Tag: Apple

The Development of Cyber Law: Past and Future

The Development of Cyber Law: Past and Future

Cyber law is often seen as a developing field in terms of international law. And rightly so, considering that the internet is a relatively new development in human history. However, that’s not to say that there isn’t development within the field of cyber law. The field encompasses a broad range of topics such as Intellectual property, data privacy, censorship etc, and some laws regarding cyber law are clearly defined. But despite that, this paper will narrow the scope in terms of where cyber law is the least developed, arguably that is within the context of data privacy and unauthorized access. These laws are often the least developed because they used to be enforced by legislation that covered traditional communication networks, such as mail and phone networks. But since data and unauthorized access is  the least developed that means they are often the most abused by agents committing cybercrimes. Feasibly, this is mainly due to the fact that these sectors lack enforcement and detection methods. However, in regions where cyber law is most enforceable have decided to back enforcement and detection mechanisms that allow their  cyber law to be practically enforced. But in order to understand how that’s possible a bit of background information on cybercrime and cyber law is necessary.

 

Background

Cybercrime has existed since the 1970’s in the form of network attacks on phone companies. Hackers would infiltrate telephone networks enabling them to create connection, reroute calls, and use payphones for free (The History of Phone Phreaking).  This early era of hacking was a problem due to the lack of legislation that could act as a guide for law enforcement to accurately charge criminals. Arguably, it was the lack of legislation on hacking which allowed computer hackers to hone their techniques of network infiltration and data theft. The reason why that’s so can be observed in the late 1980s, where the intensity of large system attacks became more abundant and destructive. One of these major system hacks was perpetuated by a group known as 414. It may come as a surprise that this group wasn’t a group of hardened criminals, but rather 6 teenagers from Milwaukee, Wisconsin. These teenagers managed to hack high profile systems ranging from a nuclear power to banks (Stor). The intentions of the hackers didn’t seem maligned, since they didn’t steal any info from these systems. But the 414 hacks weren’t harmless either since they cost a research company $1,500 after the hackers deleted some billing records. But other major hacks weren’t as harmless. The notorious Morris worm is a prime example of the harmful effects of unwarranted network infiltration. The reason that’s the case is that it the Morris Worm was one of the first hacks that was distributed to the public internet (Sack). The worm was created by Robert Morris a Graduate student at Cornell in order to showcase the security problems of the internet, the worm would go on to cause in-between $100,000- $10,000,000 in damage by infiltrating networks and causing them to become non-operational (Newman). Clifford Stoll, one of the people responsible for purging the worm, described the Morris worm as such:

“I surveyed the network, and found that two thousand computers were infected within fifteen hours. These machines were dead in the water—useless until disinfected. And removing the virus often took two days.” (Sack)

Additionally, one of Stoll’s colleagues says that 6,000 computers were infected, which may not seem like much but only 60,000 computers were connected  to the internet at that time. Meaning 10% of the internet was infected (Sack). Such attacks would force legislators to address the problems of cybercrime, specifically network infiltration. One of the first pieces of comprehensive cyber law to address these issues was the Computer Fraud and Abuse Act enacted by the United States congress.

Computer Fraud and Abuse Act

After a lieu of cyber-attacks plagued the world, the U.S Congress decided to specifically address cybercrime. Prior to the Computer Fraud and Abuse Act (CFAA) cybercrime was prosecuted under mail and fraud, however that proved uncomprehensive. The CFAA’s framework defined what cybercrime entailed. One of the pioneering things the legislation did was define what kinds of computers were off limits to data infiltration. According United States code, In Title 18, Section 1030 of CFAA a computer is unlawful to hack if that computer is:

“(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” -18 U.S. Code § 1030 – Fraud and related activity in connection with computers (Cornell)

Basically, stealing information from a computer that effects the United States via interstate or foreign commerce/communication is forbidden. These specifications were enough to convict various individuals who committed cybercrimes in the late 1980s. Interestingly enough, Robert Morris was the first person to be convicted for violating the Computer Fraud and Abuse Act. Specifically, because he intended to infiltrate several computers without authorization which negatively affected economics and communication within the US (Newman). Arguably, the enforcement power of the CPAA may have been the essential precedent needed for the international community in terms of creating sufficient cyber laws.

