9.1 Cyber Law
Annexure I
Programme:
B.A., LL.B.
Details of Course offered
Odd Semester (IX) – Academic Year 2018-19
1. Course Objectives
To make students understand the cyber world and cyber law in general and to explain the
various facets of cybercrimes.
To enhance the understanding of problems arising out of online transactions and provoke
them to find solutions.
To clarify the intellectual property issues in cyberspace and the growth and
development of the law in this regard.
To educate about the regulation of cyberspace at the national and international level.
To understand the existing legal frameworks relating to e-commerce, including the
Information Technology Act, 2000.
2. Teaching methodology
The methodology is not the traditional lecture method but participatory teaching, with
discussion of legal principles and precedents in the classroom. The students are informed in
advance of the topic for discussion and of the topic of the project/assignment they have to
prepare. The students prepare their topics from the sources suggested to them. The students are
also encouraged to do independent research on their respective assignments. In the classroom,
every student is required to present his/her topic and to have his/her doubts cleared through
discussion. The teacher helps and guides the students in their pursuit of legal learning. After
the students have completed their discussion, the teacher summarizes it, clarifies doubts, if
any, and answers their queries.
Cyber Law as an independent discipline of study is a fast-emerging area of law. Well-tried and
traditional legal ideas sometimes prove unequal to the handling of unprecedented problems of
the area. The students are encouraged to access the judgments of the US courts, the Indian
courts, and articles on the subject available in various prestigious international and national
journals. The study materials supplied to the students consist of articles by experts in the
field and case law reports available in various books and journals.
4. Prescribed Readings
1. Chris Reed & John Angel, Computer Law, OUP, New York, (2007).
2. Aparna Vishwanathan, Cyber Law: Indian and International Perspectives, Lexis Nexis
Butterworths Wadhwa, 2012.
3. Steve Hedley, The Law of Electronic Commerce and the Internet in the UK and Ireland,
Taylor & Francis, 2017.
4. Diane Rowland et al., Information Technology Law, Routledge-Cavendish, 2005.
The Course is assessed out of 100 marks in total by an examination system comprising written
exams. There shall be a Mid-Term Exam and an End-Semester Exam.
Introduction to E-Commerce
The Concept of E-Contracts
Online Approaches: B2B, B2C & C2C
Online Contracts: Click-Wrap, Shrink-Wrap, and Browse-Wrap
Law in US & EU on E-Contracts
E-Contracts under the I.T Act, 2000
Applicability of the Indian Contract Act, 1872
Tests to determine Jurisdiction in Internet Law cases
Dispute Resolution
Electronic Signatures
Essential Websites
The websites of the ICANN, the MeitY, the Stanford Law School’s Centre for Internet and
Society Blog, Cyberlaw books by Pavan Duggal, Opensource.com, among others, are
important for this Course.
Annexure III
STUDY/READING MATERIAL
Citation:
Kristen E. Eichensehr, The Cyber-Law of Nations, 103
Geo. L.J. 317 (2015)
KRISTEN E. EICHENSEHR*
TABLE OF CONTENTS
* Visiting Assistant Professor, UCLA School of Law. © 2015, Kristen E. Eichensehr. The author
thanks Raechel Anglin, Jack Balkin, Sarah Cleveland, Ashley Deeks, Oona Hathaway, Harold Hongju
Koh, David Koplow, Richard M. Re, W. Michael Reisman, Michael N. Schmitt, Phil Spector, Peter
Trooboff, Stephen Zamora, and participants in the American Society of International Law Southeast
Interest Group Junior-Senior Workshop for helpful conversations and comments. The author is grateful
for the assistance of Clay Greenberg, Sean Quinn, Justin Simeone, and the editors and staff of
The Georgetown Law Journal for their suggestions and assistance. This Article reflects developments
through November 2014 when it was finalized for publication, and any errors are the author's alone.
318 THE GEORGETOWN LAW JOURNAL [Vol. 103:317
III. GOVERNING CYBER: NEW ANSWERS FOR A NEW DOMAIN?
A. THE ROLE OF PRIVATE PARTIES: MULTILATERAL VERSUS MULTISTAKEHOLDER GOVERNANCE
B. MODALITY OF GOVERNANCE
1. No Governance Arrangement
INTRODUCTION
breached "nearly 150" organizations in the last seven years.1 Mandiant concluded that APT1 is likely the Chinese People's Liberation Army (PLA) Unit 61398.2 China strongly denied Mandiant's accusations.3 After the Mandiant report, the U.S. government shifted from oblique allusions to openly naming China as a major source of cyber intrusions.4 Recent disclosures by Edward Snowden, however, have complicated the issue: reports indicate that the United States conducted 231 offensive cyber operations in 2011, including operations against China, Russia, Iran, and North Korea.5 The disclosures also come on the heels of a December 2012 International Telecommunications Union (ITU) conference that broke down over disagreements among the United States, Russia, China, and others about Internet governance.
The release of information about operations has spurred not just mutual recriminations, but also potentially constructive developments. The United States called for dialogue with China to develop rules of the road for behavior in cyberspace,6 and a U.S.-China governmental working group on cyber issues held its inaugural meeting in July 2013.7 The United Kingdom has called for a similar formal dialogue with China.8
The path of progress, however, has not been smooth. In May 2014, China halted its participation in the U.S.-China working group in response to the U.S. indictment of five Chinese military officials for hacking into U.S. companies and committing economic espionage and trade secret theft.9 Shortly thereafter, a report by the cybersecurity firm CrowdStrike identified another unit of the PLA – Unit 61486 – that has breached U.S. and European satellite and aerospace companies.10 No end is in sight to these disagreements and recriminations.
1. MANDIANT, APT1: EXPOSING ONE OF CHINA'S CYBER ESPIONAGE UNITS 2 (2013), available at http://intelreport.mandiant.com/MandiantAPT1_Report.pdf.
2. Id.
3. David Barboza, China Says Army Is Not Behind Attacks in Report, N.Y. TIMES, Feb. 20, 2013, http://www.nytimes.com/2013/02/21/business/global/china-says-army-not-behind-attacks-in-report.html (quoting Chinese Ministry of National Defense spokesman Geng Yansheng as stating that "Chinese military forces have never supported any hacking activities").
4. See Tom Donilon, Nat'l Sec. Advisor to the President, Remarks at the Asia Society: The United States and the Asia-Pacific in 2013 (Mar. 11, 2013), available at http://www.whitehouse.gov/the-press-office/2013/03/11/remarks-tom-donilon-national-security-advisory-president-united-states-a ("Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country. As the President said in the State of the Union, we will take action to protect our economy against cyber-threats.").
5. Barton Gellman & Ellen Nakashima, U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show, WASH. POST, Aug. 30, 2013, http://articles.washingtonpost.com/2013-08-30/world/41620705_1_computer-worm-former-u-s-officials-obama-administration.
6. Donilon, supra note 4 ("[W]e need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace."). The United States has such a formalized dialogue with India, for example. See Fourth India-US Strategic Dialogue: India-US Fact Sheet on International Security, MINISTRY EXTERNAL AFF. (June 24, 2013), http://www.mea.gov.in/in-focus-article.htm?21864/Fourth+IndiaUS+Strategic+Dialogue+IndiaUS+Fact+Sheet+on+International+Security (discussing the U.S.-India Strategic Cyber Policy Dialogue and "whole-of-government Cybersecurity Consultations").
7. See Joseph Menn, White House Cites Progress in Cyber Talks with China, Russia, REUTERS (May 14, 2013, 7:38 PM), http://www.reuters.com/article/2013/05/14/us-cyber-summit-international-talks-idUSBRE94D19R20130514; Tony Romm, U.S.-China Cybersecurity Talks Inching Along, POLITICO (July 10, 2013, 4:58 AM), http://www.politico.com/story/2013/07/us-china-cybersecurity-93909.html.
8. See Nicholas Watt, David Cameron Challenges China to Be More Open About Cyber-Security, GUARDIAN (Dec. 3, 2013), http://www.theguardian.com/politics/2013/dec/04/david-cameron-challenges-china-cyber-security.
Nonetheless, recent events mark a productive shift in how governments address cyber issues – namely, a shift toward engaging with each other to address cyber questions that cannot be resolved within a single sovereign state. Issues such as cyberwar, cyberespionage, and cybercrime transcend the regulatory powers of a single state, call for coordination and cooperation among sovereigns, and raise the possibility of conflict between states over the contested domain of "cyberspace." Although scholars previously debated whether or to what extent sovereign states could regulate cyber and the Internet with respect to their own citizens,11 current issues demand a new generation of scholarship on sovereigns' relationships with other sovereigns regarding cyber issues.
Although powerful states seem to agree in general that some dialogue and agreement on basic rules are necessary, they disagree about almost everything else. Governments' statements, strategies, and actions suggest that two competing visions of cyberspace have emerged so far: China and Russia argue that cyberspace should be subject to sovereign control, whereas the United States, United Kingdom, and their allies argue that cyberspace should not be subject to sovereign control. This Article focuses on three fundamental questions and areas of disagreement that stem from the states' divergent views about sovereignty and cyberspace: the role of private parties in governing cyber (states-only multilateral model versus multistakeholder model); how cyber should be governed (no governance system, treaty, or norms); and whether or how to regulate military activities in the cyber domain (no regulation, demilitarization, or regulated militarization). These questions provoke strong disagreements between states about what might be termed the emerging cyber-law of nations. On the one hand, the United States and its allies argue for a "multistakeholder model," governance through norms, and regulated militarization. On the other hand, Russia, China, and their allies argue for a "multilateral model," governance by treaty, and either no regulation of militarization or partial demilitarization of cyber.
Although cyberspace is a new domain, the challenges it poses for states are similar to those that the international community has faced in the past with regard to other domains, namely the high seas, outer space, and Antarctica. Some have argued that cyber is similar to these domains because it is a "global commons." This Article, by contrast, argues that cyber's technical status as a commons is ultimately not crucial; rather, the most important unifying feature of the domains from a legal perspective is that they are not currently partitioned and governed based on traditional Westphalian sovereignty.12 The absence of sovereignty as a means for governing the domains creates the need for intersovereign arrangements to coordinate states' use of the domains and to avoid conflict.
Analysis of the old domains is illuminating because it shows that global governance of such domains is possible and provides a baseline from which to analyze various answers to the three fundamental questions for cyberspace. However, the analogy between cyber and the old domains has limits. The governance answers were similar across the old domains – multilateral governance, governance by treaty, and some level of demilitarization. But cyber differs from the old domains in important ways that suggest the answers for cyber should be different. This Article therefore argues for multistakeholder governance, governance through norms, and regulated militarization.
Part I demonstrates that the idea of a cyber domain is a useful analytical concept and that global governance of that domain is necessary to avoid conflict. Section I.A explains what states mean in employing the term cyberspace. Section I.B then traces the evolution of the concept of sovereignty as related to cyberspace. In the first phase, scholars argued that the Internet was not subject to control by territorial sovereigns, but second-generation scholars pushed back, arguing that governments can and should regulate cyber within their borders. A new generation of scholarship now must confront the intersovereign cyber issues. Section I.C describes the move by many states to treat cyber as a domain in the military sense, like the land, sea, and air. Drawing on a variety of data points, including statements by government officials, strategy
This Article uses the interchangeable terms cyber and cyberspace, and this section explains what those terms encompass.
2015] THE CYBER-LAW OF NATIONS 321
9. See Ting Shi & Michael Riley, China Halts Cybersecurity Cooperation After U.S. Spying Charges, BLOOMBERG (May 20, 2014, 5:39 AM), http://www.bloomberg.com/news/2014-05-20/china-suspends-cybersecurity-cooperation-with-u-s-after-charges.html; see also Press Release, U.S. Dep't of Justice, U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage (May 19, 2014), available at http://www.justice.gov/opa/pr/2014/May/14-ag-528.html. Recent reports have implicated the same Chinese army unit in breaches of Israeli defense companies. See Brian Krebs, Hackers Plundered Israeli Defense Firms That Built 'Iron Dome' Missile Defense System, KREBS ON SECURITY (July 28, 2014, 10:08 AM), http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/ (reporting that Cyber Engineering Services Inc. discovered hacks of Israeli defense contractors that bear "all of the hallmarks of the 'Comment Crew,'" whose official designation is PLA Unit 61398).
10. See CROWDSTRIKE, CROWDSTRIKE INTELLIGENCE REPORT: PUTTER PANDA 4 (2014), available at http://resources.crowdstrike.com/putterpanda. Subsequent reports have tied other cyberespionage operations to both China and Russia. See FIREEYE, APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS? 3 (2014), available at https://www.fireeye.com/resources/pdfs/apt28.pdf (alleging Russian government involvement in cyberespionage against "political and military targets including the country of Georgia, Eastern European governments and militaries, and European security organizations"); NOVETTA, OPERATION SMN: AXIOM THREAT ACTOR GROUP REPORT 4 (2014), available at http://www.novetta.com/files/9714/1446/8199/ExecutiveSummary-Final_1.pdf (alleging with "moderate to high confidence" that the "Chinese Intelligence Apparatus" is directing cyberespionage operations against a variety of targets worldwide).
11. See infra section I.B.
13. Yochai Benkler, From Consumers to Users: Shifting the Deeper Structures of Regulation Toward Sustainable Commons and User Access, 52 FED. COMM. L.J. 561, 562 (2000); see also Lawrence Lessig, The Architecture of Innovation, Inaugural Meredith and Kip Frey Lecture in Intellectual Property at Duke University School of Law (Mar. 23, 2001), in 51 DUKE L.J. 1783, 1786 (2002) (describing Benkler's three layers). But see JONATHAN ZITTRAIN, THE FUTURE OF THE INTERNET AND HOW TO STOP IT 67 (2008) (describing the Internet as having three or four layers); Lawrence B. Solum & Minn Chung, The Layers Principle: Internet Architecture and the Law, 79 NOTRE DAME L. REV. 815, 816-17 (2004) (arguing for understanding the Internet as made up of six layers, instead of three).
14. Benkler, supra note 13, at 562.
15. Id.; Lessig, supra note 13, at 1786 (describing the logical layer as "the system that controls who gets access to what, or what gets to run where").
16. Lessig, supra note 13, at 1786; see also Benkler, supra note 13, at 562.
17. Cf. Joseph S. Nye Jr., Nuclear Lessons for Cyber Security?, STRATEGIC STUD. Q., Winter 2011, at 18, 19 ("Attacks from the informational realm, where costs are low, can be launched against the physical domain, where resources are scarce and expensive. Conversely, control of the physical layer can have both territorial and extraterritorial effects on the informational layer.").
18. See Jack L. Goldsmith, The Internet and the Abiding Significance of Territorial Sovereignty, 5 IND. J. GLOBAL LEGAL STUD. 475, 476 (1998) ("The Internet is not, as many suggest, a separate place removed from our world. Like the telephone, the telegraph, and the smoke signal, the Internet is a medium through which people in real space in one jurisdiction communicate with people in real space in another jurisdiction."); see also JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 16 (2008) (dismissing the term cyberspace as "an influential and charismatic metaphor"); Mark Graham, Cyberspace, ZERO GEOGRAPHY (Nov. 3, 2011, 10:42 AM), http://www.zerogeography.net/2011/11/cyberspace.html ("The Internet is characterised by complex spatialities which are challenging to understand and study, but that doesn't give us an excuse to fall back on unhelpful metaphors which ignore the Internet's very real, very material, and very grounded geographies."); infra text accompanying note 42. But see LAWRENCE LESSIG, CODE: VERSION 2.0, at 298 & 391 n.13 (2006) ("There has been a rich, and sometimes unnecessary, debate about whether indeed cyberspace is a 'place.' I continue to believe the term is useful . . . ."); David R. Johnson & David Post, Law and Borders-The Rise of Law in Cyberspace, 48 STAN. L. REV. 1367, 1378 (1996) (suggesting "conceiving of Cyberspace as a distinct 'place' for purposes of legal analysis by recognizing a legally significant border between Cyberspace and the 'real world'").
19. See infra text accompanying notes 22-28.
26. U.K. CABINET OFFICE, THE UK CYBER SECURITY STRATEGY: PROTECTING AND PROMOTING THE UK IN A DIGITAL WORLD 11 (2011), available at https://www.gov.uk/government/publications/cyber-security-strategy.
27. See ISO/IEC, Standing Document 6 (SD6): Glossary of IT Security Terminology (Oct. 16, 2014), http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=64540&languageid=en&cmsareaid=64540.
28. MINISTRY OF COMMC'N & INFO. TECH., GOV'T OF INDIA, NATIONAL CYBER SECURITY POLICY-2013 (NCSP-2013) (2013), available at http://www.deity.gov.in/sites/uploadfiles/dit/files/National%20Cyber%20Security%20Policy%20(1).pdf (citing ISO/IEC-27032-2012 and defining cyberspace as "a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information and communication technology[,] . . . devices and networks"). For collections of governmental and non-governmental definitions of cyberspace, see Cyber Definitions, COOPERATIVE CYBER DEF. CENTER EXCELLENCE, https://www.ccdcoe.org/cyber-definitions.html (last visited Nov. 30, 2014); Global Cyber Definitions Database, OPEN TECH. INST., http://cyberdefinitions.newamerica.org/index.html (last visited Nov. 30, 2014); Damir Rajnovic, Cyberspace-What Is It?, CISCO BLOG (July 26, 2012, 8:25 AM), http://blogs.cisco.com/security/cyberspace-what-is-it/.
29. For brief historical overviews of the development of the Internet, see, for example, Brief History of the Internet, INTERNET SOC'Y, http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet (last visited Nov. 30, 2014), or P.W. SINGER & ALLAN FRIEDMAN, CYBERSECURITY AND CYBERWAR: WHAT EVERYONE NEEDS TO KNOW 16-21 (2014).
30. The "core element in any definition of sovereignty" is "[t]he assertion of final authority within a given territory." Goldsmith, supra note 18, at 476 n.5 (quoting Stephen D. Krasner, Sovereignty: An Institutional Perspective, 21 COMP. POL. STUD. 66, 86 (1988)). Krasner has identified four types of sovereignty, which "are not logically coupled, nor have they covaried in practice." STEPHEN D. KRASNER, SOVEREIGNTY: ORGANIZED HYPOCRISY 9 (1999). The four types of sovereignty are: (1) domestic sovereignty, which refers to "the organization of public authority within a state and to the level of effective control exercised by those holding authority"; (2) interdependence sovereignty, which refers to "the ability of public authorities to control transborder movements"; (3) international legal sovereignty, which refers to the "mutual recognition of states or other entities"; and (4) Westphalian sovereignty, which refers to "the exclusion of external actors from domestic authority configurations." Id. This Article focuses primarily on Westphalian sovereignty and interdependence sovereignty, particularly their weakness or absence in the current cyberspace context. Cf. id. at 20 ("The fundamental norm of Westphalian sovereignty is that states exist in specific territories, within which domestic political authorities are the sole arbiters of legitimate behavior."); id. at 10 ("Westphalian sovereignty . . . exclusively refer[s] to issues of authority: does the state have the right to exclude external actors . . . ? Interdependence sovereignty exclusively refers to control: can a state control movements across its own borders?"). The weakness of Westphalian sovereignty in the globalized context has sparked much attention in the international relations and international law literature generally in recent years. See, e.g., Anne-Marie Slaughter, Sovereignty and Power in a Networked World Order, 40 STAN. J. INT'L L. 283, 284-87 (2004) (noting several fundamental challenges to Westphalian sovereignty and arguing in favor of "new sovereignty," defined as the idea that "[s]tates can only govern effectively by actively cooperating with other states and by collectively reserving the power to intervene in other states' affairs" (emphasis omitted)).
and the Internet has shifted dramatically from early conceptions of cyber as outside the control of sovereigns to descriptive and normative accounts allowing for some regulation of cyber by states.31 This Article argues that the time has come for the next stage in the relationship between cyber and sovereigns – namely, agreement among sovereigns on answers to basic governance questions to address cross-border issues like cyberwar, cyberespionage, and cybercrime.
Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.32
This Declaration embodied the 1990s view of many Internet organizations and their allies who believed that sovereignty over the Internet belonged to its users, not to governments. In other words, the Internet was sovereign unto itself, not governed by states.
These Internet partisans denied that governments could or should regulate cyberspace. In a prominent article, David Johnson and David Post argued, "Global computer-based communications cut across territorial borders, creating a new realm of human activity and undermining the feasibility – and legitimacy – of laws based on geographic boundaries."33 As a normative matter, Internet partisans denied that governments should regulate cyberspace, even if they could. Barlow's declaration of independence asserted that cyberspace was built "to be naturally independent of the tyrannies [governments] seek to impose."34 Johnson and Post argued that "[c]yberspace radically undermines the
31. See Duncan B. Hollis, Re-Thinking the Boundaries of Law in Cyberspace: A Duty to Hack?, in CYBERWAR: LAW & ETHICS FOR VIRTUAL CONFLICTS (J. Ohlin et al. eds., forthcoming 2015) (manuscript at 3-7), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2424230.
32. John Perry Barlow, A Declaration of the Independence of Cyberspace, ELEC. FRONTIER FOUND. (Feb. 9, 1996), http://w2.eff.org/Censorship/Internet_censorship_bills/barlow_0296.declaration; see also id. ("We must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies.").
33. Johnson & Post, supra note 18, at 1367; see Timothy S. Wu, Note, Cyberspace Sovereignty?-The Internet and the International System, 10 HARV. J.L. & TECH. 647, 648 (1997) (calling the Electronic Frontier Foundation, with which Johnson and Post were affiliated, one of the "most outspoken advocates of 'cyberspace sovereignty'").
34. Barlow, supra note 32.
35. Johnson & Post, supra note 18, at 1370 (emphasis omitted); see also id. at 1375 ("The rise of an electronic medium that disregards geographical boundaries throws the law into disarray by creating entirely new phenomena that need to become the subject of clear legal rules but that cannot be governed, satisfactorily, by any current territorially based sovereign.").
36. Barlow, supra note 32 ("Cyberspace does not lie within your borders. . . . It is an act of nature and it grows itself through our collective actions.").
37. Johnson & Post, supra note 18, at 1367.
38. The domain name system "associates user-friendly domain names (e.g., www.ntia.doc.gov) with the numeric network addresses (e.g., 170.110.225.155) required to deliver information on the Internet, making the Internet easier for the public to navigate." Domain Name System, NAT'L TELECOMMS. & INFO. ADMIN., http://www.ntia.doc.gov/category/domain-name-system (last visited Nov. 30, 2014).
39. Johnson & Post, supra note 18, at 1388.
40. See Goldsmith, supra note 18, at 476-77; Wu, supra note 33, at 663.
41. GOLDSMITH & WU, supra note 18, at 16.
42. Id. at 73.
43. See Wu, supra note 33, at 651 ("[W]here widespread usage of the Internet depends on physical components, a government that controls these components can regulate cyberspace.").
44. Goldsmith, supra note 18, at 488.
45. Examples of computer and Internet-related laws in the United States include: 17 U.S.C. § 506(a)(1)(c) (2012) (copyright infringement by making copyrighted work available on public computer network); 18 U.S.C. § 1030 (2012) (Computer Fraud and Abuse Act); 18 U.S.C. §§ 2510-2522 (2012) (Electronic Communications Privacy Act); and 31 U.S.C. §§ 5361-5367 (2012) (Unlawful Internet Gambling Enforcement Act). For a compilation of national legislation implementing the Council of Europe's Budapest Convention on Cybercrime, see Cybercrime Legislation-Country Profiles, COUNCIL OF EUR., http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/Documents/CountryProfiles/default_en.asp (last visited Nov. 30, 2014).
46. GOLDSMITH & WU, supra note 18, at viii. For example, "South Korea filters pro-North Korean sites; China filters material on Tibet, Taiwan, and Tiananmen, as well as mundane mistakes by local officials." Id.
47. Goldsmith, supra note 18, at 476.
48. GOLDSMITH & WU, supra note 18, at xiii.
49. Id. at 142.
50. Id. at 145.
51. Id.; see also id. at 156 ("A government's responsibility for redressing local harms caused by a foreign source does not change because the harms are caused by an Internet communication.").
52. See supra note 45.
53. GOLDSMITH & WU, supra note 18, at vii.
54. Id. at 164.
55. Id. at 165; see also id. at 173 ("Internet conflicts of laws lead nations to use what tools they can . . . to get what they want. This is a very old story indeed.").
2015] THE CYBER-LAW OF NATIONS 329
In recent years, the United States and other countries, including the United
Kingdom, Israel, and Iran, have declared that cyberspace is a "domain" in the
military context, like land, sea, air, and space. 6 0 Similarly, China's "Electronic
Warfare strategy" declares that electronic warfare "is a vital fourth dimension to
combat and should be considered equally with traditional ground, sea, and air
forces." 6 1
Although there is growing consensus about treating cyber as a separate
domain, states appear to disagree about most other cyber-governance issues.
Most fundamentally, the United States and its allies, particularly in Western
Europe, argue that cyberspace is not and should not be subject to sovereign
control, whereas China, Russia, and others argue that sovereigns should, singly
or in combination, control cyber. These competing views have a number of
implications for particular cyber-governance questions and suggest positions
that adherents of the opposing views will take with respect to issues of
international law for cyberspace going forward.
