Cyber law: framing the future?
From modest beginnings, cyber law is now a recognised disruptor, shaping and challenging the future of litigation. But what is cyber law? As part of a new cyber series for New Law Journal, Dean Armstrong QC and I consider a short history of the laws, crimes and definitions associated with cyber law and share some predictions for the future.
Twenty-five years have passed since US Court of Appeals Judge (and lecturer) Frank H Easterbrook suggested in his legendary paper that there was no more a law of cyberspace than there was a ‘law of the horse’.¹ Yet even now, when many readily describe themselves as cyber lawyers, and despite a sizeable back catalogue of cyber law matters to draw on, trying to define what cyber law is can still prove challenging.
When asked ‘what is cyber law?’, one frequently resorts to listing examples of major cybercrimes (think WikiLeaks, WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, [2020] 4 All ER 1, or the British Airways data breach), or points to legal issues involving tech giants, unheard of at the time of Easterbrook’s paper but now everyday names, such as Lloyd v Google [2019] EWCA Civ 1599, [2019] All ER (D) 09 (Oct) or the Facebook Cambridge Analytica scandal. However, even this short list includes shining examples of whistleblowing, vicarious liability and civil procedure. What is it about these matters then that inclines cyber lawyers to claim them as their own? Absent an explanation for doing so, there remains some intrigue to Easterbrook’s assertion that efforts to collect the strands of any laws that deal with matters of cyberspace (or horses) are ‘doomed to be shallow and to miss unifying principles’.
Considering the tremendous impact that technology has had since Easterbrook’s paper, this seems surprising. After all, Easterbrook’s 1990s-era remark that the ‘beliefs lawyers hold about computers, and predictions they make about new technology, are highly likely to be false’ seems a serious underestimation of the cyber law challenges that individuals, businesses and governments now regularly face. How, then, might we define cyber law?
In the beginning
While in England and Wales there is no dedicated, comprehensive cyber law as such, there are numerous statutes that address some of the central issues. Among these, the Computer Misuse Act 1990 (CMA 1990) is one of the oldest. It was devised following the case of R v Gold and Schifreen [1988] 1 AC 1063 (HL), [1988] 2 All ER 186.
In Gold, the defendants logged in to a British Telecom network from their ‘home micro-computers’ without authority. They did so using a username and password they observed a network engineer using at a trade show (these were simply ‘22222222’ and ‘1234’ respectively, and they granted the defendants access to the network message box for HRH Prince Philip, Duke of Edinburgh).
The men were initially convicted under the Forgery and Counterfeiting Act 1981, following strained arguments that a ‘false instrument’ had been created when the men keyed in the credentials they had acquired with the intention of the system accepting them as genuine. Both men, however, were acquitted on appeal. Lord Brandon, for the House of Lords, stated that the language of the Act was not intended to apply to the situation and that the men’s actions were not a criminal offence, concluding that: ‘If it is thought desirable to make it so, that is a matter for the legislature rather than the courts’.
Two years later, CMA 1990 was enacted. Despite a few amendments to address new offences, the Act remains largely intact and is regarded by many as a cornerstone of cybercrime and cyber law. Its original central principles, which criminalise unauthorised access to computer materials (s 1), unauthorised access to computer materials with the intent to commit or aid further offences (s 2), and unauthorised modification of computer materials (s 3), have proved flexible enough to withstand the many twists and turns technology has taken since 1990, such as the Internet of Things. This is partly due to the Act not defining the term ‘computer’. This definition is thereby shaped by the arguments of cyber lawyers and the courts.
Legislative expansion
While private prosecutions under CMA 1990 are possible, they are rare. However, other legislative instruments have joined the ranks since to deal with the sorts of issues, both civil and criminal, that commonly arise in the cyber law sphere.
These include the Copyright, Designs and Patents Act 1988, which protects computer programs as a form of ‘literary work’ (s 3(1)(b)); the Fraud Act 2006, which makes it unlawful to possess, make or supply for use in frauds ‘any program or data held in electronic form’ (s 8); and the Data Protection Act 1998 (DPA 1998), which built on the foundations of its 1984 predecessor.
While the DPA 1998 is generally considered less effective than more recent related legislation, as prior to 2010 the regulator was unable to issue fines for violations, it has nonetheless proved highly influential in the development of modern definitions of cyber rights and cyber law, coinciding, as it did, with the Internet becoming relatively mainstream.