Budapest Convention on Cybercrime

In November 2001, the first international convention on cybercrime took place. The scope of the Budapest Convention on Cyber Crime (BCC), unlike the CPA, had a wide range because it addressed: IP law, fraud, and child pornography. However, the convention also found it important to address what unlawful access to a computer constituted, defining it as:

“..A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.” -Article 2 of BCC (Council Of Europe)

Here, arguably, the BCC is more specific then the CPAA in terms of defining unlawful access. The reason being is that it ignores the economic/ social effects and directly addresses what unlawful access is which would be:

“..the intent of obtaining computer data or other dishonest intent…to a computer system that is connected to another computer system”.

The BCC ignores the economic/ social effects because some hacks may not influence the economy or society, by keeping the CPAA definition, the scope of data infiltration would’ve been limited to social and economic consequences on specific nations.  Furthermore, the BCC’s unlawful access clause has been a topic of discussion for legal entities and private corporations.

Modern Developments

     EU v Facebook

The precedent set by the BCC on data infiltration remains relevant in contemporary times. Especially when considering the role private corporations have in data security.  This is evident when taking Facebook’s recent big data breach into consideration. In order to understand why Facebook could potentially be an important catalyst to cybercrime we need to understand Facebook’s role on the internet. Simply put, Facebook is a social media website which connects private users via a public platform, but despite it being a public platform users’ can share data privately.  However, controversy emerged after users’ data was allegedly being misdirected and sold to third parties without user’s complete consent(Guzenko). This is a clear violation of the BCC’s definition of unlawful system infiltration. The reason that could be so is that since Facebook is in charge of maintaining data security for their users, that would mean Facebook selling data without user’s consent would constitute unlawful data infiltration according to article 2 of the BCC. Additionally, Facebook was hacked by a third party and millions of users’ data was exposed without user consent. After this particular hack the European Union decided to step in and reprimand Facebook via a 1 billion euro fine (Schnechner). The EU argues Facebook didn’t do enough to protect users’ data from infiltration, but such accusations do little for cyberlaw. The reason for that is that the EU could always argue that an entity “didn’t do enough” to protect user data, and supplement that reasoning with a fine. Rather, since cyberlaw is a relatively new field, legal entities ought to cooperate with influential players within the cyber world in order to create viable solutions to cybercrimes. The EU accusations assume that Facebook is the entity which allows 3rd parties to access user’s data, but actually it’s the users themselves who allow it. Restricting one’s data is an option if a user changes their privacy settings. Additionally, It’s unrealistic to expect Facebook to curtail the behavior of its one billion users, some users may be more susceptible to data hackers due to their ignorance on data security. The reasoning the EU expels on to Facebook would be similar to this: If an EU citizen were to steal property from another citizen then the EU itself would be held accountable for allowing that to occur, and thus deserves to be fined. This is so because Facebook is similar to the EU, in that it’s a microcosm of different sets of people behaving in ways they can’t totally predict. So instead of focusing on how specific internet services operate, focus should be shifted to network self-enforcement. A prime example of that shift of focus would be China’s comprehensive self-regulating internet network.

China’s Internet Network

Modern cybercrime has evolved in terms of the magnitude of attacks. However, in the 21st century cyber attacks, particularly on infrastructure, are not only possible but prevalent (Schmitt). An example of such an attack is explained by Tomas Ball, a contributor to the Computer Business Review

in December 2015 a massive power outage hit the Ukraine, and it was found to be the result of a supervisory control and data acquisition (SCADA) cyber-attack. This instance left around 230,000 people in the West of the country without power for hours…chaos was sewn using spear phishing emails, a low tech approach to launch such an attack; this trend is relevant today, with phishing still being used against critical infrastructure.” (Ball).