By piecing together government policies from disparate statements of govern-
ment officials and strategy documents, as well as states' actions in cyberspace
and their response to cyber incidents over the last few years, this Article
suggests that the divergent views with respect to sovereignty are fostering two
competing visions of cyberspace governance. This section constructs, to the
extent possible, the positions of the United States and Western Europe, on the
one hand, and China and Russia, on the other hand, whereas the remainder of
the Article explores the implications and desirability of these positions for
specific cyber-governance questions.
The United States promotes a multistakeholder vision of Internet governance-
governance by and with the input of diverse parties, including governments,
nongovernmental organizations, the private sector, civil society, academia, and
individuals. The U.S. International Strategy for Cyberspace commits the U.S.
government to "[p]romote and enhance multi-stakeholder venues for the discus-
sion of Internet governance issues."62 It also pledges that the United States will
"[p]rioritize openness and innovation on the Internet" in contrast to govern-
ments that "place arbitrary restrictions on the free flow of information or use it
,,63
to suppress dissent or opposition activities. The European Union similarly
supports the continuation of the "present bottom-up, multi-stakeholder model"
and "believes that internet governance and related regulatory issues should
continue to be defined at a comprehensive and multi-stakeholder level."6 4
By contrast, China and Russia, along with other states of the former Soviet
Union, have promoted a sovereign-based vision of Internet governance that has
both domestic and international aspects. On the domestic front, China and
Russia seek to legitimize their efforts to regulate the content of the Internet
available within their countries and to monitor and suppress expression that, in
their view, poses a security threat. On the international plane, they seek to
transfer management of the Internet from the extant civil-society-focused multi-
stakeholder model to a multilateral forum, such as the ITU, which would
increase sovereign states' power over Internet regulation, including content.
The two facets of the sovereign-based vision for the Internet are reflected in a
draft treaty, the "International Code of Conduct for Information Security,"
that China, Russia, Tajikistan, and Uzbekistan proposed at the United Nations in
September 2011.65 Among other provisions, the draft Code would require states
"[t]o reaffirm all States' rights and responsibilities to protect, in accordance with
relevant laws and regulations, their information space and critical information
infrastructure from threats, disturbance, attack and sabotage."66 It would also
require "the establishment of a multilateral, transparent and democratic international
management of the Internet to ensure an equitable distribution of resources,
facilitate access for all and ensure a stable and secure functioning of
the Internet."67
The United States and its allies do not accept this vision and, in particular,
oppose the domestic sovereign control idea on freedom of expression and
association grounds.68 They also oppose the move to greater sovereign control
functioning of democratic societies worldwide"); Hillary Rodham Clinton, Sec'y of State, Remarks on
Internet Freedom (Jan. 21, 2010), available at http://www.state.gov/secretary/20092013clinton/rm/2010/
01/135519.htm ("[T]he internet is a network that magnifies the power and potential of all others.
And that's why we believe it's critical that its users are assured certain basic freedoms. Freedom of
expression is first among them.").
69. See International Proposals to Regulate the Internet: Hearing Before the Subcomm. on Commc'ns
& Tech. of the H. Comm. on Energy & Commerce, 112th Cong. 24 (2012) [hereinafter Statement of
Amb. Philip Verveer] (statement of Ambassador Philip Verveer, Deputy Assistant Secretary of State and
United States Coordinator for International Communications and Information Policy), available at
http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg79558/pdf/CHRG-112hhrg79558.pdf.
70. See supra note 7 and accompanying text.
71. See generally China Inst. of Contemporary Int'l Relations (CICIR)-Ctr. for Strategic & Int'l
Studies (CSIS), Bilateral Discussions on Cooperation in Cybersecurity, CENTER FOR STRATEGIC & INT'L
STUD. (June 2012) [hereinafter CICIR-CSIS], http://csis.org/files/attachments/120615 JointStatement
CICIR.pdf.
72. Adam Segal, Chinese Computer Games: Keeping Safe in Cyberspace, FOREIGN AFF., Mar./Apr.
2012, at 14, 15.
73. For background, see Jack Goldsmith, WCIT-12: An Opinionated Primer and Hysteria-Debunker,
LAWFARE (Nov. 30, 2012, 6:58 AM), http://www.lawfareblog.com/2012/11/wcit-12-an-opinionated-primer-
and-hysteria-debunker-2/.
74. Robert M. McDowell, The U.N. Threat to Internet Freedom, WALL ST. J., Feb. 21, 2012,
http://online.wsj.com/article/SB10001424052970204792404577229074023195322.html; see also CTR.
FOR DEMOCRACY & TECH., ITU MOVE TO EXPAND POWERS THREATENS THE INTERNET: CIVIL SOCIETY SHOULD
2015] THE CYBER-LAW OF NATIONS 333
tion from governments, including the United States and European Union;
Internet and technology companies, including Google; and civil society groups.75
In congressional testimony, a State Department official explained that "[g]ov-
ernmental proposals" to "include centralized control over the Internet through a
top-down government approach would put political dealmakers, rather than
innovators and experts, in charge of the future of the Internet," "slow the pace
of innovation, hamper global economic development, . . . potentially lead to an
era of unprecedented control over what people can say and do online," and
"threaten the ability of the world's citizens to freely connect and express
themselves."76 The European Parliament and U.S. Congress each adopted a
resolution opposing ITU control over Internet governance and endorsing the
multistakeholder model.
At WCIT, Russia proposed revisions to the ITRs to include the Internet in the
ITU's purview and challenge management of the domain name system by the
nongovernmental Internet Corporation for Assigned Names and Numbers
(ICANN).'7 Specifically, Russia proposed that "Member States shall have equal
rights to manage the Internet, including in regard to the allotment, assignment
and reclamation of Internet numbering, naming, addressing and identification
resources and to support for the operation and development of basic Internet
infrastructure."79
The outcome of WCIT was mixed for both camps. The United States and its
allies succeeded in including in the ITRs a specific disclaimer that the treaty
"do[es] not address the content-related aspects of telecommunications"80-Internet
regulation-and defeated the Russian proposal to give the ITU, or the
United Nations more broadly, control of the domain name system.81 However, a
version of the Russian proposal was adopted (with some procedural controversy82)
as a separate resolution attached to the treaty text. The resolution states
that "all governments should have an equal role and responsibility for international
Internet governance and for ensuring the stability, security and continuity
of the existing Internet and its future development," and invites Member States
to "elaborate on their respective positions on international Internet-related
technical, development and public-policy issues within the mandate of [the]
ITU at various ITU forums."83 The resolution's insistence on an "equal role"
for "all governments" represents "a pretty firm move away from the multi-stakeholder
model that involved mostly NGOs like ICANN and the [Internet
Engineering Task Force]."84 In other words, the resolution "marks a declaration
of conflict (not war-but conflict) between competing visions of internet governance."
The United States refused to sign the revised treaty,86 citing the Internet
governance resolution and provisions about spam, which necessarily involve
governments in content regulation.87 In the end, eighty-nine countries, including
Russia, China, South Africa, many African countries, and most Middle Eastern
countries, signed the revised ITRs.88 The nonsignatories include the United
States, Canada, Western European countries, Australia, New Zealand, and
India.89
The two-bloc description of the debate regarding cyber governance reflects
the positions evidenced by leading states that have weighed in to date, but the
picture will become more complex over time as other states enter the debate.
Importantly, the divergence in approaches to cyberspace and sovereignty is not
necessarily one between democratic and nondemocratic states. Recent reports
indicate that the Indian government plans to oppose the multistakeholder ap-
proach in favor of a mostly multilateral model because it believes the multistake-
82. See Jochai Ben-Avie, WCIT Watch: Just Taking the Temperature?-A Late Night Resolution on
the Internet, ACCESS BLOG (Dec. 12, 2012, 8:13 PM), https://www.accessnow.org/blog/2012/12/12/wcit-watch-just-taking-the-temperature-a-late-night-resolution-on-the-inter
(chronicling that the chair announced that he "wanted to have the feel of the room"-essentially a straw poll-on the Internet
resolution); Paul Rosenzweig, WCIT Treaty Breakdown-A Summary and Some Analysis, LAWFARE
(Dec. 14, 2012, 10:36 AM), http://www.lawfareblog.com/2012/12/wcit-treaty-breakdown-a-summary-
and-some-analysis/ (explaining that despite the chair's claim to be taking a straw poll, "it appears that
the resolution was actually deemed adopted by the meeting").
83. WCIT Final Acts, supra note 80, Resolution Plen/3, ¶¶ e, 1.
84. Rosenzweig, supra note 82.
85. Id.
86. Media Note, Office of the Spokesperson, U.S. Dep't of State, U.S. Intervention at the World
Conference on International Telecommunications (Dec. 13, 2012), available at
http://www.state.gov/r/pa/prs/ps/2012/12/202037.htm.
87. Id.
88. Signatories of the Final Acts: 89, INT'L TELECOMM. UNION, http://www.itu.int/osg/wcit-12/highlights/
signatories.html (last visited Nov. 30, 2014).
89. Id.; see also Mike Masnick, Who Signed the ITU WCIT Treaty . . . And Who Didn't, TECHDIRT
(Dec. 14, 2012, 5:27 PM), http://www.techdirt.com/articles/20121214/14133321389/who-signed-itu-wcit-treaty-who-didnt.shtml
(providing map of signatory and nonsignatory countries).
The deep disagreement between states about the relationship between cyber-
space and sovereignty poses challenges for achieving agreement on a gover-
nance regime. Options range from treating cyberspace like sovereign territory to
treating it like a global commons, and each option entails a particular type of
legal regime. When evaluating these or intermediate options, the international
community can make use of past precedents. The same fundamental governance
questions now raised by cyberspace have been answered before, and the ex-
amples on which this Article focuses-the legal regimes for the high seas, outer
space, and Antarctica-show that even where territorial sovereignty does not
exist, global governance is possible.
The Article follows in a long tradition of looking to prior legal regimes
governing earlier-used domains. For example, in considering how to govern the
high seas, scholars looked to governance regimes for land; in designing gover-
nance for airspace, commentators looked to the legal regime for the high seas;
and in designing a legal regime for outer space, lawyers looked to the regime
90. Sandeep Joshi, India to Push for Freeing Internet from U.S. Control, HINDU (Dec. 7, 2013,
11:55 PM), http://www.thehindu.com/sci-tech/technology/internet/india-to-push-for-freeing-internet-from-
us-control/article5434095.ece.
91. Brazil, for example, signed the revised ITRs in 2012, but in 2014, shifted to support the
multistakeholder model, hosting NETmundial, a "Global Multistakeholder Meeting on the Future of
Internet Governance," that produced an outcome document strongly supportive of multistakeholder
governance. See NETMUNDIAL, NETMUNDIAL MULTISTAKEHOLDER STATEMENT (2014), available at http://
netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf; see also
Stewart M. Patrick, Brazil's Internet Summit: Building Bridges to Avoid "Splinternet," COUNCIL ON
FOREIGN REL. (Apr. 22, 2014), http://blogs.cfr.org/patrick/2014/04/22/brazils-internet-summit-building-bridges-to-avoid-splinternet/
(describing Brazil's shift away from the multilateral model).
336 THE GEORGETOWN LAw JOURNAL [Vol. 103:317
for airspace.92 As the history of these legal regimes makes clear, consideration
of past regimes need not lead ineluctably to repetition of the same legal regimes
in the new domain. Past governance decisions have value as either positive or
negative referents for designing a new governance system.
In line with this view, section II.A explains different characterizations of
cyberspace and suggests a limited analogy to the high seas, outer space, and
Antarctica. Section II.B provides a brief overview of the international legal
regimes established for these old domains with an eye toward features that are
relevant to governing cyberspace.
92. See STUART BANNER, WHO OWNS THE SKY?: THE STRUGGLE TO CONTROL AIRSPACE FROM THE WRIGHT
BROTHERS ON 45-56, 260-71 (2008).
93. For a chronicle of how the international legal regime for airspace developed, see id. at 42-68.
94. See Convention on International Civil Aviation art. 1, Dec. 7, 1944, 61 Stat. 1180, 15 U.N.T.S.
295 ("[E]very State has complete and exclusive sovereignty over the airspace above its territory.").
95. See Int'l Code of Conduct for Info. Sec., supra note 65 (art. 11(5)) (reaffirming "all States' rights
and responsibilities to protect . . . their information space").
96. But see David E. Sanger, N.S.A. Leaks Make Plan for Cyberdefense Unlikely, N.Y. TIMES,
Aug. 12, 2013, http://www.nytimes.com/2013/08/13/us/nsa-leaks-make-plan-for-cyberdefense-unlikely.
html (reporting that prior to leaks by Edward Snowden, the NSA had lobbied "to deploy the equivalent
of a 'Star Wars' defense for America's computer networks, designed to intercept cyberattacks" before
they reach private-sector targets).
97. There are also normative reasons to prefer maintenance of the status quo over a "Balkanized"
Internet. See, e.g., Charlotte Alfred, Web at 25: Will Balkanization Kill the Global Internet?, HUFF-
INGTON POST (Mar. 19, 2014), http://www.huffingtonpost.com/2014/03/19/web-balkanization-national-
intemet nA4964240.html (noting concerns that undermining the Internet as a single open network
would facilitate greater governmental control of information); Sascha Meinrath, The Future of the
Internet: Balkanization and Borders, TIME (Oct. 11, 2013), http://ideas.time.com/2013/10/11/the-future-
of-the-internet-balkanization-and-borders/ ("[A Balkanized] Internet is in danger of becoming like the
European train system, where varying voltage and 20 different types of signaling technologies force
operators to stop and switch systems or even to another locomotive, resulting in delays, inefficiencies,
and higher costs. Netizens would fall under a complex array of different legal requirements imposing
conflicting mandates and conferring mutually exclusive rights. And much like different signaling
hampers the movement of people and the trade of physical goods, an Internet within such a complex
jurisdictional structure would certainly hamper modern economic activity.").
98. See, e.g., U.S. DEP'T OF DEF., STRATEGY FOR HOMELAND DEFENSE AND CIVIL SUPPORT 12 (2005),
available at http://www.defense.gov/news/jun2005/d2OO5O630homeland.pdf; Anupam Chander, The
New, New Property, 81 TEX. L. REV. 715, 749-50 (2003).
99. N. GREGORY MANKIW, PRINCIPLES OF MICROECONOMICS 224 (6th ed. 2012).
100. Id. See generally Garrett Hardin, The Tragedy of the Commons, 162 SCIENCE 1243 (1968).
101. U.S. DEP'T OF DEF., supra note 98, at 12; see also id. at 1-2; U.S. DEP'T OF DEF., NATIONAL
DEFENSE STRATEGY 16 (2008), available at http://www.defense.gov/news/2008%20National%20
Defense%20Strategy.pdf (discussing the importance of securing "the global commons" in the context
of "goods shipped through air or by sea, or information transmitted under the ocean or through space").
102. Clinton, supra note 68.
103. GOV'T OF CAN., supra note 24, at 2.
104. See ABRAHAM M. DENMARK ET AL., CTR. FOR A NEW AM. SEC., CONTESTED COMMONS: THE FUTURE
OF AMERICAN POWER IN A MULTIPOLAR WORLD 10 (Abraham M. Denmark & James Mulvenon eds., 2010)
("advocat[ing] a broad and multi-pronged strategy to preserve the openness of the four global
commons: maritime, air, space and cyberspace"); Lawrence Lessig, Code and the Commons, Keynote
Address at Conference on Media Convergence, Fordham Law School 3 (Feb. 9, 1999), http://
cyber.law.harvard.edu/works/lessig/Fordham.pdf ("The internet is a commons: the space that anyone
can enter, and take what she finds without the permission of a librarian, or a promise to pay. The net is
built on a commons-the code of the world wide web, html, is a computer language that lays itself
open for anyone to see-to see, and to steal, and to use as one wants."); see also Chris C. Demchak &
Peter Dombrowski, Rise of a Cybered Westphalian Age, STRATEGIC STUD. Q., Spring 2011, at 32, 32
(suggesting that cyber has been a global commons but "[s]ooner or later, good fences are erected to
make good neighbors, and so it must be with cyberspace"); Justyna Hofmokl, The Internet Commons:
Towards an Eclectic Theoretical Framework, 4 INT'L J. COMMONS 226 (2010), available at http://dlc.
dlib.indiana.edu/dlc/bitstream/handle/10535/5644/The%20Internet%20commons%20towards%20an
%20eclectic.pdf?sequence= 1 (providing detailed analysis of "the Internet commons"); Roger Hurwitz,
Depleted Trust in the Cyber Commons, STRATEGIC STUD. Q., Fall 2012, at 20, 23-24, available at
government documents and some of the commentators are not clear about how
they define the commons or, in particular, how they define cyberspace.
Other commentators, moreover, note that the physical hardware supporting
cyber is located within territorial sovereigns and often owned by private parties,
and they regard these facts as fundamentally problematic for the commons
conception of cyber. Some therefore argue that only certain aspects of cyberspace
constitute or could constitute a commons.105 Still others reject the commons
characterization entirely.106
The question of whether cyber or some parts of it meet the formal require-
ments-nonexcludability and rivalrous consumption-to constitute a commons
is an interesting issue, but ultimately not crucial for the purposes of this Article.
Rather, this Article takes a functional approach to the commons question and
focuses instead on the extent to which cyber, regardless of its formal status as a
commons, poses governance challenges similar to the recognized global commons.107
A fundamental similarity unites cyberspace and the old domains: by
108. Treating the high seas and outer space as nonsovereign may be a necessity because it would be
impossible to carve up outer space into sovereign territories and practically impossible to maintain
sovereign control over large parts of the high seas (that is, to maintain sufficient control to exclude
others). The same may not be true with regard to Antarctica, which is a landmass like others that have
been partitioned into sovereign states. Antarctica is by agreement (the Antarctic Treaty), rather than by
necessity, not subject to sovereign claims.
109. See infra section II.B.
110. See Hollis, supra note 31 (manuscript at 11).
111. See, e.g., Jack Clark, Google Cloud Lets Customers Park Their Data in Europe, ZDNET
(Nov. 26, 2012, 6:05 AM), http://www.zdnet.com/google-cloud-lets-customers-park-their-data-in-europe-
7000007900/.
112. Leila Abboud & Peter Maushagen, Germany Wants a German Internet as Spying Scandal
Rankles, REUTERS (Oct. 25, 2013), http://www.reuters.com/article/2013/10/25/us-usa-spying-germany-
idUSBRE99009S20131025.
113. Brazil considered, but ultimately rejected, a data-localization requirement in the wake of
the Snowden disclosures. See id.; see also Paulo Trevisani & Loretta Chao, Brazil Retreats on Plan
That Drew Google's Fire, WALL ST. J., Mar. 20, 2014, http://online.wsj.com/news/articles/
SB20001424052702304026304579449730185773914.
114. Of course, that does not stop states from trying. See Dave Lee, North Korea: On the Net in
World's Most Secretive Nation, BBC NEWS (Dec. 10, 2012, 3:19 AM), http://www.bbc.co.uk/news/
technology-20445632 (describing Kwangmyong, the North Korean intranet that citizens access instead
of the internet).
is manmade, not naturally occurring.115 Cyber is not a physical space, like the
other domains. In addition, the physical hardware enabling cyber (routers,
servers, cables, etc.) exists within territorial sovereigns and is often privately
owned.116
Yet analogizing cyber to the recognized global commons provides a helpful
analytical framework for approaching cyber governance. The analogy takes
seriously how at least some states have characterized cyberspace, and it allows
for comparisons across all three governance questions that this Article identifies:
the need to determine who will be included in discussions about the governance
framework, how such a legal framework will be implemented, and what to
do about military activities. The international community's consideration of
and efforts to address the high seas, outer space, and Antarctica as realms of
potential military confrontation renders these domains particularly useful com-
parators for cyberspace. Other cross-border concerns do not pose the militariza-
tion issue that is crucial to addressing the current international tension over
cyberspace.117
1. High Seas
The high seas have been a domain for transport, trade, and conflict for
thousands of years and have long been regarded as not subject to appropriation
by sovereign states. The customary laws governing the high seas were codified
in a treaty adopted at the first U.N. Conference on the Law of the Sea in April
1958.118 The Convention on the High Seas explains that the treaty is "generally
declaratory of established principles of international law."119
Many of the provisions of the Convention on the High Seas were then
incorporated into the U.N. Convention on the Law of the Sea (UNCLOS),
which opened for signature in 1982 and entered into force in 1994.120 UNCLOS
defines the high seas as "all parts of the sea that are not included in the
exclusive economic zone, in the territorial sea or in the internal waters of a
State, or in the archipelagic waters of an archipelagic State."121 UNCLOS
affirms the non-sovereignty of the high seas, stating, "No State may validly
purport to subject any part of the high seas to its sovereignty."122 It similarly
states that "[t]he high seas are open to all States, whether coastal or land-
locked," and that the "[f]reedom of the high seas," including, inter alia,
navigation, overflight, fishing, and scientific research, may be exercised by all
states "with due regard for the interests of other States in their exercise of the
freedom of the high seas."123 UNCLOS added a new and aspirational condition
on the use of the high seas, reserving them for "peaceful purposes."124 It also
addressed the treatment of ships on the high seas and recognized that all states
have the right to sail ships under their flag, that ships have the nationality of
their flag state, and that states must exercise jurisdiction and control over ships
flying their flag.125
The legal regime for the high seas thus ratifies the high seas' immunity from
national appropriation and establishes multilateral governance, governance by
treaty, and a limitation on use to only "peaceful purposes" (though notably not a
ban on all military activity).
118. See Final Act of the United Nations Conference on the Law of the Sea, Held at the European
Office of the United Nations, at Geneva, from 24 February to 27 April 1958, Done at Geneva on
29 April 1958, 450 U.N.T.S. 11.
119. Convention on the High Seas pmbl., opened for signature Apr. 29, 1958, 13 U.S.T. 2312,
450 U.N.T.S. 11 [hereinafter Convention on the High Seas].
120. See United Nations Convention on the Law of the Sea, U.N. TREATY COLLECTION, http://treaties.
un.org/Pages/ViewDetailslll.aspx?&src= TREATY&mtdsg-no=XXI6&chapter 21&Temp mtdsg3
&lang en (last visited Nov. 30, 2014).
121. United Nations Convention on the Law of the Sea art. 86, opened for signature Dec. 10, 1982,
1833 U.N.T.S. 3 [hereinafter UNCLOS] (misspelling corrected). It is important to note, however, that
UNCLOS reduced the scope of the high seas by, for example, permitting states to claim an exclusive
economic zone. See infra note 171.
122. UNCLOS, supra note 121, art. 89, 1833 U.N.T.S. at 433.
123. Id. art. 87, at 432-33 (misspelling corrected).
124. Id. art. 88, at 433.
125. Id. arts. 90-92, 94, at 433-35 (flagging and jurisdiction); id. arts. 95-96, at 435 (immunity of
warships and noncommercial government ships).
126. See Neil deGrasse Tyson, The Case for Space: Why We Should Keep Reaching for the Stars,
FOREIGN AFF., Mar./Apr. 2012, at 22, 22.
127. G.A. Res. 1348 (XIII), U.N. Doc. A/4009 (Dec. 13, 1958), available at http://www.oosa.un
vienna.org/oosalen/SpaceLaw/gares/html/gares13_1348.html.
128. G.A. Res. 1472 (XIV), U.N. Doc. A/4351 (Dec. 12, 1959), available at http://www.oosa.un
vienna.org/oosalen/SpaceLaw/gares/html/gares_14_1472.html.
129. M.J. Peterson, The Use of Analogies in Developing Outer Space Law, 51 INT'L ORG. 245,
253-54 (1997).
130. Id. at 254 & n.41.
131. Id. at 254; see also BANNER, supra note 92, at 266.
132. G.A. Res. 1721 (XVI), art. A, ¶ 1(b), U.N. Doc. A/5026 (Dec. 20, 1961) (emphasis added),
available at http://www.oosa.unvienna.org/oosalen/SpaceLaw/gares/html/gares_16_1721.html; see also
G.A. Res. 1962 (XVIII), ¶ 2, U.N. Doc. A/5656 (Dec. 13, 1963), available at http://www.oosa.
unvienna.org/oosalen/SpaceLaw/gares/html/gares_18_1962.html.