The utility of DPA 1998 was dealt something of a blow in its infancy when, in Durant v Financial Services Authority [2003] EWCA Civ 1746, [2003] All ER (D) 124 (Dec) the Court of Appeal favoured a somewhat narrow definition of the ‘personal data’ that the Act stood to protect. The court held that ‘personal data’ had to affect an individual’s privacy and was distinct from records of transactions or matters in which he may have been involved but that were unconcerned with life events ‘in respect of which his privacy could not be said to be compromised’.
However, the definition was broadened somewhat by subsequent case law. For example, in the matter of Vidal-Hall and others v Google Inc [2015] EWCA Civ 311, [2015] All ER (D) 307 (Mar), browser-generated data was recognised as capable of being personal data. This is despite such data feasibly being a purely transactional record of the websites a web browser’s user(s) had visited, without actual knowledge of ‘who’ the users were.
Within a few years of its enactment, DPA 1998 was joined by the Electronic Communications Act 2000, the Electronic Signatures Regulation 2002, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and others. These instruments regulated such matters as electronic signatures and certain marketing activities, including the use of cookies that track people’s access to websites.
After 20 years of service, DPA 1998 was repealed and replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. These gave real substance and potency to the UK’s (and Europe’s) data protection laws, by recognising the valuable nature of personal data and substantially increasing the maximum fine for data breaches.
A raft of other laws and regulations focused on cyber issues have also been passed in the years since the CMA’s arrival in 1990, including, quite recently, to address the explosive growth of crypto-assets. All these statutes and regulations combine to provide an initial frame for our definition of cyber law.
Expanding the frame further
As important as the legislative base is, countless cyber matters are not addressed by the specialised statutes and regulations available. Indeed, one of the challenges (and fascinations) of cyber law is that technology in practice regularly outpaces what has been legislated for and can also impact established areas of law in new ways. Hints of this can be seen in Wright v Ver [2020] EWCA Civ 672, [2020] All ER (D) 42 (Jun) which concerned the appropriate jurisdiction for an action for defamation under s 9 of the Defamation Act 2013.
When defamatory statements were printed in physical newspapers and magazines, jurisdiction was relatively straightforward to determine. However, where defamation takes place online, as in Wright, discerning where a statement was published and the jurisdiction(s) the publication was targeted at becomes more challenging. Publication questions then become entangled with issues of ‘views’, ‘likes’ and ‘retweets’.
Such issues might initially appear to be purely evidential and, indeed, this is how the Court of Appeal approached the problem in Wright. However, the stark differences between print and digital publishing can impact the interpretation of this evidence and lead to the creation of distinct principles of cyber law. As Lord Judge CJ noted in Chris Lance Cairns v Lalit Modi [2012] EWCA Civ 1382, [2012] All ER (D) 01 (Nov), a consequence of modern technology is that stories now have the capacity to ‘go viral’. Accordingly, Lord Judge CJ held that ‘the percolation phenomenon’ was a legitimate consideration when assessing damages for libel. A different lens can therefore be focused on a defamation claim depending on whether a statement is inside or outside of the cyber frame.
The development of cyber law principles within established areas of law is even more pronounced in some recent injunction applications. In AA v Persons Unknown [2019] EWHC 3556 (Comm), [2020] 2 All ER (Comm) 704 for example, cryptocurrency was held to be ‘property’. An injunction could therefore be granted to prevent the dissipation of bitcoins stolen during a cyber-attack.
This ruling is important for ratifying the UK Joint Taskforce’s 2019 analysis that crypto-assets meet the four criteria set out in Lord Wilberforce’s classic definition of property in National Provincial Bank v Ainsworth [1965] AC 1175, [1965] 2 All ER 472.
In the recent matter of Ion Science Limited and Duncan Johns v Persons Unknown (21 December 2020, unreported) QBD, the court provided a further ground-breaking decision on crypto-assets, by indicating that the lex situs of a crypto-asset is the place where its owner is domiciled.
Cyber law is also reshaping familiar remedies and heads of damages. For example, the landmark judgment in Vidal-Hall and others v Google Inc [2015] EWCA Civ 311, [2015] All ER (D) 307 (Mar) established that there is no need for pecuniary loss to be suffered before compensation can be awarded for distress under DPA 1998, s 13. This was considered ground-breaking at the time, but is now seen as consistent with the right to compensation available under the GDPR.