That’s only one case, but hacks on critical infrastructure can range from manipulating data which changes the chemical composition of drugs being manufactured, or to infiltrating a dam and redirecting electricity (Schmitt). Countries have implemented measures to mitigate and respond to this risk on critical infrastructure. A notable response to this problem has been from the Chinese government. China has been able to mitigate the risk of data infiltration by regulating its domestic network via legislation and technology. This may seem like a normal approach, but China is unique in the sense that it’s network is reinforced by technology which actively implements its cyber legislation. It’s difficult to understand the full scope of how China is able to do this (since the government isn’t transparent on how the network fully operates) but there are things that are clearly observable in terms of how data transfer is controlled. Firstly, data transfer in China is purposefully slowed. This is important because it allows the Chinese network to detect potential disturbances before they fully manifest, so infiltration could be detected much easier (Chew). Secondly, as mentioned before, the system self regulates. The Chinese government implements its own filters by creating comprehensive state tech that enforces Chinese law. However, China also puts heavy pressure on Chinese firms to self-regulate content, meaning that a firm that deals within the cyber world must follow the cyber laws or face a shutdown of business or a hefty fine. This is similar to how the EU went about dealing with Facebook, the only key difference being that the EU lacks its own data enforcement technology (Chew).   And lastly, China’s network will respond to infringements of their cyber law by quickly “poisoning” unlawful data connections. An example of this would be if a hacker wanted to infiltrate some data network the connection would immediately be detected as a “poisonous connection” and thereby the hacker would be cut off from that connection (Chew). Arguably this is what sets China’s cyber network apart from everyone else, the ability to actively regulate data under their legal framework. Though it’s worthy to note that China’s network indeed does well in terms of enforcing its cyber law by regulating data, but that doesn’t mean the network is exempt from criticism.

China’s cyber network is rather effective in terms of enforcing its cyber law, however it has been used to disenfranchise its own civilian population. Qiang Xiao an internet researcher at UC Berkeley describes China’s internet network as such

…it has consistently and tirelessly worked to improve and expand its ability to control online speech and to silence voices that are considered too provocative or challenging to the status quo.”(Xiao). But such things, unfortunately, should be expected. After all it makes sense for illiberal governments to manifest illiberal computer networks. But such realities shouldn’t deter liberal government from trying to conceptualize and develop internet networks which enforce cyber law. This is a lot easier said than done because it’s easier to enforce authoritarian cyber law than more liberal law (Schmitt).”

Mainly, due to the fact that the amount of computing power needed to create a liberal network would be immense. In conjunction with it being so massive, economic factors come into play when determining how effective cyber law is enforced in a region, leaving poorer liberal nations behind. Despite that, developments in quantum computing can allow for massive amounts of data to be processed and it’s getting cheaper as it develops (IBM). Not only that but quantum computing opens up the door for the network to self-learn, enabling better self-enforcement (IBM). Such features may intrigue governments who want to enforce a Common Law internet network since it can self-learn off of old legal precedents. So in the future enforceable cyber for liberal governments is definitely a possibility, and perhaps a necessity if strong cyber law is to be properly enforced.

In conclusion, since there are problems with enforcement and efficiency of cyber law, internet networks which actively enforce cyber law using the internet network itself are necessary to achieve practical cyber data enforcement. Different legal jurisdictions would naturally have different laws concerning their respective internet networks, therefore various network legal structures would need to exist to facilitate their cyber laws. Developments in quantum computing may pave the way for networks to regulate themselves.

Works Cited

“18 U.S. Code § 1030 – Fraud and Related Activity in Connection with Computers.” LII / Legal Information Institute, Legal Information Institute, http://www.law.cornell.edu/uscode/text/18/1030.

Ball, Tom. “Top 5 Critical Infrastructure Cyber Attacks.” Computer Business Review, Computer Business Review, 18 Jan. 2018, http://www.cbronline.com/cybersecurity/top-5-infrastructure-hacks/.

“Budapest Convention on Cybercrime.” Council of Europe, Council of Europe, http://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561.

Chew, Wei Chun. “How It Works: Great Firewall of China – Wei Chun Chew – Medium.” Medium.com, Medium, 1 May 2018, medium.com/@chewweichun/how-it-works-great-firewall-of-china-c0ef16454475.

Guzenko, Ivan. “The Third-Party Data Crisis: How the Facebook Data Breach Affects the Ad Tech.” MarTechSeries, 5 July 2018, martechseries.com/mts-insights/guest-authors/the-third-party-data-crisis-how-the-facebook-data-breach-affects-the-ad-tech/.

“The History Of Phone Phreaking.” The History of Phone Phreaking — FAQ, http://www.historyofphonephreaking.org/faq.php.

Newman, Jon O. “UNITED STATES of America, Appellee, v. Robert Tappan MORRIS, Defendant–Appellant.” Stanford Law, stanford.edu/~jmayer/law696/week1/Unites%20States%20v.%20Morris.pdf.

Sack, Harald. “The Story of the Morris Worm – First Malware Hits the Internet.” SciHi Blog, 3 Nov. 2018, scihi.org/internet-morris-worm/.

Schechner, Sam. “Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach.” The Wall Street Journal, Dow Jones & Company, 30 Sept. 2018, http://www.wsj.com/articles/facebook-faces-potential-1-63-billion-fine-in-europe-over-data-breach-1538330906.