133. See Treaty on Principles Governing the Activities of States in the Exploration and Use of
Outer Space, Including the Moon and Other Celestial Bodies, opened for signature Jan. 27, 1967,
18 U.S.T. 2410, 610 U.N.T.S. 205 [hereinafter Outer Space Treaty].
means of use or occupation, or by any other means,"134 and that space activities
shall be conducted in accordance with international law.135
With respect to military issues, the treaty prohibits states from placing in
orbit, installing on celestial bodies, or stationing in outer space nuclear weapons
or other weapons of mass destruction.136 It also declares that "[t]he moon
and other celestial bodies shall be used . . . exclusively for peaceful purposes,"
and prohibits military installations, weapons testing, and military maneuvers on
celestial bodies.137 The treaty assigns states international responsibility for
their governmental and nongovernmental activities in outer space and renders
the launching state liable for damage caused in air or space or on Earth by a
launched object.138
The Outer Space Treaty opened for signature on January 27, 1967, and
entered into force on October 10, 1967, with the ratification of five states,
including the U.S.S.R. and the United States.139 As of January 1, 2014, 103
states have become parties, and another 25 have signed the treaty.140
The issue of control and militarization of outer space bodies was taken up
again in the 1979 Agreement Governing the Activities of States on the Moon
and Other Celestial Bodies (Moon Treaty).141 The treaty specifies that activities
on the moon and other celestial bodies must be "carried out in accordance with
international law, in particular the Charter of the United Nations."142 It explicitly
restricts use of the moon to "peaceful purposes," and prohibits "[a]ny threat
or use of force or any other hostile act or threat of hostile act on the moon" or
use of the moon to threaten or engage in hostile acts with respect to "the earth,
the moon, spacecraft, the personnel of spacecraft or man-made space objects."143
It further prohibits placing or using nuclear or other weapons of mass
destruction on or in orbit around the moon, establishing military bases, or
conducting weapons tests on the moon.144
The Moon Treaty reiterates that the moon is not subject to sovereignty
claims,145 but also declares that "[t]he moon and its natural resources are the
common heritage of mankind."146 This principle has proven controversial because,
to implement it, the treaty obliges states to establish an international
regime to provide for "equitable sharing" of benefits from future exploitation of
the moon.147 As of January 2014, only fifteen states have ratified the Moon
Treaty.148
In sum, the legal regime enshrined in the Outer Space Treaty, along with
the less-accepted Moon Treaty, affirms that space and celestial bodies may not
be assimilated to sovereign states. The regime was developed in multilateral
fora and relies on governance by treaty. The Outer Space Treaty also restricts
militarization by banning nuclear weapons, prohibiting any military activity
on celestial bodies, and limiting activities on celestial bodies to "peaceful
purposes."
3. Antarctica
The nonsovereign status of Antarctica, like that of outer space, was not a
foregone conclusion. In fact, seven states made territorial claims to parts of
Antarctica between 1908 and 1943.149 In 1958, the United States invited the
eleven other countries that had participated in the Antarctic program of the
International Geophysical Year to a conference to discuss an Antarctic treaty.150
After only six weeks of deliberation, the Antarctic Treaty was signed on
December 1, 1959.151
The treaty freezes152 preexisting territorial claims and establishes that the
treaty does not constitute a "renunciation or diminution" of existing claims to
territorial sovereignty or prejudice any state's position with regard to any other
state's claim.153 It further specifies that no acts while the treaty is in force "shall
constitute a basis for asserting, supporting or denying a claim to territorial
sovereignty in Antarctica or create any rights of sovereignty in Antarctica," and
extent to which the context for cyber is similar to and different from the old
domains and offers proposals for the role of private parties, possible modes of
governance, and regulation of military activities.
The questions of "who participates?" and "who controls?" are basic and
defining issues in any governance system. Russia, China, and the United States
each support answers that favor their national interests.
Russia and China endorse a multilateral model in which states interact with
each other and make decisions about policy and permissible actions in the cyber
domain. The state-based model centralizes authority and opens the door to
greater regulation of information, which is a central theme of Russia and
China's proposed cyber treaty.161 The United States and its allies, on the other
hand, embrace a "multistakeholder model" in which Internet governance in-
cludes "all appropriate stakeholders," such as the private sector, civil society,
academia, and individuals, in addition to governments.162 The United States has
161. See Int'l Code of Conduct for Info. Sec., supra note 65 (art. 11(3)) (requiring states to "curb[]
dissemination of information which incites terrorism, secessionism, extremism or undermines other
countries' political, economic and social stability, as well as their spiritual and cultural environment").
162. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 10, 12.
Wu, supra note 18, at vii. They note that while activists in the 1990s argued that "it was impossible for
the government to control the Internet," many now "demand[] that the government act to protect the
Internet from perceived threats-whether from telecom firms or foreign governments." Id.
165. See supra note 68 and accompanying text.
166. Cf. LENNARD G. KRUGER, CONG. RESEARCH SERV., R42351, INTERNET GOVERNANCE AND THE
DOMAIN NAME SYSTEM: ISSUES FOR CONGRESS 9-10, 19 (2014) (noting criticism of and proposals to
replace U.S. authority over ICANN); Joshi, supra note 90. Relatedly, supporting the multistake-
holder model supports constituencies, like technology companies, that have become increasingly active
in lobbying the U.S. government in recent years. See, e.g., Jeff Bercovici, Tech Companies Seeking
Surveillance Reform Spent $35 Million Lobbying Last Year, FORBES (Dec. 9, 2013, 8:36 AM), http://
www.forbes.com/sites/jeffbercovici/2013/12/09/tech-companies-seeking-surveillance-reform-spent-35-
million-lobbying-last-year/; Data Privacy, Security Drive Tech Lobbying Spending Increase, NETCHOICE
(Apr. 24, 2014), http://netchoice.org/washington-internet-daily-data-privacy-security-drive-tech-lobbying-
spending-increase/.
167. For a stark encapsulation of the possibility of and rejection by states of a predominant role for
private parties, see GOLDSMITH & Wu, supra note 18, at 29-46 (discussing 1997-98 efforts by the
Internet Society and Jon Postel to move Internet policy and root authority away from the U.S.
government and the successful U.S. government assertion of control).
168. See JAMES CRAWFORD, BROWNLIE'S PRINCIPLES OF PUBLIC INTERNATIONAL LAW 16-17 (8th ed.
2012) ("[T]he power structures within the international system are such that sovereignty and statehood
remain the basic units of currency," but "[i]t is no longer possible to deny that individuals may have
rights and duties in international law . . . .").
169. See supra text accompanying notes 127-40, 150-51.
170. See Outer Space Treaty, supra note 133, art. VI, 18 U.S.T. at 2415, 610 U.N.T.S. at 209
(specifying that states bear international responsibility for activities carried on by nongovernmental
entities and requiring private actors to obtain authorization from their national state, which has a duty to
supervise the private actors); Antarctic Treaty, supra note 151, arts. VII-VIII, 12 U.S.T. at 797-98, 402
U.N.T.S. at 76-78 (requiring states to give notice regarding expeditions by its nationals, stations
occupied by its nationals, and military personnel, and specifying that observers and scientific personnel
on exchanges are subject to the jurisdiction only of their national state).
171. In certain respects, the role of private parties in cyber governance may be similar to the
historical role of private parties in the formation of international law related to the high seas,
specifically the lex mercatoria. In both instances, private parties developed governance mechanisms
without the intervention of states. See Johnson & Post, supra note 18, at 1389-90 (calling the "origin of
the Law Merchant" the "most apt analogy to the rise of a separate law of Cyberspace"); Henry H.
Perritt, Jr., The Internet as a Threat to Sovereignty? Thoughts on the Internet's Role in Strengthening
National and Global Governance, 5 IND. J. GLOBAL LEGAL STUD. 423, 427 (1998) ("Cybernauts most
closely resemble medieval merchants who developed substantive rules and practices to regulate
transnational trade-the lex mercatoria-outside traditional political institutions."). For the high seas,
however, states intervened and developed law for issues of state concern; the same result is likely for
cyberspace. The intervention of states in the law of the sea may, in fact, be a cautionary tale for
cyberspace. When states finally codified the law of the sea, they extended the realm of sovereign
control and decreased the scope of the commons (that is, the high seas) by, for example, allowing states
to have an exclusive economic zone extending 200 miles from their baselines. See W. MICHAEL REISMAN
ET AL., INTERNATIONAL LAW IN CONTEMPORARY PERSPECTIVE 656 (2004) (Note 3).
172. See generally Mitch Waldrop, DARPA and the Internet Revolution, in DARPA: 50 YEARS OF
BRIDGING THE GAP 78 (2008), available at www.darpa.mil/WorkArea/DownloadAsset.aspx?id=2554.
173. About the IETF, INTERNET ENGINEERING TASK FORCE, http://www.ietf.org/about/ (last visited
Nov. 30, 2014).
174. Getting Started in the IETF, INTERNET ENGINEERING TASK FORCE, http://www.ietf.org/
newcomers.html (last visited Nov. 30, 2014).
175. Id.
176. See Bradner, supra note 20, ¶ 1.2 ("In outline, the process of creating an Internet Standard is
straightforward: a specification undergoes a period of development and several iterations of review by
the Internet community and revision based upon experience, is adopted as a Standard by the appro-
priate body . . . and is published. In practice, the process is more complicated, due to . . . the importance
of establishing widespread community consensus . . . ."); Mission Statement, INTERNET ENGINEERING
TASK FORCE, http://www.ietf.org/about/mission.html (last visited Nov. 30, 2014) (describing the IETF's
"cardinal principles" of "[r]ough consensus and running code").
177. See Articles of Incorporation of Internet Corporation for Assigned Names and Numbers,
INTERNET CORP. FOR ASSIGNED NAMES & NUMBERS, http://www.icann.org/en/about/governance/articles
(last visited Nov. 30, 2014).
178. See Welcome to ICANN!, INTERNET CORP. FOR ASSIGNED NAMES & NUMBERS, http://www.icann.org/
en/about/welcome (last visited Nov. 30, 2014). The United States announced in March 2014 its intent to
transition its remaining domain name functions to ICANN, and ICANN has convened a multistake-
holder process to develop a transition plan. See Craig Timberg, U.S. to Relinquish Remaining Control
over the Internet, WASH. POST, Mar. 14, 2014, http://www.washingtonpost.com/business/technology/us-to-relinquish-remaining-control-over-the-internet/2014/03/14/0c7472d0-abb5-11e3-adbc-888c8010c799_story.html;
see also Administrator of Domain Name System Launches Global Multistakeholder
Accountability Process, INTERNET CORP. FOR ASSIGNED NAMES & NUMBERS (Mar. 14, 2014), https://www.
icann.org/resources/press-material/release-2014-03-14-en.
179. See GOLDSMITH & WU, supra note 18, at 33-35; ROBERT K. KNAKE, COUNCIL ON FOREIGN
RELATIONS, INTERNET GOVERNANCE IN AN AGE OF CYBER INSECURITY 6 (2010), available at http://www.cfr.org/
terrorism-and-technology/internet-governance-age-cyber-insecurity/p22832.
providers and web companies accelerate the transition from Internet Protocol
version 4 ('IPv4') to Internet Protocol version 6 ('IPv6')," which the IETF
developed to allow continued growth of the Internet despite exhaustion of the
4.3 billion IP addresses that were available under IPv4.180 The new Internet
protocol was "developed, supported, and largely implemented by non-state
actors."181
Thus, if nonstate parties were cut out of Internet and cyber governance
matters in a shift to a multilateral system, governments or multilateral institu-
tions would need to assume the functions that private parties currently perform.
It is not clear that they could do so or at least that they could do so effectively.182
Second, private parties are important ongoing users of cyberspace, both
numerically and strategically. There is a preexisting constituency of private
parties that are accustomed to participating in and having a major influence on
cyber policy issues.183 Adopting the multilateral model of cyber governance
that China and Russia advocate is in effect not a question of whether to
enfranchise private parties in cyber governance, but rather whether to disenfran-
chise private parties that have participated in and even controlled governance
for decades.184 Cyber therefore starts from the opposite baseline from the legal
regimes established in particular for outer space, where states operated first
and private parties have only recently begun to operate in ways similar to
governments.185
Third, private parties own the majority of the underlying infrastructure that
180. David P. Fidler, Recent Developments and Revelations Concerning Cybersecurity and Cyberspace:
Implications for International Law, ASIL INSIGHTS (June 20, 2012), http://www.asil.org/insights/
volume/16/issue/22/recent-developments-and-revelations-concerning-cybersecurity-and. IPv6 increases
the number of possible IP addresses to "approximately 340 undecillion (or trillion, trillion, trillion)." Id.
181. Id.
182. See, e.g., Zoe Baird, Governing the Internet: Engaging Government, Business, and Nonprofits,
FOREIGN AFF., Nov./Dec. 2002, at 15, 15; see also INTERNET SOC'Y, SUBMISSION: ITU WORLD CONFERENCE
ON INTERNATIONAL TELECOMMUNICATIONS REGULATIONS (WCIT-12), at 3 (2012) (arguing that governments
should not "lock-in a regulatory approach that may have significant and unpredictable negative con-
sequences for the ability of networks to evolve, for new services to come about, for new businesses to
be formed worldwide").
183. See Baird, supra note 182, at 15 ("Many of the initial Internet oversight bodies emphasized
self-regulation, bottom-up control, decentralization, and privatization, reflecting a conviction that gov-
ernment would never 'get it' or move fast enough to keep pace with technological change."); Daniel W.
Drezner, The Global Governance of the Internet: Bringing the State Back In, 119 POL. SCI. Q. 477, 481
(2004) ("A cursory review of the nonstate actors involved in the regulation of the Internet [including
the IETF and ICANN] . . . suggests the existence of a strong, coherent, epistemic community on these
issues.").
184. See Wu, supra note 33, at 664 ("Because of the pattern of the Internet's growth, most of the
currently existing norms have been established by individuals from the United States and likeminded
countries; thus the norms of those countries can be felt strongly in the higher-level norms and rules of
cyberspace.").
185. For a contemporaneous snapshot of the primacy of states in the early days of outer space
operations, see Nicholas deB. Katzenbach, Sharable and Strategic Resources: Outer Space, Polar
Areas, and the Oceans, 53 AM. SOC'Y INT'L L. PROC. 206, 207 (1959).
supports the cyber domain.186 This ownership structure means that private
parties may be responsible for implementing policy choices made by govern-
ments.187 Private actors may also suffer harm due to governments' actions, as
some U.S. technology companies assert has occurred in the wake of the
Snowden disclosures.188 Private parties have, in essence, a vested interest in at
least some policy decisions concerning cyberspace.
Finally, a move to a multilateral model would mark a qualitative shift in the
nature of the Internet. The current Internet "embodies a mode of social and
technical organization which is decentralized, cooperative, and layered."189
Shifting to a multilateral model, on the other hand, could facilitate increased
governmental control of content and access to information.190 The current
decentralized Internet architecture, dependent on informal associations of pri-
vate parties like the IETF, helps to foster other types of freedom from state
control, including the freedoms of speech and association. The United States
has explicitly tied its advocacy of the multistakeholder model to fostering these
freedoms, arguing that the multistakeholder model "fuels the freedom of expres-
sion and association that enables social and political growth and the functioning
of democratic societies worldwide."191
As this discussion makes clear, the debate over the multilateral versus
multistakeholder governance models embodies, in microcosm, a larger clash
about the role of states vis-à-vis individuals. The enfranchisement of private
parties that the current system allows is antithetical to the state control over
private parties upon which some governments depend, and the openness and
freedom that a nonstate-run Internet facilitates jeopardizes that state control.
Goldsmith and Wu have argued that nearly "every debate about Internet gover-
186. See U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 12 ("[I]nfrastructure owners and
operators . . . are responsible for the majority of network functionality . . . ."); GOLDSMITH & WU, supra
note 18, at 73 ("The physical network is by necessity a local asset, owned by phone companies, cable
companies, and other service providers . . . .").
187. See Hearing to Receive Testimony on U.S. Strategic Command and U.S. Cyber Command in
Review of the Defense Authorization Request for Fiscal Year 2014 and the Future Years Defense
Program Before the S. Comm. on Armed Servs., 113th Cong. 2 (2013) (statement of General Keith B.
Alexander, Commander, U.S. Cyber Command) [hereinafter Statement of Keith B. Alexander],
available at http://www.defense.gov/home/features/2013/0713_cyberdomain/docs/Alexander%20
testimony%20March%202013.pdf ("Most networked devices . . . are in private hands, and their owners
can deny or facilitate others' cyber operations by how they manage and maintain their networks and
devices."); Austin Ramzy, Google Ends Policy of Self-Censorship in China, TIME (Jan. 13, 2010),
http://content.time.com/time/world/article/0,8599,1953248,00.html (explaining Google's decision to cease
censorship of sensitive topics in China).
188. See Cecilia Kang & Ellen Nakashima, Tech Executives to Obama: NSA Spying Revelations Are
Threatening Business, WASH. POST, Dec. 17, 2013, http://www.washingtonpost.com/business/technology/
2013/12/17/6569b226-6734-11e3-a0b9-249bbb34602c_story.html; Steven Levy, How the NSA Almost
Killed the Internet, WIRED (Jan. 7, 2014, 6:30 AM), http://www.wired.com/2014/01/how-the-us-almost-
killed-the-internet/all/.
189. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 22.
190. See KNAKE, supra note 179, at 7.
191. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 22; see also Clinton, supra note 68.
nance is at bottom a debate about speech governance,"192 and freedom (or not)
of speech is an important marker differentiating types of governments. Funda-
mentally, the answer to "who controls?" also impacts what and how much
control will be exercised.
When states gathered to establish legal regimes for the old domains, private
parties had neither the preexisting governance role nor the ongoing ownership
of the underlying components in those domains that they have in cyber. Nor did
governance of the old domains implicate the freedoms of speech and association
that cyber involves. These divergences suggest that, although multilateral gover-
nance made sense for the old domains, private parties should be treated differ-
ently with regard to cyberspace. States considering legal regimes for cyber do
not operate on a blank slate, as they essentially did in crafting the treaties for
the old domains. Beginning from the nearly opposite baseline from the old
domains with regard to the role of private parties, cyber cannot and should not
be governed by the same multilateral model. For cyber, a multistakeholder
model represents a compromise between an all-private model, which govern-
ments cannot tolerate, and the states-only multilateral model that China and
Russia advocate.
The next section addresses the best modality or modalities to govern cyber
issues.
B. MODALITY OF GOVERNANCE
The international community has a menu of options for governing the cyber
domain. First, states could do nothing. That is, they could leave the domain
governed only by existing internationally agreed-upon rules that apply regard-
less of location. If no governance mechanism is unacceptable, then alternatives
include a broad, multilateral treaty, narrower treaties, or soft law, such as norms.
For the high seas, outer space, and Antarctica, states ultimately created a
governance structure specific to each of them and agreed on the same general
modality of governance: a broad, multilateral treaty. For cyber, the international
community has not agreed upon treaties, except as to cybercrime.193 The
examples of the treaties addressing the old domains may suggest that treaties
are the ultimate end state for any contested domain that poses similar challenges
to the old domains. Or it may simply be an accident of history that the old
domains are governed via treaty.
This section addresses the relative strengths and weaknesses of several
possible options-no governance arrangement specific to cyberspace, a multi-
lateral treaty, narrower or regional treaties, and agreed or common norms. It
discusses their likelihood and utility for cyber, drawing lessons as appropriate
from the choices made with regard to the old domains.
1. No Governance Arrangement
The first option for a governance structure is not to have one-that is, to have
no governance structure specific to a domain. With the exception of cybercrime
treaties and technical regulations,194 there is no governance mechanism specific
to cyber at present. A no-governance structure is the default absent agreement to
some other mechanism. Importantly, the absence of a domain-specific gover-
nance structure does not mean that no law applies. Generally applicable interna-
tional laws continue to apply to new circumstances, including to states' actions
in cyberspace.195
In certain circumstances, states might choose not to institute a governance
arrangement specific to a domain. For example, a governance arrangement may
be unnecessary if states have no ability to operate in a domain-for example,
outer space prior to the 1950s-or if customary rules have developed and are
well-accepted. The latter situation prevailed with regard to the high seas prior to
the codification of customary rules in the Convention on the High Seas and
UNCLOS.196 Alternatively, a governance arrangement might be desirable and
necessary but may still not exist just after operation in a domain becomes
possible because of uncertainty about the consequences for states of various
legal rules.197 Outer space in the 1950s might exemplify this situation.198 More
194. See Wu, supra note 33, at 658 (describing the "Internet as an international regime" because
states connected to the Internet "all have implicitly agreed, at a minimum, to a set of technical standards
that facilitate the transmission of data over the Internet," specifically the TCP/IP system).
195. For example, in considering the permissibility under international law of the threat or use of
nuclear weapons, the International Court of Justice made clear that, despite the lack of a treaty
specifically addressing nuclear weapons, states' use of nuclear weapons must comply with the U.N.
Charter restrictions on the use of force and with basic precepts of international humanitarian law.
Legality of Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, 244 (July 8)
(explaining that Articles 2(4) and 51 of the U.N. Charter "apply to any use of force, regardless of the
weapons employed"); id. at 257-60 (discussing the applicability of the Martens Clause, the principle of
distinction, and the prohibition on use of weapons that cause unnecessary suffering); cf. Michael N.
Schmitt, International Law in Cyberspace: The Koh Speech and the Tallinn Manual Juxtaposed,
54 HARV. INT'L L.J. ONLINE 13, 17 (2012), http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-
Online_54_Schmitt.pdf (explaining that it is "well accepted that a lack of directly applicable treaty law
does not create an international humanitarian law-free zone").
196. See Convention on the High Seas, supra note 119, pmbl., 12 U.S.T. at 2314, 450 U.N.T.S.
at 82.
197. Cf. BANNER, supra note 92, at 278 (explaining, with respect to the legal status of outer space
in the 1950s, that "[l]egal uncertainty was useful to those with the power to act in space, on either side
of the cold war"); Franzese, supra note 6, at 38 ("[S]tates might want to wait to enter agreements that
define acceptable and prohibited activity until they obtain a better understanding of cyberspace's
strategic potential."); Wu, supra note 33, at 665 ("At this nascent stage of the Internet's influence on
mainstream society, cyberspace retains a high degree of independence simply for reasons of inertia. The
governments of the world have only begun to express their preferences . . . .").
198. Cf. BANNER, supra note 92, at 272 (chronicling that U.S. officials did not want an international
agreement on space in the 1950s and early 1960s because the dominant position of the United States
meant that "any rules would necessarily fetter the United States the most"); id. at 275 ("The Soviet
Union, the only other nation with a significant space program, had the same incentive to avoid
committing itself to any view of the law that might restrict its own activities in space.").
2. Treaty
At the opposite end of the spectrum from no governance arrangement,
treaties enshrine a formal legal agreement about governance of a domain. The
high seas, outer space, and Antarctica all came to be governed by multilateral
199. Cf. Fidler, supra note 180 ("Nothing about the Stuxnet or Flame revelations suggests that
states, especially the great powers and, in particular, those concerned about U.S. cyber power, will scale
back cyber espionage activities or development of offensive and defensive cyber capabilities-a
situation not conducive to developing international legal rules on cybersecurity challenges.").
200. For a prediction of when international cooperation will occur, see Wu, supra note 33, at 657
(describing the institutionalist theory as predicting that "international regimes will arise where states
must coordinate their behavior in order to achieve a desired outcome," such as "where uncoordinated
calculations of self-interest will generate a non-Pareto-optimal outcome (such as the classic prisoner's
dilemma) or even lead to disastrous results, or where an issue area is particularly complex," including
such examples as "security regimes" like "arms control agreements or the United Nations Security
Council"). For a call for additional governance of cyber, see Charles J. Dunlap, Jr., Towards a
Cyberspace Legal Regime in the Twenty-First Century: Considerations for American Cyber-Warriors,
87 NEB. L. REV. 712, 720 (2009) (recognizing the need for "improved international cooperation to
create legal architecture to better address the level of cyber activities not falling into the category where
established law of war processes readily apply").
201. Int'l Code of Conduct for Info. Sec., supra note 65; U.S. INT'L STRATEGY FOR CYBERSPACE, supra
note 62, at 8; cf. Perritt, supra note 171, at 429 ("Internet regulation is a global problem, like
environmental degradation in the ozone depletion or global warming contexts, because no one country
can adequately deal with the problem on its own. Thus, international cooperation is necessary.").
treaties,202 but so far cyber largely is not.203 Certain states have proposed cyber
treaties for more than a decade,204 but significant skepticism exists about the
prospects for a cyber treaty,205 with some commentators calling a "worldwide,
comprehensive cybersecurity treaty" a "pipe dream."206
Nonetheless, China, Russia, Tajikistan, and Uzbekistan in September 2011
submitted to the U.N. Secretary-General a draft International Code of Conduct
for Information Security and requested that the Secretary-General provide the
draft to the General Assembly for discussion.207 China explained that the
Code's aim was "to reach consensus on the international norms and rules standardizing
the behavior of countries concerning information and cyberspace."208
The Code itself repeatedly emphasizes the need to maintain "international
stability and security."209 To further this goal, it would obligate states not to use
cyber technology or networks "to carry out hostile activities or acts of aggression"
and not to "proliferate information weapons and related technologies."210
The Code would also require states to cooperate in "curbing dissemination of
information which incites terrorism, secessionism, extremism or undermines
other countries' political, economic and social stability, as well as their spiritual
and cultural environment."211 In line with China and Russia's preferred vision
and as noted above,212 the Code would promote sovereign states' control over
202. The use of broad multilateral treaties to govern the old domains may be a reflection of the
historical period in which they were negotiated. The decades following World War II and the
establishment of the United Nations saw the negotiation of numerous multilateral conventions and
raised the prominence of treaties vis-à-vis customary international law. See RESTATEMENT (THIRD) OF THE
FOREIGN RELATIONS LAW OF THE UNITED STATES pt. III, introductory note (1987) ("The law of international
agreements has grown in significance and scope since the Second World War, as international
agreements have assumed a larger place in the life of the international community of states and in
international law."); see also id. pt. I, ch. 1, introductory note.
