How to Comply with Internet Regulations

Privacy and Computer Crime Cases | Spirit of the Law

How is a citizen of the Internet to comply with the data laws of the world?  By citizen I especially have in mind a reputable enterprise or professional.

A Tsunami of Laws

A welter of laws from around the globe purport to regulate the citizen's use of computers, collection of data, publishing of information and so on.  The laws are often confusing because they conflict, they overlap, they use vague terminology that can be interpreted in ways that make little sense, and they apply to technology that changes faster than lawmakers can assimilate.

Responsible Global Citizen
The laws of multiple countries can apply simultaneously to any given activity on the Internet.

Compounding the problem, new laws on privacy, hacker crimes, data processing and intellectual property are enacted every day.

The laws often speak in strong declaratory statements, which give the impression that they set bright-line rules and boundaries that can be objectively tested.  Yet the rules and boundaries become less distinct when they meet practical application.

In all the history of law, nothing is so novel as the Internet.  When applying law to particular Internet situations, the authorities struggle.  In the pursuit of justice, thoughtful courts and government officials are forced to eschew mechanical readings of data law.  They try instead to divine what the spirit of the law says about the situation at hand.  They inevitably weigh all the factors in the case – even when the law does not explicitly call for such an “all the facts and circumstances” analysis.  Their analysis adopts a surprisingly subjective tone.

Two examples:

Purpose and Context of an Action Relevant to Computer Crime Law

White hat hacker cases are rare, but Moulton v. VC3 is one of them.  A business, VC3, sued an IT professional, Scott Moulton, after he did a port scan and a throughput test of VC3’s servers. VC3 and Moulton were contractors for government agencies that were establishing a network connection between themselves. VC3 claimed that Moulton’s port scan and throughput test violated the Computer Fraud and Abuse Act. The CFAA forbids the "intentional[] access[ing] [of] a protected computer without authorization, [that] as a result of such conduct, recklessly causes damage." 18 U.S.C. Section 1030(a)(5)(B).

Moulton alleged he had a justification for doing the port scan and throughput test, within the scope of his work protecting the system of his client, the 911 center at Cherokee County. Moulton was not trying to steal or compromise sensitive data. When VC3 asked him about his scanning, he declared in an email that “he worked for Cherokee County 911 Center and was testing security.”

In construing the words of the CFAA for this particular case, the court took into account more than just the mechanics of Moulton’s conduct. It weighed Moulton’s purpose when he conducted the scan and test. The court said, “The public data stored on Defendant's network was never in jeopardy. Plaintiff Moulton’s actions never threatened the public health and safety.” The court concluded that Moulton did not violate the CFAA. The implication is that if Moulton’s scan and test were intended to advance a larger scheme to steal or damage data, then the court would view them differently and possibly find a violation of the CFAA.

In other words, the purpose and context of an action, which are discerned from all the facts and circumstances, are relevant to whether the CFAA has been violated.


Proportionality in EU Data Protection Law

The European Directive on Data Protection calls for strict limits on the collection and processing of personal data. A wooden reading of the Directive might lead to bizarre results. For example, in my SANS course, I asked this hypothetical question: A magazine subscription marketing company holds data showing the names and postal addresses of subscribers. But this data grows out of date. The “integrity” principle under the EU Directive suggests that the company must keep its data up to date, but to do that the company would have to pester people by contacting them asking them to update their information. Does EU data law require the company to pester people? I asked. A German lawyer (privacy law expert) who was attending the course answered that such a tasteless outcome would not be required because the pestering would be “disproportionate” to the need for integrity.

In other words, I learned from my German friend, a balancing test of proportionality modulates the literal words of European data protection law.

Another European lawyer, Christopher Kuner, argues that proportionality is a central concept in EU data protection law, even though explicit reference in the law to proportionality is limited. “Proportionality in European Data Protection Law And Its Importance for Data Processing by Companies,” Privacy & Security Law Report, Vol. 07, No. 44, 11/10/2008, pp. 1615.  Mr. Kuner observes that even though “companies are often used to thinking of data protection compliance in terms of satisfying a well-defined set of statutory requirements,” the principle of proportionality blurs the requirements.

Proportionality calls for analysis of whether the results of a data activity are excessive or necessary. A review of proportionality calls for an analysis of all the facts and circumstances of a case to determine what is a socially-good outcome.
 



Conclusion: How to Comply

Examples like these show the good Internet citizen that “compliance with law” is often not a cut-and-dried affair.  Compliance involves appeal to subjective notions like good purpose, socially-redeeming motives, or culturally-desirable outcome.

What does this understanding of compliance mean for the Internet citizen in practice? It means compliance often requires more than satisfying a technical IT checklist. It means the citizen is wise to deliberate on the social implications of its activities and strive to document how the activities seek laudable ends.



A practicing attorney, Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related:
* How investigators should heed privacy
* Sheriff asserts jurisdiction