Schmitt , Michael N. “Cyberspace and International Law: The Penumbral Mist of Uncertainty.” Harvard Law Review, harvardlawreview.org/2013/04/cyberspace-and-international-law-the-penumbral-mist-of-uncertainty/.

Stor, Will. “The Kid Hackers Who Starred in a Real-Life WarGames.” The Telegraph, Telegraph Media Group, 16 Sept. 2015, http://www.telegraph.co.uk/film/the-414s/hackers-wargames-true-story/.

“What Is Quantum Computing?” What Is Quantum Computing? , IBM, http://www.research.ibm.com/ibm-q/learn/what-is-quantum-computing/.

Xiao, Qiang. “Recent Mechanisms of State Control over the Chinese Internet – Xiao Qiang.” China Digital Times CDT, chinadigitaltimes.net/2007/07/recent-mechanisms-of-state-control-over-the-chinese-internet-xiao-qiang/.

John Deere & The Right To Fix.

Farming has been quintessential to America’s economy ever since 1776. Throughout history the American government has legitimized the aforementioned sentiment via different forms of legislation. For example, when the Great Depression hit Franklin Roosevelt decided that full economic recovery depended on enfranchising the agricultural sector. His New Deal through the Agricultural Adjustment Act created the AAA ( Agricultural Adjustment Administration) which is still active to this day. These measures not only helped local farmers, but also farming manufactures who would’ve surely gone under. An example being John Deere. However, thanks to some help John Deere & small farmers were able to recover, & develop a symbiotic relationship. Farmers could farm with the best equipment because John Deere (due to government assistance) decided not to repossess any tractors that weren’t paid off . An admirable gesture in trying times. However, despite John Deere’s role in making farmers lives easier via new farming technology & charitable business practices, a new trend seems to negate their storied history.

Farmers in the modern era are facing trying times. The reason for that is farmers can no longer independently fix their tractors that have malfunctioned. That’s because in order to fix modern tractors you need diagnostic software to figure out the problem. You might be asking yourself “Why don’t farmers just get the software”? Well, it turns out John Deere doesn’t allow the software to be purchased in the first place. That fact forces farmers to either pay a John Deere dealer to fix it (often times they are really far away & it’s expensive), or buy totally new equipment from John Deere, effectively wasting the farmers precious time & resources. Prior to this new trend you could purchase a diagnostic manual & fix tractors with little to no ease. Which is what most farmers did. Yet, if the farmer for some reason couldn’t, they’d take it to a tractor mechanic & he’d figure it out. This is now impossible due to John Deere’s reluctance to provide that software. A small percentage of farmers have even gone to great extents to purchase hacked software from Eastern European nations to curtail this dilemma. But farmers shouldn’t be forced to do shady black market deals to fix their property. Thankfully, some motivated people are fighting for the rights of farmers to access the diagnostics of their tractors. But there are still huge road blocks in their way.

The Library of Congress has granted an exemption for farmers from the DMCA Act (which protects corporations from online piracy) in order to shield them from legal repercussion if they were caught. However, immediately after that was implemented John Deere adjusted their terms of service to negate that ruling. A move you’d expect from El Chapo or Pablo Escobar. Despite that hurdle, motivated activists like Guy Mills & Lydia Brasch advocate for the freedom to purchase diagnostic tools. Lydia Brasch, a senator form Nebraska, has proposed the Fair Repair Act in order to help Farmers obtain the tools for repair. At that hearing in Lincoln, Nebraska lobbyists from Apple, Microsoft, & AT&T convened to violently oppose the Act. A rare thing in Nebraskan politics. Why would they show up? Simple, that legislation would set a precedent in the tech field because it would limit the tech firm monopoly over diagnostic info. Nebraska isn’t alone in trying to combat this problem. 12 states have recently proposed similar legislation.

In conclusion, information about fixing your property should be open to the public. That’s because this issue is similar to this scenario. Hypothetically lets say a specific hospital owned the rights to open heart surgery, & refused to give it out to other doctors. People would run riot. There’s no difference from that hypothetical scenario to the things John Deere is doing now.

Is John Deere a bad company? Of course not. But they should be a bit more active in trying to help these farmers instead of them being solely concerned with their own interests? Of course, and as Americans we should hold overly abusive corporations accountable for their actions . Remember, agricultural manufacturers & farmers should have a symbiotic relationship not a parasitic one.