203. GOLDSMITH & WU, supra note 18, at 165 ("Internet treaties in particular have proven elusive.");
Tim Wu et al., The Future of Internet Governance, 101 AM. SOC'Y INT'L L. PROC. 201, 213 (2007)
(quoting Wu explaining that "the role of treaties . . . in the regulation of the Internet[] is fairly minimal,
though not non-existent").
204. In 1996, France proposed a "Charter for International Cooperation on the Internet," and the
"French Minister for Information Technology expressed hope that the initiative would lead eventually
to an accord comparable to the international law of the sea." Wu, supra note 33, at 660 & nn.55-56.
Similarly, in the late 1990s, Russia circulated a draft "arms-control treaty for cyberspace" among U.N.
Security Council members, but the United States and its allies dismissed the draft treaty. James Adams,
Virtual Defense, FOREIGN AFF., May/June 2001, at 98, 104; see also KNAKE, supra note 179, at 7.
205. See, e.g., Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, in FUTURE CHALLENGES IN
NATIONAL SECURITY AND LAW (Peter Berkowitz ed., 2011), http://www.hoover.org/taskforces/national-security/challenges.
206. Adam Segal & Matthew Waxman, Why a Cybersecurity Treaty Is a Pipe Dream, CNN WORLD
(Oct. 27, 2011, 2:01 PM), http://globalpublicsquare.blogs.cnn.com/2011/10/27/why-a-cybersecurity-treaty-
is-a-pipe-dream/; see also Segal, supra note 72, at 15.
207. See Int'l Code of Conduct for Info. Sec., supra note 65.
208. Id.
209. Id.
210. Id. (art. 11(2)); see also id. (art. 11(11)) (requiring states to pledge to "settle any dispute resulting
from the application of this Code through peaceful means and refrain from the threat or use of force").
211. Id. (art. 11(3)).
212. See supra note 66 and accompanying text.
213. Int'l Code of Conduct for Info. Sec., supra note 65 (art. 11(5)).
214. Id. (art. 11(7)).
215. See U.S. Delegation Statement, supra note 164 ("The United States favors international
engagement to develop a consensus on appropriate cyberspace behavior, based on existing principles of
international law, and we cannot support approaches proposed in the draft Code of Conduct for
Information Security that would only legitimize repressive state practices.").
216. See supra note 202 (noting the prevalence of multilateral treaty negotiations at the time treaties
for the old domains were negotiated).
217. Segal, supra note 72, at 15 ("Washington and Beijing won't agree to a broad treaty governing
cyberspace mainly because they hold fundamentally incompatible views on the Internet and society.");
Segal & Waxman, supra note 206 ("With the United States and European democracies at one end and
China and Russia at another, states disagree sharply over such issues as whether international laws of
war and self-defense should apply to cyber attacks, the right to block information from citizens, and the
roles that private or quasi-private actors should play in Internet governance.").
218. PRC MILITARY AND SECURITY DEVELOPMENTS, supra note 61, at 37.
plained the "fundamental difference" in how the countries define cyber threats,
noting that while Russia, China, and Iran "focus on 'cyber influence' and the
risk that Internet content might contribute to political instability and regime
change," "[t]he United States focuses on cyber security and the risks to the
reliability and integrity of our networks and systems."219 In addition to these
substantive disagreements, states also disagree on the need for new law, with
China, Russia, and others pushing for entirely new legal frameworks, and the
United States arguing that existing international law applies and that law for
cyber is a matter of "applying old questions to the latest developments in
technology."220
For the high seas, outer space, and Antarctica, states agreed that the domains
should not be controlled by individual states (or in the case of Antarctica, that
territorial claims would be preserved for later resolution in case international
governance failed). For cyber, there is no similar agreement. Because China,
Russia, and other states believe that cyber should be subject to sovereign states'
control, and the United States and its allies believe cyber should not be
controlled by individual states or states acting in concert, agreement will be
difficult if not impossible.221
Second, there is no preexisting system of cyber-specific laws that can be
simply formalized in a treaty. The absence of agreed norms or a modus operandi
makes cyber unlike the high seas. The high seas were first governed formally by
the Convention on the High Seas, which was "generally declaratory of established
principles of international law."222
Third, many and perhaps even all states have a stake in any potential cyber
treaty. The Internet and cyber gain utility from their broad acceptance.223 The
number of interested parties who would want to weigh in on and who would
219. Current and Projected National Security Threats to the United States: Hearing Before the
S. Select Comm. on Intelligence, 113th Cong. 18 (2013) (statement for the record of James R. Clapper,
Director of National Intelligence) [hereinafter Statement of James R. Clapper], available at http://
www.intelligence.senate.gov/1 3 1 11 3 pdfs/ 11 389.pdf.
220. Harold Hongju Koh, International Law in Cyberspace, Remarks as Prepared for Delivery to the
USCYBERCOM Inter-Agency Legal Conference (Sept. 18, 2012), in 54 HARV. INT'L L.J. ONLINE 1, 8
(2012), http://www.harvardilj.org/wp-content/uploads/2012/12/Koh-Speech-to-Publishl.pdf.
221. However, the Antarctic Treaty was negotiated despite territorial claims by some states because
those states agreed to freeze their territorial claims during the treaty's existence. See Antarctic Treaty,
supra note 151, art. IV, 12 U.S.T. at 796, 402 U.N.T.S. at 74.
222. Convention on the High Seas, supra note 119, pmbl., 13 U.S.T. at 2314, 450 U.N.T.S. at 82.
223. See DAVID SINGH GREWAL, NETWORK POWER: THE SOCIAL DYNAMICS OF GLOBALIZATION 24-27
(2008); TIM WU, THE MASTER SWITCH: THE RISE AND FALL OF INFORMATION EMPIRES 282 (Vintage Books
2011) (2010) ("The supreme value of the [World Wide] Web was, and is, its universality."); id. at
318-19 ("[The] network effect, or network externality.... [is the idea that] a network becomes more
valuable as more people use it. . . . And a network that everyone uses is worth fantastically more than
the sum value of one hundred networks with as many users collectively as the one great network.");
Mark A. Lemley & David McGowan, Legal Implications of Network Economic Effects, 86 CALIF. L.
REV. 479, 484 (1998) ("'Metcalfe's Law' asserts that for computers, the value of participation on a
network grows exponentially with the size of the network.").
224. Antarctic Treaty, supra note 151, pmbl., 12 U.S.T. at 795, 402 U.N.T.S. at 72. For a list of the
seven claimant states, see supra note 149.
225. See Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer
Space, Including the Moon and Other Celestial Bodies, U.S. DEP'T ST., http://www.state.gov/www/global/
arms/treaties/space1.html (last visited Nov. 30, 2014).
226. Cf. Hurwitz, supra note 104, at 31 ("[W]hen more parties are involved, especially when the
issues are complex, there will be a greater number of competing claims that take time to reconcile, if
they can be reconciled at all. Negotiations for . . . [UNCLOS], which regulates another commons,
lasted a decade despite building on centuries of admiralty law and being more confined to issues of
state sovereignty.").
227. Specific proposals include narrow treaties that would prohibit attacks on the Internet root
and "limit[] state actor penetration into civilian systems that have limited, if any, intelligence value,"
including, for example, power grids. KNAKE, supra note 179, at 23.
228. See Nye, supra note 17, at 34-35 ("The most promising early areas for international coopera-
tion are not bilateral conflicts, but problems posed by third parties such as criminals and terrorists,"
including cybercrime and cyberterrorism.). Nye's suggestion of a cyberterrorism treaty fits the para-
digm of focusing on third parties, but Nye provides no reason to think that the definitional and other
difficulties that have plagued international efforts to achieve agreement with regard to non-cyber
terrorism would be any less problematic in the cyber context.
229. Other proposals suggest protecting the "security and sanctity of root operations" and "ban[ning]
denial-of-service attacks." KNAKE, supra note 179, at 23.
force in 2004230 and is open to any state. So far, forty-four states have ratified it,
including non-Council of Europe members such as Australia, Japan, and the
United States.231
The Budapest Convention, however, also exemplifies the limits of regional
treaties. China and its allies have not joined and have expressed disapproval of
the Convention on both procedural and substantive grounds.232 As a procedural
matter, they appear unwilling to join a Convention that they were not involved
in drafting, and as a substantive matter, they object to the authority the
Convention gives law enforcement authorities to access servers outside their home
jurisdiction.233 As an alternative, China and Russia have advocated a new
cybercrime treaty,234 which the United States and its European allies have
rejected.235 The United States continues to push for more states to ratify the
Budapest Convention,236 but its insistence on the Council of Europe treaty may
actually hinder the development of broader agreement on cybercrime issues.
Developing countries and other non-European countries might be more likely to
sign treaties that they play a part in drafting237-even treaties that are substan-
230. Treaty Office, Council of Eur., Status Report on Convention on Cybercrime, COUNCIL EUR.,
http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT= 185&CM &DF &CL=ENG (ratifi-
cations as of Nov. 6, 2014).
231. Id.
232. See, e.g., CICIR-CSIS, supra note 71 (explaining China's procedural and substantive objec-
tions).
233. Id. (noting view of CICIR that the Budapest Convention "fails to adequately reflect the
significant concern of the developing world in fighting cybercrime" and that "there exists inevitable
concern over violation of sovereignty and incompatibility with domestic legislations caused by
transnational collection of evidence"); Mark Ballard, UN Rejects International Cybercrime Treaty,
COMPUTER WKLY. (Apr. 20, 2010, 3:44 PM), http://www.computerweekly.com/news/1280092617/UN-rejects-international-cybercrime-treaty
(explaining that "developing countries want[] a new treaty drafted by a
global process" and that Russia has opposed the Convention's provisions allowing police "to access
servers in other countries without the permission of the authorities, as long as the system owners
sanction the access" ever since "US police in 2000 hacked computers belonging to two Russian men
who had been defrauding American banks").
234. See Ballard, supra note 233 (explaining that Russia proposed a new cybercrime treaty at a 2010
U.N. conference, but the proposal was rejected in light of U.S. and EU opposition and support for the
Budapest Convention); see also CICIR-CSIS, supra note 71 ("CICIR advocates a new international
convention on cybercrime being drafted through both bilateral and multilateral efforts and by autho-
rized GGE within the UN framework.").
235. See CICIR-CSIS, supra note 71 ("CSIS has stressed the inadequacy of other arrangements for
dealing with cybercrime when compared to the Budapest convention . . . ."); Ballard, supra note 233;
see also U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 20 (stating U.S. policy to advocate for
broader adherence to the Budapest Convention).
236. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 20.
237. For example, in June 2014, the African Union adopted the African Union Convention on Cyber
Security and Personal Data Protection, which deals in part with cybercrime. African Union Convention
on Cyber Security and Personal Data Protection ch. III, June 27, 2014, AU No. Ex.CL/846(XXV),
available at http://pages.au.int/sites/default/files/en AU%20Convention%20on%20CyberSecurity%20
Pers%20Data%20Protec%20AUCyC%20adopted%2OMalabo.pdf; see also The African Union Conven-
tion on Cybersecurity and Personal Data Protection, ZIMBABWEAN (July 21, 2014, 4:15 PM), http://
www.thezimbabwean.co/news/zimbabwe/72617/the-african-union-convention-on.html (assessing
strengths and weaknesses of the convention).
238. Cf. KNAKE, supra note 179, at 13 ("Instead of trying to cajole former colonies into a treaty put
together by former colonial powers, replicating the Council of Europe Convention on Cybercrime in the
Organization of American States, the African Union, and the Association of Southeast Asian Nations
(ASEAN) may be more effective.").
239. GOLDSMITH & Wu, supra note 18, at 166.
240. For additional discussion of issues related to cyber militarization, see infra section III.C.
241. For example, nuclear arms treaties address the behavior of states and their fundamental
security. See, e.g., Treaty Between the United States of America and the Russian Federation on
Measures for the Further Reduction and Limitation of Strategic Offensive Arms, U.S.-Russ., Apr. 8,
2010, T.I.A.S. No. 11-205.
242. Cf. Tod Leaven & Christopher Dodge, The United States Cyber Command: International
Restrictions vs. Manifest Destiny, 12 N.C. J.L. & TECH. ONLINE 1, 3 (2010), http://ncjolt.org/the-united-states-cyber-command-international-restrictions-vs-manifest-destiny/
(arguing that the United States
should "wait until more information is available to better analyze its position before entering into an
international cyber-warfare treaty"); supra notes 197-98 and accompanying text.
243. See Leaven & Dodge, supra note 242, at 23 ("[T]ying the hands of the United States, with its
premier position in cyber-space, would only cause global harm."); Jack Goldsmith, The New Vulnerability,
NEW REPUBLIC (June 7, 2010), http://www.newrepublic.com/articlelbooks-and-arts/75262/the-new-vulnerability
(book review) (rejecting proposal by Richard Clarke for a treaty that would ban cyber
attacks against civilian infrastructure but not cyber exploitation on the grounds that China, which
targets U.S. civilian infrastructure, would "have little interest in signing on," and "nations subject to
NSA snooping but not good at snooping themselves would not be interested in a carve-out for
state-sponsored snooping"); cf. KNAKE, supra note 179, at 21-22 ("The United States is the most feared
bogeyman in cyberspace, given its historical role in developing the underlying technologies and the
high level of capability within U.S. military and intelligence agencies.").
244. See Nye, supra note 17, at 34 ("[D]ifferences in cultural norms and the impossibility of
verification make such [cyber arms control] treaties difficult to negotiate or implement. Such efforts could
actually reduce national security if asymmetrical implementation put legalistic cultures like the United
States at a disadvantage compared to societies with a higher degree of government corruption.");
Goldsmith, supra note 243.
3. Norms
If the absence of a governance regime is unacceptable, but a broad multilateral
treaty is impossible, development of norms to govern behavior in the cyber
domain may be the best-or only-option. Unlike a meticulously negotiated
treaty text, norms are general principles, not precise rules.245
However, norm development is attractive for several reasons.
First, norms are easier to develop than a treaty and therefore may provide a
faster route to establishing at least a partial governance system. Unlike a treaty,
which requires broad agreement and may take years to negotiate, norms can
arise through states acting individually, bilaterally, regionally, or multilaterally
and without agreement of all states.246 Norms may develop through unilateral
policy declarations, such as states' issuance of cyberspace policies or speeches
by government officials.247 Norms may also arise through actions and statements
of groups of states or simply between two states. Bilateral declarations
might include joint communiqués248 or, for example, the addition of cyber
attacks as triggers for the provisions of the U.S.-Australia mutual defense
treaty.249 On a regional level, NATO in 2011 issued a "Policy on Cyber
Defence," which makes clear that "NATO will defend its territory and populations
against all threats, including emerging security challenges such as cyber
defence" and that NATO will provide assistance if its members suffer a cyber
attack.250 In a declaration accompanying a meeting of heads of state in September
2014, NATO further clarified its position that "international law, including
international humanitarian law and the UN Charter, applies in cyberspace."251
Such declarations have the potential to emerge from groups that are not
245. Stephen D. Krasner, Structural Causes and Regime Consequences: Regimes as Intervening
Variables, in INTERNATIONAL REGIMES 1, 2 (Stephen D. Krasner ed., 1983) (defining norms as "standards
of behavior defined in terms of rights and obligations" and rules as "specific prescriptions or proscrip-
tions for action").
246. See U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 18 (noting that cyberspace issues
have been discussed at, inter alia, the Organization of American States, Organization for Cooperation
and Security in Europe, and African Union); Segal & Waxman, supra note 206 (arguing that progress
for the United States in "promoting a vision of cyber security and freedom" will "be incremental . . .
and achieved through multiple arrangements hammered out with a wide array of state and private actors
rather than through a global accord").
247. For an example of such a speech, see Koh, supra note 220.
248. See, e.g., OECD High Level Meeting, The Internet Economy: Generating Innovation and
Growth, Paris, Fr., June 28-29, 2011, Communiqué on Principles for Internet Policy-Making, available
at http://www.oecd.org/internet/innovation/48289796.pdf; see also Segal & Waxman, supra note 206
(suggesting that the United States "cultivate allies and like-minded partners through joint policy
declarations, recognizing that Beijing and Moscow are doing likewise" (emphasis omitted)).
249. See Simon Mann, Cyber War Added to ANZUS Pact, SYDNEY MORNING HERALD, Sept. 16, 2011,
http://www.smh.com.au/national/cyber-war-added-to-anzus-pact-20110915- lkbuv.html.
250. NATO, DEFENDING THE NETWORKS: THE NATO POLICY ON CYBER DEFENCE 2 (2011), available at
http://www.nato.int/nato-static/assets/pdf/pdf 2011 09/20111004 110914-policy-cyberdefence.pdf.
251. Press Release, NATO, Wales Summit Declaration Issued by the Heads of State and Government
Participating in the Meeting of the North Atlantic Council in Wales ¶ 72 (Sept. 5, 2014), available at
http://www.nato.int/cps/en/natohq/official texts_11 2964.htm?selectedLocale = en.
simply composed of like-minded allies. For example, in June 2013, the U.N.
Group of Governmental Experts (GGE) on Developments in the Field of
Information and Telecommunications in the Context of International Security
achieved consensus on the very general principle that "[i]nternational law, and
in particular the Charter of the United Nations," applies in cyberspace.252
Although the generality of the agreed statement leaves much unclear about the
application of international law in practice, the declaration is significant because
it represents agreement by all fifteen of the GGE member states,253 including
Russia and China, which had not previously conceded that international law
applies to cyberspace at all.254
The informality and multistage process of norm emergence also has the
potential to provide a greater voice to developing countries and to
non-governmental actors. In bilateral interactions with, for example, the United States,
United Kingdom, or China, developing countries may be able to exert a stronger
influence on norm development than they would at a single conference to
develop a broad cyber treaty.255 Enfranchisement of developing countries in
norm creation may promote buy-in to the resulting norms and avoid later
problems, like those surrounding the Budapest Convention,256 whereby developing
countries are pressed to accept a fait accompli. Of course, efforts to recruit
developing and other as yet undecided countries to one set of norms or another
may provide an additional arena of competition for the United States and its
allies, and China, Russia, and their allies.257
Second, norms can develop through and evolve with state practice. Much
remains unknown about states' capabilities, which change with technological
advances. A treaty aimed at current capabilities risks becoming out-of-date, but
252. U.N. Grp. of Governmental Experts on Devs. in the Field of Info. & Telecomms. in the Context
of Int'l Sec., Rep., transmitted by Note of the Secretary-General, ¶ 19, U.N. Doc. A/68/98 (June 24,
2013) [hereinafter U.N. GGE 2013 Report]; see also Press Statement, Jen Psaki, Spokesperson, U.S.
Dep't of State, Statement on Consensus Achieved by the UN Group of Governmental Experts on Cyber
Issues (June 7, 2013), available at http://www.state.gov/r/palprs/ps/2013/06/210418.htm.
253. The participating states are: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia,
France, Germany, India, Indonesia, Japan, Russia, the United Kingdom, and the United States. U.N.
GGE 2013 Report, supra note 252, Annex.
254. See PRC MILITARY AND SECURITY DEVELOPMENTS, supra note 61, at 37; Ellen Nakashima, U.S.
and Russia Sign Pact to Create Communication Link on Cyber Security, WASH. POST, June 17, 2013,
http://www.washingtonpost.com/world/national-security/us-and-russia-sign-pact-to-create-communication-link-on-cyber-security/2013/06/17/ca57ea04-d788-11e2-9df4-895344cl3c30_story.html.
255. See U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 12 ("[W]e will actively engage the
developing world, and ensure that emerging voices on these issues are heard."); see also Segal, supra
note 72, at 19-20 (arguing that it is "especially important [for the United States] to find common
ground with rising powers such as Brazil, India, Indonesia, and South Africa" because "[a]greements
with them about acceptable behavior would ratchet up the pressure on China, which rarely prefers to
remain an international outlier").
256. See supra text accompanying notes 232-39.
257. Commentators place particular emphasis on establishing technical partnerships with developing
countries and rising Internet powers as a way to counter similar efforts by countries with opposing
views of desirable cyber norms. See Segal, supra note 72, at 20; Segal & Waxman, supra note 206.
258. See, e.g., Kanuck, supra note 105, at 1589-90 ("State practice creates a dual-track, recursive
process by which sovereign governments individually or collectively interpret the rules of jus ad bellum
and jus in bello; produce their own national strategies, declaratory policies, military doctrines, and rules
of engagement; and then conduct activities that in turn influence customary international law and the
future application of the U.N. Charter, Geneva Conventions, and other IHL provisions.").
259. Cf. Nye, supra note 17, at 29 ("Learning can lead to concurrence in beliefs without cooperation.
Governments act in accordance with their national interests, but they can change how they define
their interests, both through adjusting their behavior to changes in the structure of a situation as well as
through transnational and international contacts and cooperation." (emphasis omitted)).
260. See U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 10, 19-20; see generally EXEC.
OFFICE OF THE PRESIDENT OF THE U.S., ADMINISTRATION STRATEGY ON MITIGATING THE THEFT OF U.S. TRADE
SECRETS (2013), available at http://www.whitehouse.gov//sites/default/files/omb/IPEC/adminstrategy on
mitigatingtheatheft of u.s._tradetsecrets.pdf.
261. See Nye, supra note 17, at 30 (arguing that Russia and China's tolerance for cybercrime may
decrease as they become more frequent cybercrime targets and explaining that this "independent
learning may pave the way for active cooperation later"); Segal, supra note 72, at 14 (noting
suggestions that broad agreement on cyberspace behavior may be possible because U.S. and Chinese
"long-term interests are aligned," in that "one day China will be as dependent on digital infrastructure
for economic and military power as the United States is today").
262. See supra note 261.
263. See Ashley Deeks, The Geography of Cyber Conflict: Through a Glass Darkly, 89 INT'L L.
STUD. 1, 3 (2013) ("Establishing State-to-State expectations about what types of cyber activities will
trigger what types of responses will provide important incentives for ostensibly neutral States to take
steps to protect their computer networks while minimizing the likelihood of inter-State misunderstandings
that lead to unnecessary conflict in the cyber or non-cyber realms."); Koh, supra note 220, at 3
("Developing common understandings about how these rules apply in the context of cyber activities in
armed conflict will promote stability in this area."); cf. CICIR-CSIS, supra note 71 ("Both CICIR and
CSIS believe that confidence building measures in the cyberspace are the antidote to strategic
mistrust.").
conflicting norms may emerge. But even in that circumstance, norms have the
potential to serve a coordinating function and foster valuable clarity about
states' actions. The U.S. International Strategy for Cyberspace advocates norm
development for this reason. The Strategy notes that the world's growing
dependence on cyberspace has "not been matched by clearly agreed-upon
norms for acceptable state behavior in cyberspace."264 It explains that "[i]n
other spheres of international relations, shared understandings about acceptable
behavior have enhanced stability" and brought "predictability to state conduct,
helping prevent the misunderstandings that could lead to conflict."265 The
Strategy further asserts that norms "will diminish misperceptions about military
activities and the potential for escalatory behavior."266
The United States has recently taken bilateral steps with China and Russia
that explicitly focus on decreasing misperceptions. In June 2013, the United
States and Russia announced an agreement "to reduce the risk of conflict in
cyberspace through real-time communications about incidents of national
security concern."267 The agreement provides for communications and information
sharing between U.S. and Russian computer emergency-response teams, a
direct channel for urgent communications about cyber exercises and incidents, a
direct communications link between the U.S. cyber coordinator and his Russian
counterpart (a repurposing of the Cold War nuclear "hotline"), and a working
group "on issues of threats to or in the use of" information and communications
technologies (ICTs) that will discuss emerging threats and coordinate joint
exercises in order to "strengthen confidence."268 The United States and China
also established a working group to discuss cybersecurity issues, though China
suspended its participation in the wake of the May 2014 U.S. indictments of
Chinese military officials for hacking U.S. companies.269
264. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 9; see also U.S. DEP'T OF DEF., supra
note 60, at 10 ("DoD will assist U.S. efforts to advance the development and promotion of international
cyberspace norms and principles that promote openness, interoperability, security, and reliability.");
Segal & Waxman, supra note 206 ("[D]ialogue with China, Russia and others should focus not on
reaching legal agreement but on communicating redlines and developing confidence-building
measures . . . ." (emphasis omitted)).
265. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 9; see also U.S. Delegation Statement,
supra note 164 ("[T]ransparency, confidence-building, and stability measures should be developed . . .
to enhance international stability and thereby reduce the risk of conflict in cyberspace.").
266. U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 21.
267. Nakashima, supra note 254.
268. Press Release, White House, Joint Statement by the Presidents of the United States of America
and the Russian Federation on a New Field of Cooperation in Confidence Building (June 17, 2013),
available at http://www.whitehouse.gov/the-press-office/2013/06/17/joint-statement-on-a-new-field-of-
cooperation-in-confidence-building; see also Nakashima, supra note 254 (reporting on the U.S.-Russia
pact).