Elaborating the principle further, in Lloyd v Google [2019] EWCA Civ 1599, [2019] All ER (D) 09 (Oct) the Court of Appeal held that, in principle, damages are capable of being awarded for ‘loss of control of data’ under DPA 1998, even if there is no pecuniary loss or distress. The action was brought for Google’s ‘allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit’.
While Lloyd is currently on appeal to the Supreme Court, further signs of the availability of damages for contraventions of personal data rights are evident in the recent matter of M v Chief Constable of Sussex Police [2021] EWCA Civ 42, [2021] All ER (D) 02 (Feb).
In M, the Court of Appeal observed (obiter) that the lower court was right to make an award of £500 to the complainant, despite overturning the lower court’s decision on liability, meaning no award was payable. Describing the £500 sum as ‘nominal’, the court has established something of a baseline for a non-de minimis breach of an individual’s personal data rights.
As these matters show, the peculiarities of the harms arising and the often extraterritorial nature of many cyber problems have required previously familiar legal doctrine to evolve. Our cyber law frame is thereby expanded by the addition of these principles and remedies, tailored as they are to the particular cyber problems being addressed.
Where do we go from here?
While the frame we have used to answer ‘what is cyber law?’ is recognisable from the aforesaid matters, it is worth considering what else the frame may need to contain in future in order to more fully address the question.
Self-driving cars are an obvious candidate. In the US in 2018, a pedestrian was killed by such a vehicle during concept testing, when the system failed to identify ‘the object’ as a pedestrian. Despite the chair of the US National Transportation Safety Board stating that the collision was ‘the last link of a long chain of actions and decisions made by an organization that unfortunately did not make safety the top priority’, prosecutors found ‘no basis for criminal liability’ for the company. Instead, the back-up driver was charged for failing to monitor the road and the operation of the automated driving system. This role is unlikely to exist indefinitely, and the law will then have to grapple with questions of liability.
The growing use of algorithms to make important decisions is also beginning to shape the development of cyber law. In 2019, for example, New York State regulators announced an investigation into the algorithm used by Apple to determine the credit limits for users of its credit card, following complaints of sex bias. More recently, the UK’s examinations and qualifications regulator used an algorithm to grade students unable to take their exams in 2020 due to the coronavirus pandemic, and this has led to legal challenges. Problems unpicking an algorithmic outcome—that is, determining whether and to what extent a questionable decision resulted from the set of input data selected, the predictors or risk-scoring systems employed, or unrecognised bias among the system’s designers or developers—can make it difficult to establish if the decision was in fact ‘wrong’ and who was responsible if so.
Increased use of facial recognition technologies in public fora may also require the development of specialised cyber laws. As the Court of Appeal noted last year in its judgment for R (Bridges) v The Chief Constable of South Wales Police [2020] EWCA Civ 1058, [2020] All ER (D) 26 (Aug), software can sometimes have an inbuilt bias and this needs to be tested for. However, the computational models underpinning such technologies are becoming increasingly opaque and do not easily lend themselves to explanation, potentially making them inscrutable. New approaches to apportioning liability may therefore be needed.
Indeed, ‘black box’ artificial intelligence technology is raising challenges more generally. In any system, problems can arise at the hardware, software and/or end-user stage in the development chain. However, as the reasons for technology reaching a given decision or responding in a particular way become more difficult to discern, establishing accountability may prove impossible applying first principles.
Smart contracts may also require us to rethink long-established contract law principles and to adopt specialised forms of them for matters within the cyber law frame. If a bot concludes a contract, for example, is an intention to create legal relations present? For that matter, does the bot have legal personality, and can the contract terms even be discerned? We are on the cusp of these sorts of contracts being made autonomously, and the law will need to answer these and related questions of contract enforceability soon.
Comment
As our answer to the question of ‘what is cyber law?’ recognises that cyber law is, in part, a waiting room for new laws and principles that will be needed to meet future legal challenges, we must accept that, to a certain extent, Easterbrook is right: efforts to collect the strands of law that deal with matters of cyberspace may be shallow and may miss unifying principles.
However, this does not mean that the ‘law of cyberspace’ does not exist. Numerous laws already expressly attend to the cyber challenges that society faces, and the body of cyber legislation and case law is being added to all the time. Besides, it is impossible in any field of law to state that the law is complete or unified. One only needs to look at Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22, [2004] All ER (D) 67 (May) to see that tort law is anything but settled.
1 Frank H Easterbrook, ‘Cyberspace and the Law of the Horse,’ 1996 University of Chicago Legal Forum 207 (1996)
Article first published by New Law Journal on 3 March 2021.