269. See supra notes 7-9 and accompanying text. Although norm development has been the stated
U.S. policy since the International Strategy in 2011, the continuing U.S. commitment to norm
development, at least with China, might reasonably be questioned in light of the U.S. decision to indict
Chinese military officials for cyberespionage despite China's predictable reaction of suspending the
working group, which was intended to serve as an important forum for bilateral discussions on
The escalating risk of and rhetoric about conflict due to cyber intrusions
suggest that the current lack of clarity regarding basic principles about state
action in cyberspace is becoming untenable. States must agree on or at least
clarify baseline positions regarding cyber actions in order to avoid conflict in
and stemming from cyberspace. Because fundamental divergences between the
major powers regarding sovereign control over the Internet make an omnibus
cyber treaty unlikely, the most promising mechanisms for ordering international
expectations and sovereign actions are piecemeal treaties focused on narrow
issues or negotiated among like-minded groups of states and norms developed
through unilateral, bilateral, and multilateral declarations, and evolving state
practice. The next section turns to the most dangerous area of disagreement and
thus the most crucial area for agreement: the use of military force in and via
cyberspace.
C. MILITARIZATION
cybersecurity issues. See Kristen Eichensehr, The US Needs a New International Strategy for Cyberspace,
JUST SECURITY (Nov. 24, 2014, 10:28 AM), http://justsecurity.org/17729/time-u-s-international-strategy-cyberspacel.
270. Antarctic Treaty, supra note 151, art. 1(1), 12 U.S.T. at 795, 402 U.N.T.S. at 72.
271. Outer Space Treaty, supra note 133, art. IV, 18 U.S.T. at 2413-14, 610 U.N.T.S. at 208.
272. Id.
273. Moon Treaty, supra note 141, art. 3, 1363 U.N.T.S. at 23.
274. UNCLOS, supra note 121, art. 88, 1833 U.N.T.S. at 433.
275. Antarctic Treaty, supra note 151, art. I(1), 12 U.S.T. at 795, 402 U.N.T.S. at 72.
276. Outer Space Treaty, supra note 133, art. IV, 18 U.S.T. at 2413-14, 610 U.N.T.S. at 208.
277. Id.
278. See UNCLOS, supra note 121, art. 88, 1833 U.N.T.S. at 433.
279. Int'l Code of Conduct for Info. Sec., supra note 65 (art. I).
280. Id. (art. 11(2)).
net)," including "pledges not to use cyber warfare and refrain from developing a
cyber range and cyber weapons."281
Several characteristics of cyberspace and cyberconflict could make
demilitarization or limits on militarization desirable.
First, no state can completely control the Internet and other systems and
networks or even effectively defend its cyber borders.282 In an age of advanced
persistent threats, even supposedly secure or air-gapped systems can be
breached.283 Similar uncertainty about defensive capabilities and offensive
dominance existed when states agreed to prohibit militarization of the moon
and, to a lesser extent, outer space. When the Outer Space Treaty was negotiated,
the United States and the U.S.S.R. were the only nations that had the
capacity to act in space, and they were in a space "race" with an unclear winner.
Neither knew if it would be the first to develop a space weapon. The inability or
uncertainty about a state's ability to control a domain militarily creates an
opportunity for coordination. This is particularly clear in the context of the
Outer Space Treaty. Each state's preferred outcome is to control the domain
itself, and each state's worst outcome is for its adversary to control the domain.
In that circumstance, the uncertainty for each state about its ability to control
the domain if both states militarize creates an incentive to cooperate and agree
that neither state will militarize, an outcome that allows each state to avoid its
worst case scenario-military control of the domain by its adversary.284 Thus,
as a general matter, states may agree to demilitarize domains when it is unclear
whether any state (or if any state then which state) would be able to achieve
military dominance (or at least the securest defenses).
Second, military conflict in the cyber domain poses a great risk of unintended
consequences. The interconnected nature of civilian networks with networks
and systems that would be legitimate military targets creates difficulties in
limiting the effects of attacks to military networks.285 In addition, the complex-
281. CICIR-CSIS, supra note 71. CICIR further proposed to "[i]ncrease mutual trust through
pledges not to use cyber warfare and refrain from developing a cyber range and cyber weapons." Id.
282. See Nye, supra note 17, at 20 ("The largest powers are unlikely to be able to dominate this
domain as much as they have others like sea, air, or space."); supra note 96 and accompanying text.
283. See, e.g., Lynn, supra note 60, at 97 (explaining that classified U.S. military networks were
breached when a flash drive was inserted into a computer and malware infiltrated the network of U.S.
Central Command); David E. Sanger & Thom Shanker, N.S.A. Devises Radio Pathway into Computers,
N.Y. TIMES, Jan. 14, 2014, http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-
connected-to-internet.html; Sanger, supra note 60 (explaining that the Stuxnet worm breached an
air-gapped network at Iran's Natanz nuclear facility).
284. See Goldsmith & Levinson, supra note 59, at 1827 (discussing how international relations
"sometimes seem to follow the logic of coordination games" and in that circumstance, international law
can act as a "focal point for coordination" that allows states to escape a prisoners' dilemma).
285. See Kanuck, supra note 105, at 1595; Koh, supra note 220, at 8 (listing as an "[u]nresolved
[q]uestion" what to do about "dual-use infrastructure," explaining that "[p]arties to an armed conflict
will need to assess the potential effects of a cyber attack on computers that are not military
objectives . . . but may be networked to computers that are valid military objectives," and stating that
"[p]arties will also need to consider the harm to the civilian uses of such infrastructure in performing
the necessary proportionality review").
ity of coding creates the possibility that even narrowly targeted worms or
viruses can spread beyond their intended targets,286 or that a hacker may cause
extensive damage through sheer incompetence.287 Similar fear of unintended
consequences from conflict in outer space and Antarctica may have helped to
motivate the treaties that restricted military activities in those domains.
Third, increased investment in and dependence on the Internet and cyber
more generally increase a state's vulnerability to attack. As many have noted,
cyber is an "offense-dominant environment," where attacks are comparatively
easy to mount but assets are difficult to defend.288 Therefore, "because of
greater dependence on networked computers and communication, the United
States is more vulnerable to attack than many other countries."289 This fact
has not escaped notice: according to the U.S. Department of Defense, a key
principle of China's information operations strategy is that "potential Chinese
adversaries, in particular the United States, are seen as 'information
dependent.'"290 The Chinese military itself, however, is becoming increasingly
technology dependent.291 Taking the long view, China may calculate that its future
vulnerabilities could match or exceed those of the United States, which may
make demilitarization more attractive in the short term.
On the positive side, demilitarization could decrease the risk and create
favorable conditions for increased investment in cyber. A similar rationale
may have contributed to the decision to limit militarization in outer space. At
the time of the Outer Space Treaty, space was little used, but since that time,
satellites have become much more prevalent for communications, global positioning
systems, and other everyday as well as national security uses, to the point
that certain orbits are now cluttered.292 Assurance that space would not be
militarized freed countries to invest in technologies in and dependent on the
domain.
Despite these rationales supporting demilitarization of cyber, several
determinative circumstances make such demilitarization unlikely.
First, a sufficient condition to prevent demilitarization of cyber is that the
United States and the United Kingdom have rejected the idea of a treaty
286. See Sanger, supra note 60 (explaining that the Stuxnet worm spread beyond Iran's Natanz
nuclear facility due to a programming error); see also Statement of James R. Clapper, supra note 219,
at 19 (noting that radical hacktivist groups may "accidentally trigger unintended consequences that
could be misinterpreted as a state-sponsored attack").
287. See Jim Finkle, 'Irrational' Hackers Are Growing U.S. Security Fear, REUTERS (May 22,
2013), http://www.reuters.com/article/201 3/05/22/us-cybersecurity-usa-infrastructure-idUSBRE94
L13R20130522 (reporting concerns from security experts that hackers may unintentionally damage
critical infrastructure).
288. Lynn, supra note 60, at 99; Nye, supra note 17, at 21 ("Because the Internet was designed for
ease of use rather than security, the offense currently has the advantage over the defense.").
289. Nye, supra note 17, at 20.
290. PRC MILITARY AND SECURITY DEVELOPMENTS, supra note 61, at 10.
291. Id. at 11, 33.
292. See generally Space Debris, EUR. SPACE AGENCY, http://www.esa.int/Our Activities/Operations/
SpaceDebris/About space-debris (last visited Nov. 30, 2014).
293. See Kanuck, supra note 105, at 1588 n.80 (detailing U.S. and U.K. submissions to the U.N.
Secretary-General opposing the idea of an international treaty addressing cyber conflict).
294. OFFICE OF MGMT. & BUDGET, EXEC. OFFICE OF THE PRESIDENT, STATEMENT OF ADMINISTRATION
POLICY H.R. 4310-NATIONAL DEFENSE AUTHORIZATION ACT FOR FY 2013, at 4 (2012), available at
http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/112/saphr431or 20120515.pdf; see also
Segal, supra note 72, at 17-18 ("The United States' strategy in cyberspace has always been about more
than just defense; as Chinese officials are quick to note, it was the United States that first set up a cyber
command and thus, in their view, militarized cyberspace.").
295. Some have deemed Stuxnet to cross the Rubicon into an age of cyber conflict. See Demchak &
Dombrowski, supra note 104, at 32; Sanger, supra note 60 (quoting former CIA head Michael V.
Hayden as stating that Stuxnet was "the first attack of a major nature in which a cyberattack was used to
effect physical destruction," and with it, "[s]omebody crossed the Rubicon"). The United Kingdom has
also sought to develop offensive cyber capabilities. Espiner, supra note 60.
296. Lynn, supra note 60, at 99.
297. Statement of Keith B. Alexander, supra note 187, at 3 (explaining that the United States can
deter cyber attacks by states because "foreign leaders believe that a devastating attack on the critical
infrastructure and population of the United States by cyber means would be correctly traced back to its
source and elicit a prompt and proportionate response," but recognizing that "some future regime or
cyber actor could misjudge the impact and certainty of our resolve," suggesting that deterrence against
nonstate actors may not work); Statement of James R. Clapper, supra note 219, at 17 ("Advanced cyber
actors-such as Russia and China-are unlikely to launch such a devastating attack against the United
States outside of a military conflict or crisis that they believe threatens their vital interests," but
"isolated state or nonstate actors might deploy less sophisticated cyber attacks as a form of retaliation
or provocation.").
298. Nye, supra note 17, at 20; see also id. at 22 ("[B]ecause of the commercial predominance and
low costs, the barriers to entry to cyber are much lower for nonstate actors.").
als."299 U.S. officials have noted that "some terrorist organizations have heightened
interest in developing offensive cyber capabilities," although they may be
"constrained by inherent resource and organizational limitations and competing
priorities."300 In light of the threat from nonstate actors, states have less
incentive to demilitarize cyber: even if states agreed among themselves to
restrict military activities in cyberspace, such an agreement would not restrain
nonstate actors, who may already have or will almost certainly acquire military
capabilities in cyberspace.301 The potential for nonstate actors to act militarily
in cyberspace is a notable departure from the circumstances in which the Outer
Space Treaty and the Antarctic Treaty militarization provisions were negotiated -
circumstances in which the major and virtually only actors in the domains
were states, and those states could be certain of restricting military activities by
agreeing among themselves.302
Fourth, the current context of the debate between the United States,
United Kingdom, and their allies, and Russia, China, and their allies over
militarization of cyberspace lacks the strategic clarity that the Cold War framework
provided for the agreements to regulate militarization in the old domains.
The Cold War bipolar system provided predictability about the identity of
adversaries and a mechanism (deterrence) for avoiding conflict. Cyber, by contrast,
presents a broader range of possible adversaries and increased difficulty
identifying attackers.303 In other words, in the cyber domain there are challenges
of both attribution and deterrence, which are interrelated.
The extent of the attribution problem is unclear and debated. Some argue
that attribution is not a significant problem as a technical matter304 or as a
strategic matter.305 Others, however, argue that attribution problems pose signifi-
299. Statement of Keith B. Alexander, supra note 187, at 3; cf. Statement of James R. Clapper, supra
note 219, at 17 (noting that for the next two years the ability to cause a major cyber attack "will be out
of reach for most actors").
300. Statement of James R. Clapper, supra note 219, at 19; see also id. (noting that hacktivist groups
might "inflict more systemic impacts-such as disrupting financial networks-or accidentally trigger
unintended consequences that could be misinterpreted as a state-sponsored attack"); Finkle, supra
note 287 (reporting House Intelligence Committee Chairman Mike Rogers' statement that terrorists are
seeking, but do not yet have the ability, to launch cyber attacks "on U.S. infrastructure").
301. See Statement of Keith B. Alexander, supra note 187, at 4 ("[W]orldwide terrorist organizations
like al Qaeda and its affiliates have the intent to harm the United States via cyber means," but "so far,
their capability to do so has not matched their intent.").
302. See Katzenbach, supra note 185, at 207 (explaining that for the then-foreseeable future, governmental
entities were likely to be the only ones operating in outer space).
303. See KNAKE, supra note 179, at 13 (explaining that attribution is difficult because both the origin
of cyberattacks and identity of an attacker are hard to determine).
304. See Panetta, supra note 60 (asserting that the U.S. Department of Defense has made "significant
advances" in attribution and therefore that "[p]otential aggressors should be aware that the United
States has the capacity to locate them and to hold them accountable for their actions").
305. See KNAKE, supra note 179, at 14 (arguing that the attribution problem "should not be overstated"
because "at most twenty groups worldwide" have "the ability to wage anything that rises to the
level of 'war' in cyberspace," and thus, "[i]n the event of a major attack, the list of potential suspects
will be small"); Nye, supra note 17, at 33 (arguing that "[i]nterstate deterrence through entanglement
and denial still exists even when there is inadequate attribution," and noting that because of entangled
networks, China would "lose from an attack that severely damaged the American economy, and vice
versa"); id. at 34 (noting that "reputational damage" caused by "credible" rumors about an attacker's
identity or a state's "reputation for offensive capability" and policy of retaliation can contribute to
deterrence).
306. See Kanuck, supra note 105, at 1596 ("Without positive attribution, there is no ability to
monitor, verify, or signal in the traditional Cold War sense," which "raises the question of whether or
not cyber deterrence is even possible at this juncture.").
307. Cf. Adams, supra note 204, at 102 ("Unlike during the Cold War, when the nuclear standoff
produced its own understandable rules of the game that included a sophisticated deterrence mechanism,
no legal or de facto boundaries inhibit cyber-aggressions. Instead, information warfare is a free-for-all,
with more and more players hurrying to join the scrimmage.").
308. Lynn, supra note 60, at 99; see also Finkle, supra note 287 (reporting that U.S. national
security experts are increasingly concerned "that 'irrational' cyber actors-such as extremist groups,
rogue nations or hacker activists-are infiltrating U.S. systems to hunt for security gaps").
309. See Nye, supra note 17, at 34 ("[N]onstate actors are harder to deter, and improved defenses
such as preemption and human intelligence become important in such cases.").
310. See Chuck Hagel, Sec'y of Def., Remarks at Retirement Ceremony for General Keith Alexander
(Mar. 28, 2014), available at http://www.defense.gov/Speeches/Speech.aspxSpeechID = 1837 (noting
that the U.S. "modern cyber force . . . is enhancing our ability to deter aggression in cyber space");
Panetta, supra note 60 ("In addition to defending the department's networks, we also help deter attacks.
Our cyber adversaries will be far less likely to hit us if they know that we will be able to link [them] to
the attack or that their effort will fail against our strong defenses."); Vice Adm. Michael S. Rogers,
Advance Questions for Vice Admiral Michael S. Rogers, USN, Nominee for Commander, U.S. Cyber
Command (Mar. 11, 2014), http://www.armed-services.senate.gov/imo/medialdoc/Rogers_03-11-14.pdf;
U.S. INT'L STRATEGY FOR CYBERSPACE, supra note 62, at 13 ("The United States will ensure that
the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits. We
fully recognize that cyberspace activities can have effects extending beyond networks; such events may
require responses in self-defense."); supra note 297; cf. Segal, supra note 72, at 17 (arguing that
"Chinese intrusions into U.S. power grids or other critical infrastructure, especially when evidence is
left behind," help China "send a message of deterrence").
officials believe that "'rational' super powers like China or Russia ... may have
the ability to destroy critical U.S. infrastructure with the click of a mouse, but
they are unlikely to do so, in part because they fear Washington would retaliate."311
But for purposes of assessing the likelihood that states will agree to
demilitarize cyber, the incomplete and uncertain nature of deterrence creates a
lack of clarity about risks and incentives that undermines states' ability to
bargain toward demilitarization or perhaps even more limited arms control.312
In sum, unlike Antarctica and outer space at the time restrictions on militarization
were adopted for those domains, the ship has already sailed with regard to
militarizing cyberspace. Walking back militarization would be difficult, particularly
in light of the spread of cyber weapons beyond states. The differences
between cyber and the old domains about timing of militarization and the
proliferation of military capabilities suggest that a different outcome is likely
for cyber, but a different outcome may in fact be desirable.
311. Finkle, supra note 287.
312. Cf. Goldsmith, supra note 243 (arguing that the "main reason" that "true international cooperation
on cyber security" is unlikely is that "attribution of any attack is slow and uncertain, and thus
verification of a cyber-attack ban is hard if not impossible," and noting that "[u]nless the attribution
problem can be fixed, which few think is possible, it is hard to imagine nations (including the United
States) giving up significant offensive capabilities").
313. See Lynn, supra note 60, at 108; Nye, supra note 17, at 22.
314. Lynn, supra note 60, at 108 ("The cyberthreat does not involve the existential implications
ushered in by the nuclear age . . . ").
return us to the Stone Age."315 In other words, cyberwar, even cyberwar gone
wrong, may pose less of a downside risk than conflict in other domains or by
other means that the international community has prohibited.
Cyberconflict also has potential upside as compared to conventional warfare.
In particular, cyber weapons have the potential to be more discriminate than
conventional arms because they can be designed to harm only precise targets.
Stuxnet is the best example so far of a highly targeted weapon. It was precisely
designed to sabotage Iranian nuclear centrifuges. Of course, Stuxnet also shows
the difficulty of engineering a cyber weapon with the precision that is theoretically
possible: its existence was revealed after coding errors allowed it to
infiltrate systems other than its targets.316 Nevertheless, cyber weapons have at
least the potential to achieve hyper-specific targeting that can achieve military
objectives while avoiding loss of life.317 Improved precision in targeting may
even lead to tightening for cyber weapons of the protections that the principle of
distinction affords to civilians under the law of armed conflict.318
Relatedly, cyber weapons may also be targeted to deploy destruction in a
more calibrated way than is possible with conventional arms and may therefore
better effectuate the law-of-war principle of proportionality.319 The ability to
precisely control the effects of cyber weapons could enable states more accurately
to effectuate the rule that any harm to civilians from military action may
not be "excessive in relation to the concrete and direct military advantage
anticipated."320
Because of the nonexistential downside risk of cyberwar and the upside
3. Regulated Militarization
The lack of an overarching agreement to demilitarize cyber does not mean
that states are free to act militarily at will or without limits in the domain or that
smaller-bore agreements are impossible. Standards-based limitations on types of
actions and rules-based prohibitions on types of weapons can helpfully regulate
cyber militarization.321 The first category involves applying or translating the
existing laws of armed conflict to cyberspace.322 The second category, which
has been used for conventional weapons but has not yet received much attention
with respect to cyber, would involve banning particular types of cyber weapons.
Unlike the application of the existing laws of armed conflict, extant weapons
bans cannot simply be translated into the cyber context.
321. Michael Reisman describes jus in bello as comprised of two parts: the first "consists of
principles to be applied in determining the proper use and quantum of force in specific cases," while the
second "contains a set of absolute prohibitions," including, for example, "the use of poison gas or
dumdum bullets, the initiation of aggressive war, [and] . . the intentional killing of non-combatants."
W. MICHAEL REISMAN, THE QUEST FOR WORLD ORDER AND HUMAN DIGNITY IN THE TWENTY-FIRST CENTURY:
CONSTITUTIVE PROCESS AND INDIVIDUAL COMMITMENT 422 (2012).
322. For a critical view of "law by analogy," see Hollis, supra note 31 (manuscript at 20-30).
323. See, e.g., William H. Boothby, Methods and Means of Cyber Warfare, 89 INT'L L. STUD. 387
(2013); Jack Goldsmith, How Cyber Changes the Laws of War, 24 EUR. J. INT'L L. 129 (2013); Eric
Talbot Jensen, Cyber Attacks: Proportionality and Precautions in Attack, 89 INT'L L. STUD. 198 (2013);
Michael N. Schmitt, Classification of Cyber Conflict, 89 INT'L L. STUD. 233 (2013); Sean Watts,
Combatant Status and Computer Network Attack, 50 VA. J. INT'L L. 391 (2010).
324. See, e.g., CICIR-CSIS, supra note 71 ("CSIS and CICIR agreed that the threshold for calling an
event in cyberspace an attack should be high-not everything bad that happens in cyberspace is an
attack or the use of force."); Oona A. Hathaway et al., The Law of Cyber-Attack, 100 CALIF. L. REV. 817,
826 (2012) (proposing that cyber attack should be defined as "any action taken to undermine the
functions of a computer network for a political or national security purpose"); Matthew C. Waxman,
Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 YALE J. INT'L L. 421, 431-37
(2011).
law, nor does it render existing international norms obsolete."325 But the
Strategy nonetheless recognizes that "unique attributes of networked technology
require additional work to clarify how these norms apply and what additional
understandings might be necessary to supplement them."326
More specifically, in September 2012, State Department Legal Adviser Harold
Hongju Koh laid out the U.S. position that certain basic international law
rules apply to cyberspace.327 Koh explained that "the law of armed conflict ...
contemplates that its existing rules will apply to [technological] innovation,"328
but acknowledged that the challenge is to "articulate and build consensus
around how it applies and reassess from there whether and what additional
understandings are needed."329 Koh took the first steps to build such consensus
by setting out the U.S. position on basic issues, like what constitutes an armed
attack in cyberspace. He explained, "[C]yber activities that proximately result
in death, injury, or significant destruction would likely be viewed as a use of
force."330 In other words, "if the physical consequences of a cyber attack work
the kind of physical damage that dropping a bomb or firing a missile would, that
cyber attack should equally be considered a use of force."331 Koh also clarified
that an actual or threatened cyber attack can trigger "[a] state's national right of
self-defense, recognized in Article 51 of the UN Charter."332 Turning to jus in
bello rules, he further explained that the response to a cyber armed attack need
not "take the form of a cyber action, as long as the response meets the requirements
of necessity and proportionality."333 Moreover, Koh declared that
the principle of distinction between military and civilian objects also constrains
military cyber actions,334 and states are responsible, as they are in non-cyber
domains, for "'proxy actors,' who act on the state's instructions or under its
direction or control."335
China also has recently taken preliminary steps to articulate its views about
international law and cyberspace, after refusing for some time to agree that any
international law applies to the domain.336 In June 2013, China joined consensus
at the United Nations on the principle that "[i]nternational law, and in
particular the Charter of the United Nations" applies in cyberspace.337 Even in
the wake of this development, however, it remains unclear whether China will
agree that more specific legal provisions, such as the law of armed conflict,
apply to cyberspace.
State declarations about the applicability of the law of armed conflict may be
influenced by recent nongovernmental efforts to address these issues under the
auspices of the NATO Cooperative Cyber Defense Center of Excellence in
Tallinn, Estonia. A group of international legal experts convened to consider the
applicability of the laws of armed conflict to cyberspace and drafted the Tallinn
Manual on the International Law Applicable to Cyber Warfare, which contains
rules, adopted by consensus of the experts, that reflect customary international
law.338 The Tallinn Manual's proposed rules are largely consistent with U.S.
policy, as articulated in Koh's speech.339 In particular, the Tallinn Manual concludes
that existing jus ad bellum and jus in bello rules apply in cyberspace,340
looks to the physical effects of a cyber action to determine if it constitutes a
use of force,341 recognizes that a cyber attack can trigger the right of self-
supra note 310 ("[W]e can respond to cyber attacks in any domain. . . ."); Rogers, supra note 310
("The law of war principles of military necessity, proportionality and distinction will apply when
conducting cyber operations.").
334. Koh, supra note 220, at 5; see also Rogers, supra note 310.
335. Koh, supra note 220, at 6 (emphasis omitted).
336. See PRC MILITARY AND SECURITY DEVELOPMENTS, supra note 61, at 37 ("Although China has not
yet agreed with the U.S. position that existing mechanisms, such as international humanitarian law,
apply in cyberspace, Beijing's thinking continues to evolve.").
337. U.N. GGE 2013 Report, supra note 252, ¶ 19; see also Psaki, supra note 252.
338. TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE 6 (Michael N.
Schmitt ed., 2013) [hereinafter TALLINN MANUAL], available at http://www.ccdcoe.org/tallinn-manual.html.
339. Schmitt, supra note 195, at 15 ("The relative congruency between the U.S. Government's
views, as reflected in the Koh speech, and those of the International Group of Experts is striking. This
confluence of a state's expression of opinio juris with a work constituting 'the teachings of the most
highly qualified publicists of the various nations' significantly enhances the persuasiveness of common
conclusions.").
340. TALLINN MANUAL, supra note 338, at 5; id. at 75 (Rule 20) ("Cyber operations executed in the
context of an armed conflict are subject to the law of armed conflict." (emphasis omitted)); Schmitt,
supra note 195, at 17 ("[T]he Experts rejected any characterization of cyberspace as a distinct domain
subject to a discrete body of law.").
341. TALLINN MANUAL, supra note 338, at 45 (Rule 11) ("A cyber operation constitutes a use of force
when its scale and effects are comparable to non-cyber operations rising to the level of a use of force."
(emphasis omitted)); see also id. at 54-55; Schmitt, supra note 195, at 19-20.
342. TALLINN MANUAL, supra note 338, at 54 (Rule 13); Schmitt, supra note 195, at 21.
343. TALLINN MANUAL, supra note 338, at 61 (Rule 14) ("A use of force involving cyber operations
undertaken by a State in the exercise of its right of self-defence must be necessary and proportionate."
(emphasis omitted)); id. at 110 (Rule 31) (distinction); id. at 159 (Rule 51) (proportionality); see
Schmitt, supra note 195, at 21, 25-28.
344. Persuading other states to utilize the Tallinn Manual's analysis may be more difficult. China,
for example, has criticized the Tallinn Manual on several grounds. Adam Segal, Axiom and the
Deepening Divide in U.S.-China Cyber Relations, COUNCIL ON FOREIGN REL. (Oct. 29, 2014),
http://blogs.cfr.org/cyber/2014/10/29/axiom-and-the-deepening-divide-in-u-s-china-cyber-relations/. For
additional discussion and critique of the Tallinn Manual, see Kristen E. Eichensehr, Book Review,
108 AM. J. INT'L L. 585 (2014) (reviewing THE TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE
TO CYBER WARFARE (Michael N. Schmitt ed., 2013)).
345. Deeks, supra note 263, at 6-8 (providing a detailed analysis of how the law of neutrality
applies to cyberspace); Hathaway et al., supra note 324, at 856 (describing the applicability of
neutrality law to cyberspace as "unusually complex"); Kanuck, supra note 105, at 1593 (discussing
how neutrality might apply to cyberspace and the complications caused by cyber's arguable status as a
"commons"); Koh, supra note 220, at 9 (listing "the implications of sovereignty and neutrality law" as
among the "difficult and important questions about the application of international law to activities in
cyberspace").
346. See, e.g., Kanuck, supra note 105, at 1595; Koh, supra note 220, at 8 (explaining that
belligerents must, as part of a proportionality review, consider effects on civilian computers that may be
"networked to computers that are valid military objectives"). But see TALLINN MANUAL, supra note 338,
at 134 (Rule 39) ("An object used for both civilian and military purposes-including computers,
computer networks, and cyber infrastructure-is a military objective." (emphasis omitted)).
347. Cf. Koh, supra note 220, at 11 ("[W]e will be safer, the more that we can rally other states to
the view that these established principles do impose meaningful constraints, and that there is already an
existing set of laws that protect our security in cyberspace.").
348. The Tallinn Manual states, "It is forbidden to employ cyber booby traps associated with certain
objects specified in the law of armed conflict." TALLINN MANUAL, supra note 338, at 146 (Rule 44)
(emphasis omitted). It defines a booby trap, in line with the definition in the Amended Mines Protocol
to the Convention on Certain Conventional Weapons, as "any device or material which is designed,
constructed or adapted to kill or injure, and which functions unexpectedly when a person disturbs or
approaches an apparently harmless object or performs an apparently safe act." Id. at 146-47. Although
this rule has some similarities with a weapons ban, it differs from such bans, see infra notes 350-59,
because it prohibits a particular use of a weapon, not a weapon itself. For example, a conventional
prohibition on booby traps forbids attaching explosives to medical equipment or children's toys, but it
does not prohibit explosives in general. See Protocol on Prohibitions or Restrictions on the Use of
Mines, Booby-Traps and Other Devices as Amended on 3 May 1996 (Protocol II as Amended on 3 May
1996) Annexed to the Convention on Prohibitions or Restrictions on the Use of Certain Conventional
Weapons Which May be Deemed to be Excessively Injurious or to Have Indiscriminate Effects art.
7(1), adopted May 3, 1996, S. TREATY Doc. No. 105-1, 2048 U.N.T.S. 93 (entered into force Dec. 3,
1998).
349. See Detlev F. Vagts, The Hague Conventions and Arms Control, 94 AM. J. INT'L L. 31, 31
(2000) (distinguishing between "quantitative" arms control, which "permit[s] a given category of
weapons" but limits the number states may have, and "qualitative" arms control, which involves
"prohibitions on the use of specified items"); see also R. R. Baxter, Conventional Weapons Under Legal
Prohibitions, 1 INT'L SECURITY 42, 47-48 (1977) (describing three criteria for deeming particular
weapons to be illegal: (1) "whether the weapon causes unnecessary suffering or superfluous injury";
(2) "whether the weapon has indiscriminate effects"; and (3) "whether the weapon kills through
treachery").
350. See Declaration of St. Petersburg, 1868, 1 AM. J. INT'L L. SUPPLEMENT: OFFICIAL DOCUMENTS 95,
95-96 (1907). For an overview of the adoption of weapons prohibitions through 2000, see Vagts, supra
note 349, at 31-40; see also Baxter, supra note 349, at 42-44.
351. Convention with Respect to the Laws and Customs of War on Land, with Annex of Regulations,
art. 23, July 29, 1899, 32 Stat. 1803.
352. Declaration on the Use of Bullets Which Expand or Flatten Easily in the Human Body; July 29,
1899, YALE L. SCH. AVALON PROJECT, http://avalon.law.yale.edu/19th-century/dec99-03.asp (last visited
Nov. 30, 2014); see also Vagts, supra note 349, at 34-35 (explaining origin of the term "dum-dum"
bullets).
353. Declaration on the Use of Projectiles the Object of Which is the Diffusion of Asphyxiating or
Deleterious Gases; July 29, 1899, YALE L. SCH. AVALON PROJECT, http://avalon.law.yale.edu/19th-century/dec99-02.asp
(last visited Nov. 30, 2014). Interestingly, the United States voted against the prohibitions
on both dum-dum bullets and asphyxiating gases. See JOHN FABIAN WITT, LINCOLN'S CODE: THE LAWS OF
WAR IN AMERICAN HISTORY 350-52 (2012).
354. Protocol for the Prohibition of the Use in War of Asphyxiating, Poisonous or Other Gases, and
of Bacteriological Methods of Warfare, June 17, 1925, 26 U.S.T. 571, 94 L.N.T.S. 65.
355. Id.
356. Convention on the Prohibition of the Development, Production, Stockpiling and Use of
Chemical Weapons and on Their Destruction, opened for signature Jan. 13, 1993, S. TREATY Doc. No.
103-21, 1974 U.N.T.S. 45.
357. Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological
(Biological) and Toxin Weapons and on Their Destruction, opened for signature Apr. 10, 1972, 26
U.S.T. 583, 1015 U.N.T.S. 163.
358. Convention on the Prohibition of the Use, Stockpiling, Production and Transfer of Anti-Personnel
Mines and on Their Destruction, opened for signature Sept. 18, 1997, 2056 U.N.T.S. 211.
359. Convention on Cluster Munitions, opened for signature Dec. 3, 2008, 48 I.L.M. 357, available
at http://treaties.un.org/doc/Publication/CTC/26-6.pdf.
360. Cf. Vagts, supra note 349, at 32 (explaining, with regard to the Hague Conferences, that
military officials were willing to prohibit "weapons that threatened to get out of control").
361. Cf. Bond v. United States, 134 S. Ct. 2077, 2083 (2014) (explaining that the "devastation"
caused by use of mustard gas in World War I "led to an overwhelming consensus in the international
community that toxic chemicals should never again be used as weapons against human beings," a
prohibition now codified in the Convention on Chemical Weapons); WITT, supra note 353, at 3 ("Laws
of war typically come in the dismayed aftershock of conflict, not in the impassioned heat of battle....
Humanitarians usually fight the last war when they make rules for the next one.").
362. See Sanger, supra note 60 (reporting that the Obama Administration "was resistant to developing
a 'grand theory for a weapon whose possibilities they were still discovering'").
363. Nye, supra note 17, at 26.
364. See Goldsmith, supra note 205, at 6 (arguing that a "weapons ban is . . . hard to articulate" in
part due to secrecy surrounding states' capabilities).
CONCLUSION
The last two years have marked a crucial turning point for sovereigns and
cyberspace. The accusations and mutual recriminations between the United
States and China about cyber intrusions have increased; the fundamental divergence
of views about Internet governance has sharpened, as evidenced by the
collapse of the WCIT conference; and states and scholars have clarified their
legal positions about whether and how international law applies to cyberspace.
These developments show both the need for and the difficulty of achieving
agreement on the fundamental governance questions this Article has addressed.
As the histories of the high seas, outer space, and Antarctica show, however,
states can develop governance mechanisms for domains that, by necessity or
agreement, are not partitioned and governed by traditional territorial sovereignty.
For this reason, study of the legal regimes established for the past
domains provides encouraging signs that chaos and conflict are not inevitable
and that stable legal regimes can be developed over time.
Examination of the legal regimes for the old domains provides further
guidance because, this Article has argued, understanding how cyber differs from
the old domains suggests how, not just that, states can address the cyber issues
that require international coordination. First, in contrast to states' dominance of
the old domains, the historical and ongoing role of private parties in the
governance, use, and ownership of the Internet and its underlying architecture
suggests that the multistakeholder model is preferable to a purely multilateral
model. Second, in the absence of existing customary law (as with UNCLOS) or
a limited group of motivated states (as with Antarctica and outer space), an
omnibus cyber treaty will be more difficult to achieve in general, and impossible
in light of the current gulf between the sovereignty-focused conception of
cyber espoused by Russia and China, and the multistakeholder view espoused
by the United States and its allies. In this situation, norm development provides
a workable path forward and the promise of fostering some of the stability that a
treaty would create by allowing states to coordinate their behavior to avoid
conflict. And finally, because the risks of treating cyber as a legal black hole
have become clear, and existing military capacity suggests demilitarization is
unlikely, states must regulate militarization by translating existing laws of
armed conflict to cyber and considering additional cyber-specific rules.
Answering the fundamental questions this Article has addressed is the first
step in a long process of establishing the cyber-law of nations. It took time for
states to figure out how to deal with the challenges of the Internet within their
borders and as related to their citizens. The intersovereign issues posed by cyber
are more complicated and will probably take even longer to solve. But the
process is crucial.
Citation:
Kenneth D. Katkin, Cyber Law: Problems of Internet
Governance, 28 N. Ky. L. Rev. 656 (2001)
Assistant Professor of Law, Salmon P. Chase College of Law, Northern Kentucky University;
J.D., 1996, Northwestern University School of Law; A.B., 1987, Princeton University.
2 See Frank H. Easterbrook, Cyberspace and the Law of the Horse, 1996 U. CHI. LEGAL F. 207
(1996).
3 Id. at 208 (borrowing a phrase originating with Karl Llewellyn and used in a speech by University
of Chicago Dean Gerhard Casper concerning teaching methods).
4 Id. at 207.
5 Id.
2001] SYMPOSIUM INTRODUCTION 657
statutes that prohibit grand larceny more generally.6 Thus, an attorney seeking to
prosecute or defend an alleged horse rustler would be better advised to study
general criminal law than to focus on equestrian law.
But the opposite can also be true. I am unaware, for example, of any
principle of tort law or commercial law that would resolve the question whether a
person who receives injuries while nursing an injured thoroughbred race horse is
entitled to receive workers' compensation benefits. The answer to this question
- that no such benefits obtain - may be derived only from specific doctrines
pertaining to the "law of the horse."7 Similarly, general principles of taxation
may not be sufficient to prescribe whether sales tax must be paid when a
thoroughbred race horse is sold. In Kentucky, no such tax need generally be paid
on livestock sales.8 But under "the law of the horse," thoroughbreds are not
livestock, "since we Kentuckians do not customarily consume horseflesh at the
dinner table."9 Thus, under unique "law of the horse" principles, the livestock
exemption does not apply, and sales tax must be paid after all.10
The "law of the horse" also extends to the regulatory arena. In Kentucky,
horses are subject to pervasive regulation by the Kentucky Racing Commission's
Division of Racing and Security. The Racing Commission is a streamlined
division of the Kentucky Public Protection and Regulation Cabinet. It is charged
with enforcement of Ch. 230 of the Kentucky Revised Statutes (which govern
horse racing). Since last year, the Racing and Security division has done the
work that was formerly done by the three separate Divisions of Thoroughbred
Racing, Standardbred and Quarter Horse Racing, and Security.11
So the law of the horse may in fact be more complex and comprehensive
than Judge Easterbrook first thought. Indeed, studying the "law of the horse"
directly - and not just in the context of broader legal norms of general
applicability - may actually be necessary if one really wants to understand the
law about horses. But can the same be said about the law of the Internet?
On February 3, 2001, the Northern Kentucky Law Review held a symposium
which demonstrated that the answer is yes.12 On that day, recognized experts in
the evolving field of Cyberlaw discussed solutions to new legal problems that
have arisen - or will arise - solely out of the operation of the Internet. Some
6 KY. REV. STAT. ANN. § 514.030. See, e.g., Smith v. Commonwealth, 112 S.W. 615 (Ky. Ct. App.
1908).
7 Cf. Michael v. Cobos, 744 S.W.2d 419 (Ky. 1987) (denying compensation claim, on ground that
conditioning and exercising of race horses which had returned to farm for rehabilitation from injury
constituted "agricultural" activity, exempt from workers' compensation).
8 Shadowlawn Farm v. Revenue Cabinet, Com. of Ky., 779 S.W.2d 232, 233 (Ky. Ct. App. 1989).
9 Id. (citing Stoner Creek Stud, Inc. v. Revenue Cabinet, 746 S.W.2d 73 (Ky. Ct. App. 1987)).
10 Id.
11 See Ky. Exec. Order Note: 2000 c 84, § 1 (eff. July 14, 2000) (confirming Ky. Exec. Order No.
98-1566 (Nov. 25, 1998)); see also Tri-City Turf Club, Inc. v. Public Protection and Regulation
Cabinet, 806 S.W.2d 394, 394-95 (Ky. Ct. App. 1991) (discussing former regulatory regime).
12 For a greater elaboration on this theme, see generally Lawrence Lessig, The Law of the Horse:
What Cyberlaw Might Teach, 113 HARV. L. REV. 501 (1999) (surveying ways that Internet
architecture regulates human behavior, and suggesting that studying such "regulation-by-code" can
yield fresh insights about regulation by instruments of law).
NORTHERN KENTUCKY LAW REVIEW [Vol. 28:4
of these problems have no analogue in the physical world. Others shed new light
on old problems, in much the same way that studying a foreign language often
yields fresh insights into the structure and descriptive limitations of one's own
native tongue. This issue of the Northern Kentucky Law Review gathers the
insights of each of these speakers, as well as one student author, in full length
analysis of the issues.
Professor Phil Weiser's article discusses the evolving mechanisms of Internet
governance.13 In response to the oft-recited canard that the government should
not regulate the Internet, Prof. Weiser observes that the Internet is, and always
has been, pervasively regulated and government-financed. Thus, the question is
not whether to regulate, but how government can best foster the growth and
beneficial usage of the Internet as a tool for human and commercial interaction.
In response to this question, Prof. Weiser suggests that the very novelty of the
Internet offers a unique opportunity for experimentation with new regulatory
models, including hybrid models that combine private standard setting and
industry self-regulatory organizations with conventional statutory governance
enforced by courts or administrative agencies.
Picking up on Prof. Weiser's suggestion, Rosemary Harold, Esq., addresses
one especially significant challenge to the federal government's historical model
of telecommunications regulation: technological convergence. For historical
reasons, Congress and the FCC have always regulated conventional telephony as
a "common carrier" service, while subjecting cable television to an entirely
different set of regulations as a quasi-broadcast service. Today, however, these
historical regulatory distinctions are being eradicated by technological
convergence, as telephone lines and cable television lines are competing against
each other to deliver the same broadband Internet services to residential and
small business users. This competition has led to increasing calls for regulatory
parity across technologies. In this context, Ms. Harold illuminates the highly
politicized debate over whether competitive non-facilities-based Internet service
providers should be entitled to obtain "open access" to proprietary cable
facilities, in symmetry with their existing rights to obtain such "open access" to
proprietary telephone common carrier facilities.14
The commentary of Dennis R. Williams discusses the open access/forced
access debate in light of a recent case, Comcast Cablevision Inc., v. Broward
County, Florida,15 and gives consideration to the First Amendment issues
presented.
Professor Ethan Katsch writes about new, and highly efficient, approaches to
dispute resolution that the Internet has already generated. As e-commerce
becomes increasingly popular, commercial e-disputes will likely proliferate as
well. But e-disputes may be easier to resolve than flesh-and-blood disputes,
through inexpensive online dispute resolution. Indeed, online dispute resolution
may be desirable even for resolving controversies originating in the "physical"
13 See Phil Weiser, Internet Governance, Standard Setting, and Self-Regulation, 28 N. KY. L. REV.
822 (2001).
14 See Rosemary Harold, Cable-Based Internet Access. Exorcising the Ghosts of "Legacy"
16 See Ethan Katsch, Online Dispute Resolution: Lessons from the E-Commerce Revolution, 28 N.
KY. L. REV. 810 (2001).
17 See Mathias Strasser, Beyond Napster: How the Law Might Respond to a Changing Internet
Architecture 28 N. KY. L. REV. 660 (2001).
Citation:
Mary Ellen O'Connell, Cyber Security without Cyber War,
17 J. Conflict & Sec. L. 187 (2012)
Abstract
Which government agency should have primary responsibility for the Internet?
The USA seems to have decided this question in favour of the military - the US
military today has the largest concentration of expertise and legal authority with
respect to cyberspace. Those in the legal community who support this development
are divided as to the appropriate legal rules to guide the military in its
oversight of the Internet. Specialists on the international law on the use of
force argue that with analogy and interpretation, current international law can
be applied in a way that allows great freedom without sending the message that
the USA is acting lawlessly when it comes to the Internet. Others reject this
argument as unnecessary and potentially too restrictive. The USA need not observe
international law rules, especially not with respect to the Internet. The way
forward is to follow the Cold War strategy of threatening enemies with overwhelming
force and preparing to act on these threats. This article also questions
the application of international law on the use of force to the Internet. Rather
than rejecting international law in general, however, the thesis here is that international
law rules governing economic activity and communications are the relevant
ones for activity on the Internet. Moving away from military analogy in
general and Cold War deterrence in particular, will result in the identification
and application of rules with a far better chance of keeping the Internet open
and safer for all.
1. Introduction
'Cyber' is one of the most frequently used terms in international security discussions
today. It is certainly a word of increasing importance in the international
lawyer's lexicon. It is not a new term in international law. International
lawyers have been discussing computers and the law governing their use for
several decades.1 For specialists in the area of international law on the use of
Robert and Marion Short Chair in Law and Research Professor of International
Dispute Resolution-Kroc Institute, University of Notre Dame, Notre Dame, IN,
USA. Email: MaryEllenOConnell@nd.edu. With thanks for research assistance to
Cate Behles, Max Gaston, and Conor McGuinness.
Scholarly articles on the international law of cyberspace began to appear in the
mid-1990s. These would, of course, have reflected developments and discussions of
the previous years. See, eg, A Mefford, 'Lex Informatica: Foundations of Law on the
Internet' (1997/1998) 5 Ind J Global Legal Studies 211 and DR Johnson and D Post,
'Law and Borders-The Rise of Law in Cyberspace' (1996) 48 Stanford L Rev 1367.
Journal of Conflict & Security Law (2012), Vol. 17 No. 2, 187-209
188 Mary Ellen O'Connell
force, however, certain developments since at least 2007 have pushed the term
and what it stands for to a top position on their agendas.2 Within the broader
discussion, the key issue is how to achieve security on the Internet.
Governments, organizations, and commercial interests want people to have
access to the Internet and all that it offers but not to be harmed by it.
Achieving security is, in turn, leading to the question of how to characterize
the Internet under international law. It could be characterized primarily as a
sphere of economic and communication activity where civil law enforcement
officials have primary jurisdiction. The Internet could, alternatively, be characterized
as primarily under the jurisdiction of military defence authorities.
In 2007, Estonia experienced extensive computer hacking attacks that lasted
several weeks.3 Since then, support has been growing to give priority to military
solutions to cyber security concerns. Soon after the attacks on Estonia, NATO4
began developing policies and capacity aimed at cyber security.5 In 2008, during
the brief Georgia-Russia War over South Ossetia, Georgia experienced
cyber-attacks similar to those suffered by Estonia in the previous year.6 In
2009, the USA began releasing a number of policies on cyber security that
were predominantly military in orientation.7 More tangibly, the USA
announced in 2009 that it would establish Cyber Command as a subunit of
Strategic Command, one of its nine combat commands, within the
Department of Defense.8 Also, in 2009, computer malware, known as the
Stuxnet worm, was released apparently by one or more governments, most
likely the USA and Israel, to slow the progress of Iran's nuclear program, a
problem otherwise being addressed by the Security Council and through negotiations.9
In 2010, commentators began to reference the Cold War security
policy of threatening massive retaliation to achieve deterrence as a policy to
2 See, eg, R Brust, 'Cyberattacks: Computer Warfare Looms as the Next Big Conflict in
International Law' (1 May 2012) <http://www.abajournal.com/mobile/article/cyberat
tackscomputer -warfare-looms as-next-big-conflict> (accessed 20 June 2012). See
further R Buchan, 'Cyber Attacks: Unlawful Uses of Force or Prohibited
Interventions?' and N Tsagourias, 'Cyber Attacks, Self-Defence and the Problem of
Attribution' in this volume.
3 See s 2.A below and accompanying notes.
4 The North Atlantic Treaty Organization was founded in 1949 for the collective
self-defence of Western European states, the USA and Canada. See <www.nato.int>
(accessed 20 June 2012).
5 According to the NATO website: 'Cyber attacks continue to pose a real threat to
NATO and cyber defence will continue to be a core capability of the Alliance.'
<http://www.nato.int/cps/en/natolive/75747.htm> (accessed 20 June 2012).
6 See s 2.B below and accompanying notes.
7 See, eg, M Clayton, 'The New Cyber Arms Race' Christian Science Monitor (7 March
2011), <http://www.csmonitor.com/USA/Military/2011/0307/The-new-cyber-arms-race>
(accessed 20 June 2012). See also ns 51-53 and accompanying text.
8 See n 51 and accompanying text.
9 See s 2.C and accompanying notes.
Cyber Security without Cyber War 189
apply by analogy to Internet security.10 In 2011, the USA Congress began debating
new legislation that would give even more authority to the Department of
Defense for cyber security, at the expense of the Department of Homeland
Security (DHS).11
Within the debate over security in cyberspace, it should be recognized as a
preliminary matter that cyber space is international space. Activity in cyberspace
and domestic legislation with respect to it must comply with the relevant
international law. Some looking to the military to defend cyberspace are seeking
to exclude considerations of international law either because they are international
law sceptics in general or they believe international law cannot be applied
to the Internet as a practical matter. Stewart Baker, a Washington DC lawyer
who was an Assistant Secretary for Policy and Technology in the DHS in the
Bush administration, dismisses international law in general and its role in cyber
security in particular. In an online debate sponsored by the American Bar
Association in 2012, he indicated scant regard for the use of international law
'norms' respecting cyberspace and went on to argue: 'Lawyers across the [US]
government have raised so many show-stopping legal questions about cyberwar
that they've left our military unable to fight, or even plan for, a war in cyberspace'.12
In 2011, Baker voiced a similar position in the respected international
affairs journal, Foreign Policy.13
Other scholars who apparently understand that international law is generally
the relevant law for cyber security questions may still argue that it is difficult to
fit cyber problems into the rules on international law with respect to the use of
force.14 Instead of concluding, therefore, that it is necessary to look at other
10 See, eg, M McConnell, 'To Win the Cyber-War, Look to the Cold War' Washington
Post (Washington, 28 February 2010) at B1. (The op-ed's online version has a different
title: 'How to Win the Cyber War We Are Losing' <http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502 4 >
(accessed 20 June 2012).) For a
law journal article advocating a return to Cold War thinking about cyber security and
international law, see M Waxman, 'Cyber-Attacks and the Use of Force: Back to the
Future of Article 2(4)' (2011) 36 Yale J Intl L 421, eg at 425-26.
11 See ns 55-59 and accompanying text.
12 SA Baker and CJ Dunlap Jr, 'What is the Role of Lawyers in Cyberwarfare?' (1 May
2012) <http://www.abajournal.com/magazine/article/what is the-role-of-lawyers-in-
cyberwarfare> (accessed 20 June 2012).
13 Writing in a recent online edition of the mainstream international affairs journal,
Foreign Policy, Baker wrote that 'State Department and National Security Council
lawyers are implementing an international cyber war strategy that relies on international
law "norms" to restrict cyberwar.' S Baker, 'Denial of Service, Against
Cyberwar with Arcane Rules and Regulations' Foreign Policy (30 September 2011)
<http://www.foreignpolicy.com/articles/2011/09/30/denial of-service?hidecomments=
yes> (accessed 20 June 2012).
14 See, eg, Waxman, who takes issue with both Schmitt's attempt to devise criteria that
could equate cyber attacks with the armed attack necessary to trigger UN Charter art
51 and Dinstein who is confident that the Internet can be regulated under existing
weapons conventions and other rules. Waxman (n 10) fns 156-61 and accompanying
text (Schmitt) and fn 64 and accompanying text (Dinstein), citing MN Schmitt,
'Computer Network Attack and the Use of Force in International Law: Thoughts
cyber security. Even if some cyber incidents could fit a solid definition of what
constitutes an armed attack, responding to such an attack will rarely be lawful or
prudent if the response is a use of force. The emphasis, therefore, in terms of
legal norms and commitment of resources should be in the non-military sphere.
In the USA and other States where the thinking is in conventional military
terms respecting responses to cyber problems, the advocates of such thinking
appear to be trapped by an ideology of militarism. The vast majority of cyber
security incidents are carried out not by government-sponsored hackers causing
deaths and brick and mortar destruction. The major challenge to Internet
security is by private criminals interested in private gain. International law
supports cyber security that is achieved through law enforcement cooperation,
supported by shared legal norms governing the use of the Internet. Resources
devoted to developing a comprehensive treaty on cyber security that
de-militarizes cyberspace and emphasizes law enforcement cooperation, improved
international governance, especially through the International
Telecommunications Union, as well as good computer and network defences
will go much farther than military force towards keeping the Internet open and
available for peaceful communication and commerce.
Security concerns are as old as the Internet itself. Jeffrey Carr describes an
organized attack by some 3000 Chinese hackers in 1998 on Indonesian government
sites to protest anti-Chinese riots in the country.19 Since then tens of
thousands of attempts to hack into major computer networks belonging to
defence ministries, banks, the media and the like are occurring daily. Most of
these cyber intrusions have espionage or theft as the purpose and are typically
categorized as 'computer network exploitation' or 'CNE'.20 A smaller number
have involved 'computer network attacks' or 'CNA'. The 2007 attacks on
Estonia, NATO's response, and the attacks during the 2008 Russia-Georgia
conflict are described below because they are regularly cited in military security
discussions. These cases have undoubtedly influenced the turn to thinking about
military solutions for cyberspace problems. A third CNA event, the use of the
Stuxnet worm against Iran involved a destructive use of the Internet to address
what had been approached as a diplomatic problem. The use of this malware
19 J Carr, Inside Cyberwarfare (O'Reilly 2010) 2.
20 For a helpful, general discussion of the current issues respecting cyber security, see
Brookings Institution, 'The Cybersecurity Agenda: Policy Options and the Path
Forward' (26 October 2011) <http://www.brookings.edu/topics/cybersecurity.aspx>
(accessed 20 June 2012); Brookings Institution, 'Deterrence in Cyberspace:
Debating the Right Strategy with Ralph Langner and Dmitri Alperovitch' (20
September 2011) <http://www.brookings.edu/topics/cybersecurity.aspx> (accessed 20
June 2012); SM Hersh, 'The Online Threat, Should We Be Worried About a Cyber
War?' New Yorker (1 November 2010) 44.
A. Estonia and NATO
In response to the moving of a Soviet war memorial from the city of Tallinn in
Estonia to its suburbs, hackers began attacking Estonian government websites
through distributed denial of service (DDOS) attacks in April of 2007.21 Seen as
an affront to the memory of Soviet soldiers who died during the Second World
War, the removal of the statue set off a series of riots within Estonia, while
hackers attacked the government's websites by defacing them and redirecting
users to images of Soviet soldiers.22 These attacks lasted about a month. Attacks
lasting several days were directed at Estonia's biggest bank as well as at several
newspapers and reached the point of coming 'close to shutting down the country's
digital infrastructure'.23 Estonia's defence minister said the hacking had
caused a national security situation and compared the attacks with the closing of
all the country's ports.24 Other officials have called the episode 'cyberwar'.25
Estonia has claimed that the Russian government instigated the attacks, while
Russia has denied any involvement.26 To support its charges, Estonia enlisted
the aid of NATO, the EU, the USA and Israeli Internet experts to trace the
attacks to their origin and to gather other information. However, despite the fact
that a number of the computers initiating the attacks had Russian IP addresses,
the hackers had hijacked computers around the globe to send the attacks. It
remains uncertain from where exactly the attacks originated.27 The Estonian
experience raised serious questions about how governments can defend against
cyber-attacks since governments do not control the Internet. Some argued that
Estonia was attacked in a way that triggered the North Atlantic Treaty's Article
5. Article 5 commits NATO to respond to attacks on any member of the
Alliance as permitted under the United Nations Charter provision in Article
51 for collective self-defence 'if an armed attack occurs'.28
21 'The Cyber Raiders Hitting Estonia' BBC News (17 May 2007) <http://news.bbc.co
.uk/2/hi/europe/6665195.stm> (accessed 20 June 2012).
22 'Estonia Fines Man for Cyber War' BBC News (25 January 2008) <http://news.bbc.co
.uk/2/hi/technology/7208511.stm> (accessed 20 June 2012).
23 M Landler and J Markoff, 'Digital Fears Emerge After Data Siege in Estonia' New
York Times (New York, 29 May 2007) <http://www.nytimes.com/2007/05/29/technology/29estonia.html?ref=estonia>
(accessed 20 June 2012).
24 ibid.
25 ibid.
26 ibid.
27 J Davis, 'Hackers Take Down the Most Wired Country in Europe' Wired Magazine
(21 August 2007) <http://www.wired.com/politics/security/magazine/15-09/ffestonia?currentPage=all>
(accessed 20 June 2012).
28 ibid.
NATO did not respond to the Estonia attacks with a counter-attack, but did
establish an Internet defence facility in Estonia, called the Cooperative Cyber
Defence Centre of Excellence (CCDCOE).29 Estonia itself has created a
volunteer unit of cyber-experts akin to the US National Guard and has
become a leader in determining ways to defeat online attacks.
B. Georgia-Russia
The first known use of the Internet during a conventional armed conflict to
interfere with civilian use of the Internet occurred in the 2008 conflict over
the Georgian province of South Ossetia.30 Georgia triggered the conflict by
attacking Russian soldiers who were part of a peacekeeping contingent in
South Ossetia under the terms of a Georgia-Russia treaty of 1991. In the
night of 7-8 August, Georgia attacked, killing about a dozen Russian soldiers
and wounding many others. Russia counter-attacked pushing to within 35 miles
of the Georgian capital, Tbilisi. Georgia claimed that Russia initiated DDoS
attacks against a number of Georgian websites, including government sites,
media sites and commercial sites.31 The computer attacks lasted nearly a
month. The physical fighting had lasted about a week.
Under international law, Russian forces in South Ossetia would certainly
have had the right to defend themselves personally from direct attack by
Georgian forces. It is more questionable whether they had the right to
defend their positions in South Ossetia since Georgia's attack clearly spelled
the end of its consent to the 1991 treaty. On the other hand, Russian forces
would arguably have a right to remain in the enclave until the treaty was
terminated lawfully. The Russian move beyond South Ossetia into Georgia
was excessive in relation to either the clearly lawful goal of immediate defence
of self or even the more questionable goal of maintaining control of the enclave.
Attacks on Georgian computer networks directly connected with its
attacks on Russian troops would be typical of the type of objects that may
be targeted during armed conflict hostilities under the law of armed conflict.
29 J Benitz, 'Baltic States Urge NATO to Bolster Cyber-Defense' NATO Alliance (27
May 2011) <http://www.acus.org/natosource/baltic-states-urge-nato-bolster-cyber-
defense> (accessed 20 June 2012).
30 For details of the computer network attacks that occurred during the South Ossetia
conflict, see S Watts, 'Combatant Status and Computer Network Attack' (2010) 50
Virginia J Intl L 391, 397-98.
31 J Swaine, 'Georgia: Russia "conducting cyber war"' The Telegraph (London, 11
August 2008) <http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/
Georgia-Russia-conducting-cyber-war.html> (accessed 20 June 2012). See also E
Tikk and others, 'Cyber Attacks Against Georgia: Legal Lessons Identified'
(Cooperative Cyber Defence Centre of Excellence 2008) 1, 4-15 at
<http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf> (accessed 20 June 2012).
C. Stuxnet
Code analysis makes it clear that Stuxnet is not about sending a message
or providing a concept. It is about destroying its targets with utmost
determination in military style .... Stuxnet is the key for a very specific
lock. In fact, there is only one lock in the world that it will open.... The
whole attack is not at all about stealing data but about manipulation of a
specific industrial process at a specific moment in time. This is not generic.
It is about destroying that process.38
develop further [its] ability to prevent, detect, defend against and recover
from cyber-attacks, including by using the NATO planning process to
enhance and coordinate national cyber-defence capabilities, bringing
all NATO bodies under centralized cyber protection, and better integrating
NATO cyber awareness, warning and response with member
nations ....42
Just as our military is prepared to respond to hostile acts on land, air and
sea, we must be prepared to respond to hostile acts in cyberspace.
Accordingly, the United States reserves the right, under the laws of
armed conflict, to respond to serious cyber-attacks, with a proportional
and justified military response, at the time and place of its choosing.50
Cyber Command has been given a wide mandate. It not only has responsibility
for defending DOD information networks, it must 'prepare to, and when
directed, conduct full-spectrum military cyberspace operations in order to
enable actions in all domains, ensure US/Allied freedom of action in cyberspace
and deny the same to our adversaries'.51
Singer and Schachtman believe that the DOD's cyber strategy is based on
conceiving of cyber security in a way similar to the USA's Cold War strategy.
They relate that the classified version of the cyber strategy presents
46 ibid 8-9; see also 'NATO Launches Cyber Defence Centre in Estonia' (n 43).
47 'Working with the Private Sector to Deter Cyber Attacks' (n 41).
48 ibid.
49 'US Department of Defense, Cyber Command Fact Sheet (21 May 2010)
<http://www.stratcom.mil/factsheets/CyberCommand/> (accessed 20 June 2012).
50 W Lynn, Former Deputy Secretary of Defense, 'Announcement of the Department of
Defense Cyberspace Strategy at the National Defense University' (14 July 2011)
<http://www.pentagonchannel.mil/onestory-popup.aspx?pid=FttPuXny5i7D8plhC
rgnXrveieDVeMW> (accessed 20 June 2012).
51 ibid.
The United States is fighting a cyber-war today, and we are losing. It's
that simple.... What is the right strategy for this most modern of wars?
Look to history. During the Cold War, when the United States faced an
existential threat from the Soviet Union, we relied on deterrence to protect
ourselves from nuclear attack. Later, as the East-West stalemate
ended and nuclear weapons proliferated, some argued that preemption
made more sense in an age of global terrorism. The cyber-war mirrors the
52 Singer and Schachtman (n 16).
53 T Carney, 'The Rise of the Cybersecurity Industrial Complex' The Examiner (22 April
2011) <http://washingtonexaminer.com/politics/2011/04/rise-cybersecurity-industrial-complex/113362>
(accessed 20 June 2012).
54 Hunton & Williams LLP, 'Senators Introduce Cybersecurity Act of 2012' Association
of Corp Counsel (22 February 2012)
<http://www.lexology.com/library/detail.aspx?g=d9fce9l9-5bc4-486b-a92a-685884ec9ea4> (accessed 20 June 2012).
55 'McCain Promises GOP Alternative to "Super Regulator" Cybersecurity Bill' The
Daily Caller (20 February 2012)
<http://dailycaller.com/2012/02/20/mccain-promises-gop-alternative-to-super-regulator-cybersecurity-bill/> (accessed 20 June 2012).
56 ibid.
57 ibid.
As already indicated at the outset of this article, the emphasis on cyber space as
battle space is in tension with the international law governing the use of force.
Some prefer to dismiss international law from the discussion altogether. Others
do not exclude international law, but interpret it in a way that it is in effect
excluded. In May 2011, President Obama indicated that international law
would play a role in US cyber security planning, indicating, however, that it
would be international law as interpreted by those who advocate a broad -
nearly unfettered - right of the USA to resort to force. In International
Strategy for Cyberspace,60 the White House announced:
When warranted, the United States will respond to hostile acts in cyberspace
as we would to any other threat to our country. All states possess an
inherent right to self-defense, and we recognize that certain hostile acts
conducted through cyberspace could compel actions under the commitments
we have with our military treaty partners. We reserve the right to
use all necessary means - diplomatic, informational, military, and
economic - as appropriate and consistent with applicable international
law, in order to defend our Nation, our allies, our partners, and our
interests. In so doing, we will exhaust all options before military force
whenever we can; will carefully weigh the costs and risks of action against
the costs of inaction; and will act in a way that reflects our values and
strengthens our legitimacy, seeking broad international support whenever
possible.61
58 McConnell (n 10).
59 Singer and Schachtman (n 16).
60 'International Strategy for Cyberspace: Prosperity, Security, and Openness in a
Networked World' (May 2011)
<http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf> (accessed 20 June 2012).
(Emphasis added).
61 ibid.
62 See Baker (n 13); see also J Crawford, Manley O Hudson Award Lecture ASIL 2012
(on file with the author).
63 Numerous examples come readily to mind: the continuing operation of the prison at
Guantánamo Bay, Cuba; the continuing use of military commissions; the failure to
enforce the Geneva Convention prohibition on torture, the failure to enforce the
Convention Against Torture's obligations and the campaign of targeted killing far
from zones of armed conflict hostilities, to name a few. See ME O'Connell, 'Adhering
to Law and Values against Terrorism' (2012) Notre Dame J Intl & Comp Law
(forthcoming).
64 Schmitt (n 14).
65 M Roscini, 'World Wide Warfare-Jus Ad Bellum and the Use of Force' (2010) 14
Max Planck UN YBk 85. See also CJ Dunlap, Jr, 'Perspectives for Cyber Strategies on
Law for Cyberwar' (Spring 2011) Strategic Studies Q 81, 81.
66 See generally R Buchan, 'Cyber Attacks: Unlawful uses of Force or Prohibited
Interventions?' in this volume.
67 UN Charter Art 2(4): 'All Members shall refrain in their international relations from
the threat or use of force against the territorial integrity or political independence of
any State, or in any other manner inconsistent with the Purposes of the United
Nations'.
Article 39: 'the Security Council is given authority to 'determine the existence of any
threat to the peace, breach of the peace, or act of aggression' and the responsibility to
'maintain or restore international peace'. It may do so by authorizing the use of force
by member states'.
Article 51: 'Nothing in the present Charter shall impair the inherent right of individual
or collective self-defense if an armed attack occurs against a member of the United
Nations, until the Security Council has taken measures necessary to maintain inter-
national peace and security. Measures taken by members in the exercise of this right
of self-defense shall be immediately reported to the Security Council and shall not in
any way affect the authority and responsibility of the Security Council under the
present Charter to take at any time such action as it deems necessary in order to
maintain or restore international peace and security.'
68 D Bowett, Self-Defence in International Law (Manchester University Press 1958) 3,
184-85.
Cyber Security without Cyber War 201
armed attack occurs by saying, 'there is no explanation of this curious proviso "if
an armed attack occurs"'.69 He then develops an argument for self-defence without
an armed attack according to the 1841 correspondence over the sinking by
British forces of an American ship called the Caroline. The correspondence
confirmed that the customary international law of the time permitted the use of force
in self-defence if the necessity was 'instant', 'overwhelming' and leaving 'no
moment' for deliberation. Despite the clear deficiencies as a matter of legal
analysis with Bowett's argument, it is still cited with impressive fidelity by a
minority of scholars, mostly in the USA and UK.
Brownlie soon provided a point-by-point response to Bowett, inspiring the
strict interpreters of the Charter ever since. Brownlie warned against the
tendency by writers to claim justifications for the use of force found in the
customary law prior to the 1920s. He singles out for particular criticism attempts
to base rights of self-defence on the 1841 correspondence over the Caroline. He
took a strict position on interpreting Article 51, ruling out resort to force in
anticipatory self-defence or against actions not involving armed force. He points
to the conditions on the exercise of self-defence beyond the Charter, namely, the
principles of necessity and proportionality. He defended his strict stance saying,
'[T]he dominant policy of the law and of the United Nations is to maintain
international peace and to avoid creating possibilities of breaches of the
peace, in the form of vague and extensive justifications for resort to force or
otherwise.'70
The International Court of Justice in six cases relevant to the Charter rules on
the use of force has supported Brownlie's understanding respecting interpret-
ation. Not only must an armed attack or armed attack equivalent be in evidence
to use military force in self-defence, the attack must be significant; it must be
attributable to the state where the self-defence is being carried out; the use of
force must be a last resort and must be likely to succeed in achieving defence,
and must be proportional to the injury suffered.
Attempting to apply these conditions to cyber force actions is difficult, if not
impossible, even for the followers of Bowett. First, in the three cases described
earlier in the article, it is difficult to make the case that the computer network
provocations amounted to an armed attack equivalent. No lives were lost
directly. Damage to tangible objects occurred only in the case of the Stuxnet attack
on Iran. This sort of damage does not meet the condition that an armed attack
must be significant to trigger Article 51: 'The prohibition of armed attacks may
apply to the sending by a State of armed bands to the territory of another State,
if such an operation, because of its scale and effects would have been classified
as an armed attack rather than a mere frontier incident had it been carried out
by a regular armed forces.'71 The ICJ made similar assessments of 'scale and
69 ibid.
70 I Brownlie, International Law and the Use of Force by States (OUP 1963) 428-36.
71 Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v US)
[1986] ICJ Rep 14, 103-4 (the Nicaragua case).
effects' of violent action in the Oil Platforms case,72 the Wall advisory opinion73
and the DRC v Uganda case.74 The Stuxnet attack while unlawful was not the
equivalent of an Article 51 armed attack.
Second, attribution has not been affirmed at the international evidentiary
standard in any of the three cases. State practice indicates the case for
attribution would have to be made with clear and convincing evidence.75 In the case of
cyber-attacks generally, convincing evidence is hard to find:
while not triggering rights of a victim State under Article 51.78 In support, the
court has referenced the UN General Assembly's Declaration on Friendly
Relations,79 the OAS Convention on the Rights and Duties of States in the
Event of Civil Strife,80 and other authoritative sources81 for the existence and
content of the non-intervention principle.
International law raises substantial barriers to both using cyber weapons and
defending cyber space from cyber-attacks through the use of force. In general,
international law supports regulating cyber space as an economic and commu-
nications sphere and contains coercive means of responding lawfully to cyber
provocations of all types. The same sort of coercive measures that are lawful to
use against economic wrongs and violations of arms control treaties will gener-
ally be lawful to use in the case of a cyber-attack. In the economic sphere,
responses to violations tend to be known as 'countermeasures'; in the arms
control sphere, they are known as 'sanctions'.82 Both are the coercive
enforcement measures, not involving the use of significant military force, available to
States acting in response to an internationally wrongful act. In addition, various
arms control treaties, such as the Nuclear Non-Proliferation Treaty and the
Chemical Weapons Convention, provide for the Security Council to take
action in the case of a violation. Despite the availability of these alternatives
to the use of military force, it is important to reiterate that protecting cyber
space, keeping it viable for economic and communication uses, will generally
require defensive measures, not offensive ones. Good computer security cannot
be replaced by countermeasures, let alone military measures.
78 Nicaragua paras 187-201.
79 See Declaration on Principles of International Law Concerning Friendly Relations
and Cooperation Among States in Accordance with the Charter of the United
Nations, GA Res 2625 (XXV), UN Doc A/8028 (1970).
80 1928 OAS Convention on the Rights and Duties of States in the Event of Civil Strife
134 LNTS 45.
81 See Nicaragua para 203 (citing Declaration on the Inadmissibility of Intervention in
the Domestic Affairs of States and the Protection of their Independence and
Sovereignty, GA Res 2131 (XX), UN Doc A/RES/36/103 (9 December 1981)). The
Court also referred to the principle of State sovereignty under article 2(1) of the UN
Charter, noting its close connection to the principles of the prohibition on the use of
force and of non-intervention; Nicaragua para 212-14.
82 The definitions of the terms 'countermeasures' and 'sanctions' are not a settled matter
in international law. White and Abass, for example, define countermeasures as
non-forcible measures taken by States and sanctions as non-forcible measures taken
by organizations. This would be a helpful distinction but for the fact that the USA, for
example, labels its unilateral, non-forcible coercive measures 'sanctions'. See gener-
ally, N White and A Abass, 'Countermeasures and Sanctions' in M Evans (ed),
International Law (3rd edn, OUP 2010) 531.
4. Its purpose must be to induce the wrongdoing State to comply with its
obligations under international law, and the measure must therefore be
reversible.
If a State is the victim of a cyber-attack or cyber espionage, and it has clear
and convincing evidence that the wrong is attributable to a foreign sovereign
83 In the USA the leading scholar in the area of the Internet is Lawrence Lessig of
Harvard Law School. Lessig does comment on international and foreign law but his
background and training are plainly in the area of US domestic law. Even Jack
Goldsmith, also Harvard Law School, while being called the future of international
law at the school is plainly from the domestic law arena. This is revealed by his
comment that law governing military use of the Internet, is uncertain.
This fact about cyber scholars is changing, however, as intellectual property scholars,
such as Graham Dinwoodie, with strong backgrounds in international and domestic
law relevant to cyber space regulation.
84 A number of scholars have already been cited working in the area of international law
and the use of force, who have analysed military force in cyber space: see eg, Schmitt
(n 14); Dinstein (n 14); Graham (n 77); and Dunlap (n 12).
85 As White and Abass point out, it is also the case that international law scholars have
paid relatively little attention to countermeasures and sanctions and the rules
governing their use. White and Abass (n 83) 531. But see ME O'Connell, The Power and
Purpose of International Law, Insights from the Theory and Practice of Enforcement
(OUP 2008, paperback 2011) chs 4 and 5 and the citations therein.
86 O'Connell (n 86) 264.
State, the victim State may itself commit a wrong against the attacking state, so
long as the wrong is commensurate with the initial wrong (proportionality) and
so long as the response is aimed at inducing an end to the initial wrong (neces-
sity) or the provision of damages. In most cases of cyber wrongs, the evidence
that a foreign State is behind a particular act, will be found only after the act is
over or the damage is done. This fact indicates that most countermeasures aimed
at cyber wrongs will be a demand for money damages. The international cyber
community appears to be adept at estimating the amount of money to repair
damage caused by a wrongful cyber event. Thus, a victim State should be able to
meet the elements of lawful countermeasures in a way comparable with States
suffering trade injuries and having the right under WTO rules to apply counter-
measures against the wrongdoing state.
deputy secretary of the Russian Security Council, laid out what he described as
Russia's bedrock positions on disarmament in cyberspace. Russia's proposed
treaty would ban a country from secretly embedding malicious codes or circuitry
that could be later activated from afar in the event of war.
The USA, however, has resisted proposals for a treaty. This may relate to US
plans to use the Internet for offensive purposes as it is believed to have done
regarding the Stuxnet worm. US officials claim publicly that Cyber Command is
primarily defensive, but the reluctance to entertain the idea of a cyberspace
disarmament treaty is raising questions as to the true US position. '[T]he
Russian government [has] repeatedly introduced resolutions calling for
cyberspace disarmament treaties before the United Nations. The United States [has]
consistently opposed the idea.'91
Whatever the reasons for the US position, drafting a treaty on disarmament and
alternatives to military force for regulating cyberspace are essential for the
future. In addition to establishing clear rules for national rights and duties on
the Internet, a treaty can clarify what is permissible for individuals. A treaty can
specify the sort of conduct that all States need to regulate through national law
enforcement agencies and in cooperation with other national and international
agencies. A model for this part of a comprehensive treaty is already available in
the form of the Budapest Convention on Cybercrime.92 Most cyber security
breaches are caused by private criminals.
At the end of the day, countermeasures, sanctions and even law enforcement
cannot substitute for frontline computer and network security measures. An
essential step in maintaining a good cyber defence is applying best practices
and educating everyone legitimately using the Internet on good network
hygiene. In this respect, the analogy is better made to stopping pandemics
than to crime or war.
The Internet has made it easier for hackers to steal information remotely.
This is largely due to 'the proliferation of smartphones and the inclination of
employees to plug their personal devices into workplace networks and cart
proprietary information around'.93 As a result standards for cyber hygiene94
have elevated, especially for those who have access to vital information.
93 N Perlroth, 'Travelling Light in a Time of Digital Thievery' New York Times (New
York, 10 February 2012)
<http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?_r=2&pagewanted=l&ref=technology>
(accessed 20 June 2012).
94 ibid.
95 M Borrett, 'Cyber Strategies Revealed' IBM Institute for Advanced Security (11
December 2011)
<http://www.instituteforadvancedsecurity.com/expertblog/2011/12/11/cyber-strategies-revealed/>
(accessed 20 June 2012).
96 C Nott and others, 'Cyber Security: Protecting the Public Sector' IBM Institute for
Advanced Security (September 2011)
<http://www.instituteforadvancedsecurity.com/docs/CyberSecurity-protectingthePublicSector.pdf>
(accessed 20 June 2012) 1, 7.
97 L Daniel, 'Cyber Command Synchronizes Services' Efforts' US Department of
Defense (9 July 2010) <http://www.defense.gov/news/newsarticle.aspx?id=59965>
(accessed 20 June 2012) (emphasis added).
98 ibid.
99 ibid.
100 'Much of cyberspace is owned and used by private companies. [Thus i]t is businesses
that will drive the innovation required to keep pace with security challenges.' Borrett
(n 96).
manufacture most of the nation's arms. They produce most of the software and
hardware for the computers the government uses. Corporations, under contract
with the government, carry out many other security functions, including the
collection and processing of intelligence and the conduct of covert operations.101
However, much of the business community strongly resists implementing cyber
security per government mandate,102 let alone international organization
oversight.103 Governments and organizations will need to find incentives to get
private corporate cooperation and to lead in terms of promoting and supporting
international cooperation, especially through international organizations such as
the ITU.104 This might be done by shifting resources away from the military
sector to the Internet sector, both private commercial and international
organizational. Best practices and promotion of a culture of security can be carried out
most effectively for the Internet through a holistic approach that includes all
actors with an interest in maintaining access to a safe Internet. The International
101 A Etzioni, 'Private Sector Neglects Cyber Security' The National Interest (29
November 2011) <http://nationalinterest.org/commentary/private-sector-neglects-
cyber-security-6196> (accessed 20 June 2012).
102 ibid.
103 The attitude of many in the private commercial cyber sector is captured in this open-
5. Conclusion
To date, the problem of Internet security has been the domain of international
law scholars with expertise in use of force questions. They have sent the message
that the Internet may be protected through military force or the threat of mili-
tary force, analogizing to Cold War deterrence strategy. Governments have
followed this modelling, pouring resources into the military for keeping the
Internet safe and for taking advantage of what it offers to attack opponents.
Doing so has required strained analogies of cyber-attacks to conventional kin-
etic attacks. The Internet is now far less secure than before there was a Cyber
Command or a NATO CCDCOE. It is time, therefore, to turn to cyber dis-
armament and a focus on peaceful protection of the Internet. The motto should
be: a good cyber defence is good cyber defence.
Citation:
T. Noble Foster; Christopher R. Greene, Legal Issues of
Online Social Networks and the Workplace, 18 J. L. Bus.
& Ethics 131 (2012)
Abstract
Millions enjoy the benefits of using social media every day, but
Facebook, MySpace, LinkedIn, and Twitter, among others, have also been
involved in a significant number of legal issues, many of which have ended in
litigation.
As the current undisputed leader of the Online Social Network (OSN)
industry, Facebook has registered over 600 million users world-wide within a
few short years. Almost any enterprise with that kind of growth trajectory
would understandably attract the attention of government officials. The fact
that Facebook, Twitter, LinkedIn, and the other online social networks (also
referred to collectively as "social media") provide a nearly cost-free tool that
empowers ordinary citizens by giving them direct access to an extremely
powerful mass communications network is enough to make government
leaders curious, envious, and fearful.
In this paper, we summarize the different types of legal claims and
remedies associated with OSNs that are currently available under state and
federal statutes and the common law. One of the most frequently reported
types of cases are those arising in the context of employer-employee relations.
For that reason, our findings are based to a large extent on our examination
of legal issues associated with the use of social media in the workplace.
*Assistant Professor of Business Law, Albers School of Business and Economics, Seattle University.
**Attorney at Law, Seattle, Washington.
The authors gratefully thank Shelby Gagnon, Seattle University MBA student, and James Blazey, Esq.,
Seattle area attorney, for their outstanding research assistance.
1. Daniel Bates, Facebook Fatigue Sets in for 100,000 Brits: Users Bored with Site Deactivate
Accounts Amid Privacy Fears, THE DAILY MAIL, June 14, 2011,
http://www.dailymail.co.uk/sciencetech/article-2003131/Facebook-100k-Brits-bored-site-deactivate-accounts-amid-privacy-fears.html.
2. See Socialcapital.com, Twitter, Facebook and YouTube's Role in Middle East Uprising,
http://socialcapital.wordpress.com/2011/01/26/twitter-facebook-and-youtubes-role-in-tunisia-uprising/
(last visited March 7, 2011). (The governments of Egypt, Tunisia, Bahrain, Libya, and Iran can be used
as examples. Each of them tried to suppress, disrupt, or completely shut down online social networks
when large and publicly open anti-regime demonstrations began. The government of China is doing a
more thorough job of online social network suppression). See also Scott Shane, Spotlight Again Falls on
Web Tools and Change, NEW YORK TIMES, Jan. 29, 2011,
http://www.nytimes.com/2011/01/30/weekinreview/30shane.html.
INTRODUCTION
Facebook and other online social networks (OSNs) have quickly attracted a
large and growing following and are now firmly established on the internet scene.
At the time of this writing, Facebook is estimated to have 600+ million users
worldwide.3
A nationwide research report indicates that U.S. internet users spend
906,000,000 hours per month on social networks and blogs.4 According to Nielsen,
a recent Pew Research Center study found that more than half of U.S. Internet
users between ages 18-45 had a profile on a social networking site. In contrast, 30
percent of baby boomers under age 65 had profiles and only 6 percent of people
over 65 had profiles.5 Also, Nielsen, having tracked 200,000 Internet users and
compared usage from June 2009 to that of June 2010, found that of the total time
spent in online social networks, 85 percent of the time is spent on Facebook, with
Myspace (5.6%), Twitter (1.10%), and Blogger (1.1%) rounding out the top four.
While time spent on e-mail, portals and instant messaging has declined, there was a
43 percent increase in time spent on social networking and a 10 percent increase on
games, with an overall 32.9 percent of Internet time in June 2010 spent on social
networks and online games. According to another recent survey, Facebook
dominates the social network space: 92% of OSN users are on Facebook; 29% use
MySpace, 18% use LinkedIn and 13% use Twitter.7
The early adopters of Facebook and other OSNs were individual computer
users, seeking to connect digitally with online "friends." More recently however,
social media has become a powerful tool for enterprises across the globe.
Businesses, nonprofits, and government entities are using Facebook proactively for
recruiting, marketing, fundraising, and for public awareness messaging. A 2010
Burson-Marsteller study showed that, "of the Fortune Global 100 companies, 65
3. David Kirkpatrick, Address at Elliot Bay Bookstore on The Facebook Effect: The Inside Story
of the Company That Is Connecting the World (June 21, 2010). See also, Bates, supra note 1.
4. Scott Duke Harris, Multi-Tasking Sites like Facebook Boom at Expense of Stand-Alone
Networks, Seattle Times, August 3, 2010 (citing What Americans Do Online: Social Media And Games
Dominate Activity,
http://blog.nielsen.com/nielsenwire/online_mobile/what-americans-do-online-social-media-and-games-dominate-activity/).
5. Id.
6. Id.
7. Keith N. Hampton, Lauren Sessions Goulet, Lee Rainie, & Kristen Purcell, Social Networking
Sites and Our Lives: How People's Trust, Personal Relationships, and Civic and Political Involvement
are Connected to Their Use of Social Networking Sites and other Technologies, Pew Research Center's
Internet & American Life Project, (June 16, 2011),
http://pewinternet.org/Reports/2011/Technology-and-social-networks.aspx.
2012 Online Social Networks and the Workplace 133
percent have active Twitter accounts, 54 percent have Facebook fan pages, 50
percent have YouTube video channels and 33 percent have corporate blogs."
Although individual and business users of OSNs derive some perceived
benefits from the time they spend online, many also have experienced unexpected,
unintended, and unpleasant consequences, sometimes resulting in litigation. A
recent survey reported that more than 5 million U.S. households experienced some
type of abuse on Facebook in the past year, including computer virus infections,
identity theft, and bullying of children.9
For purposes of our analysis, we have identified three general categories of
such problems, which we describe briefly according to their principal
characteristics.
The first category relates to the sorts of problems encountered by the early
adopters, mostly individual users. This category we call Type I and its primary
distinguishing characteristic is the "self-inflicted injury" element, i.e., a situation in
which the user himself or herself created and then posted some content in the form
of remarks, photos, jokes, etc. on a webpage, not thinking and/or not caring that it
could be seen by an unintended viewer. Primarily, these cases involve claims made
by employees for wrongful termination and center around the issue that somehow
their privacy was violated.
A typical example of this is the case in which a flight attendant posted a
photo of herself on her blog, alongside text containing humorous comments about
her workday experiences. Her intention was to amuse her friends, whom she
expected would visit her blog and MySpace page. However, her MySpace page
was unfortunately also visited by an unintended viewer, her employer. Instead of
being amused, the employer was greatly distressed, due to the photo of the
employee, dressed in the official company uniform, posing for the camera in a way
that could be construed by some as suggestive.10
In another example, a group of employees started a MySpace page and
posted numerous comments for their own amusement, including: sexual remarks
about management and customers of the company; jokes about some of the
specifications that the company had established for customer service and quality;
and references to violence and illegal drug use. However, company managers were
less than amused after gaining access to the website, and the employees were
terminated.11
In the time since these early cases were reported, there have been near-weekly
reports of new cases of this type:
A teenaged office worker was fired when the office manager visited her
Facebook page and found posted remarks about her menial job which she had
described as "boring."12
An employee posted messages to her Facebook page during a workday
after she had "called in sick." The page was accessed by a co-worker, who
informed colleagues at the office. When the boss found out, the "sick" worker was
fired.
A blogger, with the pseudonym "Pitt Girl," felt compelled to disclose her
true identity when several people seemed close to figuring out who she really was.
The nature of her postings included poking fun at the mayor. When Pitt Girl
revealed her true identity, she was fired from her job at a nonprofit organization.14
A professor posted humorous comments on her Facebook page, joking
about "not wanting to kill" any students that day. On another presumably bad day,
she requested assistance in finding a "discrete hit-man." After a student reported
the remarks, the professor was suspended immediately.
A Georgia school district allegedly forced a high school English teacher to
resign over postings on her Facebook page. Apparently, the school district objected
to photos of the teacher on a European vacation holding wine and beer, as well as a
post indicating that she was "headed out to play Crazy Bitch Bingo" at a local bar.
The school district stated that it was acting in response to a complaint from a parent,
but, according to the teacher, her Facebook page was private and she hadn't
"friended" any of her students. The teacher subsequently sued the school district,
alleging violations of state labor law.16
Another high school English teacher was suspended with pay from her job
in Pennsylvania, even though what she wrote was "meant only to serve as
amusement for herself, her husband and seven of her friends who read" her blog. In
one post, she advised students to obtain jobs with the local trash company. In
another, she calls them "rude, disengaged, lazy whiners." In a third post, she stated
flatly, "There's no other way to say this: I hate your kid."
Enterprises are using social media in many functional areas of the business
and are enjoying numerous tangible benefits such as increasing brand
recognition, sales, search engine optimization (SEO), web traffic, customer
satisfaction, and revenue.23 In addition, rapid feedback and insight from
consumers provide a mechanism for executives to assess consumer opinion
and use this information to improve products, customer service and
perception.
Enterprises have also discovered that they are able to monitor the market,
their competition and their customers via social media outlets. This allows
engaged enterprises to be on top of any changes that may be needed and to
proactively make appropriate adjustments to strategies, products or
services. The ability to search for and communicate with potential
employees is another area that has seen great enhancement via sites such as
LinkedIn and Plaxo. Also, enterprise use of social media tools usually
requires no additional technology to implement.24
On the other hand, there are numerous risks to the business enterprise
associated with these new uses of OSNs.25
21. Jennifer Kavur, Smart Recruiting Through Social Networks, NETWORK WORLD, Feb. 23,
2009, http://www.networkworld.com/news/2009/022309-smart-recruiting-through-social.html.
22. Information Systems Audit and Control Association (ISACA), Social Media: Business
Benefits and Security, Governance and Assurance Perspectives (2010). (Abstract: "Initiated as a
consumer-oriented technology, social media is increasingly being leveraged as a powerful, low-cost
tool for enterprises to drive business objectives such as enhanced customer interaction, greater brand
recognition and more effective employee recruitment. While social media affords enterprises many
potential benefits, information risk professionals are concerned about its inherent risks such as data
leakage, malware propagation and privacy infringement. Enterprises seeking to integrate social media
into their business strategy must adopt a cross-functional, strategic approach that addresses risks,
impacts and mitigation steps, along with appropriate governance and assurance measures." (ISACA, at
1)).
23. Id. at 5 (citing ENGAGEMENTdb, The World's Most Valuable Brands. Who's Most
Engaged? Ranking the Top 100 Global Brands,
www.engagementdb.com/downloads/ENGAGEMENTdb_Report_2009.pdf).
24. Id.
25. Id. at 5, 7-8. (The risks cited include: Data leakage/theft; "Owned" systems (zombies); System
In its 2009 annual study, Internet security firm Proofpoint, Inc. reports that
of the 220 companies surveyed, each with more than 1000 employees, 45 percent
are "highly concerned" about the risk of information leakage via posts to social
networking sites like Facebook and LinkedIn.26 Further, 17 percent of those
companies had disciplined employees for violating social networking policies in the
past year and 8 percent had terminated an employee for a violation.27 The
percentage of such terminations is up from just 4 percent last year, suggesting that
corporate America appears to be steadily increasing tracking of their employees'
online activities and cracking down on violators.28
The Proofpoint study also shows that 41% of companies surveyed are
highly concerned about information leaks through Twitter and similar short
message services.29 No figures are provided for Twitter-related discipline or firings
in the past year. Figures for blogs and message boards are similar to those for
social networking sites: 46% of the companies surveyed are highly concerned about
information leaks through these avenues, 17% disciplined employees for violating
blog or message board policies in the past year, and 9% terminated an employee for
a violation.30
We note that the ISACA's list of potential problems is not just an imagined
collection of "worst case scenarios" but is based upon actual cases. Consider the
following selected examples:
downtime; Resources required to clean systems; Customer backlash/adverse legal actions; Exposure of
customer information; Reputational damage; Targeted phishing attacks on customers or employees;
Enterprise's loss of control/legal rights of information posted to the social media sites; Customer
dissatisfaction with the responsiveness received in this arena, leading to potential reputational damage
for the enterprise and customer retention issues; Regulatory sanctions and fines; Adverse legal actions)
26. Careful What You Email, Post, Upload and Tweet: US Businesses Embrace Aggressive
Preventative Measures Wire, ECMCONNECTION.COM,
http://www.ecmconnection.com/article.mvc/Careful-What-Email-Post-Upload-And-Tweet-0001
(Aug. 10, 2009).
27. Id.
28. Sam Bayard, Employers Are Freaking Out About Twitter and Facebook, Study Shows,
CITIZEN MEDIA LAW PROJECT, (Aug. 10, 2009),
http://www.citmedialaw.org/blog/2009/employers-are-freaking-out-about-twitter-and-facebook-study-shows.
29. Careful What You Email, Post, Upload and Tweet, supra note 26.
30. Bayard, supra note 28.
31. Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, at 968 (2010).
138 JOURNAL OF LAW, BUSINESS & ETHICS VOL. 18
injunction in federal court to prevent the defendant from posting any further
criticism or materials online, the plaintiffs also brought claims for defamation, false
light, intentional interference with economic advantage, breach of contract
(including publication of trade secrets), and breach of covenant of good faith.32
In June 2008, Too Much Media, LLC (TMM), a software company that
services the online adult entertainment business, brought claims in New Jersey state
court for defamation, false light, invasion of privacy, and trade libel against a
Washington-based blogger. TMM sued the blogger after she posted comments on
Oprano.com, an online forum for those in the online adult entertainment industry,
regarding a security breach in TMM's software product.33
A former employee used company computers to gain access to trade secrets and
then used the information to divert business away from the former employer to a new
business entity started by the former employee.
An online "lifestyle publisher" sued its former manager and several other
former employees for, among other claims, copyright infringement,
misappropriation of trade secrets and unfair competition. According to the
complaint, the defendant "made and took possession of unauthorized copies of
electronic information stored on the company's password-protected computers and
servers," including the source code for the websites and trade secrets, which
included contact information for advertising clients.
Target Corporation, the large national retailer, filed a lawsuit for copyright
infringement and misappropriation of trade secrets against an initially unknown
Internet user with the "handle" (online pseudonym) "Target Sucks." Based on the
information it received by subpoenaing internet service providers, Target identified
the user as Charles Emmerson William Harris and claimed he posted in-house
Target Corporate information on various retail-employee forums and blogs. Harris
32. Arthur Bright, Deep Blue Marine v. Krajewski, CITIZEN MEDIA LAW PROJECT, July 30, 2008,
http://www.citmedialaw.org/threats/deep-blue-marine-v-krajewski (citing Deep Blue Marine v.
Krajewski, No. 2:08-cv-00405-TC (U.S. Dist. filed May 20, 2008)).
33. Citizen Media Law Project, Too Much Media, LLC v. Hale, (April 28, 2009),
http://www.citmedialaw.org/threats/too-much-media-llc-v-hale (citing Too Much Media, LLC v. Hale,
No. L2736-08 (Superior Court of New Jersey, Monmouth County)).
34. Blank, supra note 19, at 491 (citing Ameriwood Indus., Inc. v. Liberman, No. 4:06CV524-DJS,
2007 WL 5110313, at I (E.D. Mo. July 3, 2007).
35. Citizen Media Law Project, Hamptons Online v. Florio, (June 16, 2010),
http://www.citmedialaw.org/threats/hamptons-online-v-florio (citing Hamptons Online v. Florio, No.
2:10-cv-01865, Complaint 34 (U.S. Dist. April 27, 2010)).
2012 Online Social Networks and the Workplace 139
allegedly posted Target's "Asset Protection Directives," an in-house theft
prevention manual, on several websites critical of Target, all of which he had
obtained from a recently terminated Target employee.
As these Type II cases illustrate, employers have good reason to be
concerned about potential harm to company interests at the hands of their
employees and their use of social media.
A third category of issues arises in cases in which users are adversely
affected by the OSN provider: either directly or via the provider's linkage to a third-
party service provider. These cases we have called Type III and the defining
characteristic of this type of case is found in the actions taken, or not taken, by the
provider itself, and the damage is suffered by the user through no fault of their own.
The facts of the following two cases illustrate the situation.
Facebook/Beacon
36. Citizen Media Law Project, Target Corp. v. Doe, (June 19, 2009),
http://www.citmedialaw.org/threats/target-corp-v-doe (citing Target Corp. v. Doe, No. 1:06-CV-02116-
CC, (U.S. Dist. Sept. 5, 2006)).
37. Class Action Complaint at 5, Lane et al. v. Facebook, Inc. et al., No. 5:08-cv-03845-RS (N.D.
Cal. Aug. 12, 2008).
38. Id. at 27.
that he purchased a ring. Sean, like the other plaintiffs in the resulting class action,
had not given his consent for this information to be sent out via Facebook.39
This case ended in a settlement agreement, in which Facebook agreed to
completely terminate the Beacon program, to pay $9.5 million to fund a
to-be-established nonprofit Privacy Foundation, to compensate plaintiffs, and to pay
attorneys' fees and costs.40
Facebook founder Mark Zuckerberg later acknowledged that the Beacon
program was a mistake that damaged the reputation of his company, and that "We
didn't react quickly enough because we were just so used to people complaining
about [privacy] things and then eventually being right."4
More recently, in 2010, Facebook instituted another innovation: this time,
the new feature was more descriptively named "Like." Accompanied by a simple
"Thumbs up" icon, the "Like" feature enables Facebook users to click on the icon
whenever and wherever it appears on the screen (usually following a story).
Whenever a user clicks on "Like", the action is recorded in the Facebook database.
When a large number of users click on the same "Like," the aggregated total can be
compared with other "Likes," and those posted articles or photos that generate
higher "Like" totals trigger a number of consequential actions. One of those actions
is the showing of ads to a user's "Friends" which contain actual posts by those
friends as part of the ad itself.
According to one industry observer, "Like" is deceptively similar to
Beacon:
Facebook is not the only company to have become a litigation target. In 2009 a
similar case was filed against another online social network provider, "Tagged,
Inc.," a smaller and less well-known San Francisco-based social networking site
that claimed to have some 80 million members. In their complaint, plaintiffs
alleged violations of federal and California state statutes, as well as unjust
enrichment.
The complaint focused on the way in which Tagged "harvested" the
contents of the email address books of its member users without their knowledge or
consent and then sent out unsolicited commercial email messages to the harvested
email addresses disguised as personal emails from actual acquaintances.45 The
solicitation invited recipients to open the email and click on a link to see some
photos. But clicking the link did not lead to the promised photos alone, it also
automatically registered the unwitting friend as another Tagged member, thereby
setting up another iteration of the misrepresentation and another round of
unsolicited emails.46
Like the Facebook/Beacon case, the Tagged case resulted in a settlement
agreement. Tagged was ordered to purge its database of all harvested email
addresses, to provide Tagged members with a clear and conspicuous manner for
cancelling their accounts, to provide third-party verification of compliance with
these measures, to pay each named plaintiff $10,000 and to pay plaintiffs'
attorneys' fees and costs.
Type III cases illustrate another significant point: Facebook users may not
fully understand their relationship with the company that provides the online social
network service. Users are not Facebook's customers; rather, the users' identity
and personal information are what Facebook sells to its real customers, its
advertisers. In actual practice, the users are the product.
43. Complaint at 2, 4, Slater et al. v. Tagged, Inc. et al. No. CV 093697 (N.D. Cal. filed Aug 12,
2009).
44. Id. at 1-2.
45. Id. at 2.
46. Id. at 4-5.
47. Principle Terms of Settlement Agreement, Slater et al. v. Tagged, Inc. et al. No. CV 093697
(N.D. Cal. Jan. 7, 2010).
employee's use of online social networks (Type II cases), and injuries caused to the
user by the online social network (Type III cases).
The different legal theories for recovery are wide-ranging but also
piecemeal, with some remedies originating in broad and well-recognized common
law principles, and others enacted seriatim through specific pieces of legislation,
each one targeted at a particular issue. The resulting legal landscape is a complex
patchwork, with no central organizational or operational framework.
State Law
Under the common law of torts, the list of available legal theories of
recovery includes defamation, wrongful disclosure of confidential information or
trade secrets, and invasion of privacy.
In the employment law area, cases have been styled as wrongful
termination or wrongful discharge suits. Sometimes in an at-will employment
situation, plaintiffs also rely on exceptions to the general at-will doctrine, including:
an implied or express contract; implied covenant of good faith and fair dealing; or a
violation of public policy, such as a violation of free speech or an invasion of
privacy.
State statutory protections include, among others, off-duty statutes, which
protect certain activities, including the use of lawful consumable products while not
at work.
Common law contractual remedies have been the basis for some cases that
have been based on alleged violations of Terms of Service agreements between
users and website operators.
In the next section, we examine each of these legal theories in more detail.
Defamation
Under the common law tort of defamation, employers could incur liability for
defamatory remarks posted by employees or "friends" on the employer's online
social network. Pursuant to the doctrine of Respondeat Superior, employers may
be liable if the employee makes defamatory statements on the employer's online
social network while acting within the course and scope of employment.
This scenario raises two issues: (1) whether an employee's posts are indeed
created while acting within course and scope of employment and (2) what level of
control an employer had over access to the site for editing/posting comments? 48
Employers' liability also could arise from a defamatory statement posted
by a well-meaning "overzealous company cheerleader," on a blog that identifies his
employer, "promoting the company's products or services at the expense of
defaming the company's competitors."
48. Gundars Kaupins & Susan Park, Legal and Ethical Implications of Corporate Social Networks,
22 Employee Responsibilities and Rights Journal 79 (2010).
49. Scott R. Grubman, Note, Think Twice Before You Type: Blogging Your Way to
Unemployment, 42 GA. L. REV. 615, 628, 623 (2008).
Disclosure of Confidential Information/Trade Secrets
57. Ian Byrnside, Six Clicks of Separation: The Legal Ramifications of Employers Using Social
Networking Sites to Research Applicants, 10 VAND. J. ENT. & TECH. L. 445, 461 (2008).
58. Id. (quoting Martha Irvine, When MySpace Become's Everyone's Space, Globe & Mail
(Toronto), Dec. 30, 2006, at R12).
59. Id. at 462 (quoting George's Employment Blawg, Employer's Using Facebook for
Background Checking. Part I, http://www.collegerecruiter.com/weblog/archives/2006/09/employers
using.php (last visited Dec. 5, 2006)).
60. Grubman, supra note 49, at 626 (citing Rafael Gely & Leonard Bierman, Workplace Blogs and
Workers' Privacy, 66 LA. L. REV. 1079, 1091 (2006)).
61. Id. at 628 (quoting Charles Muhl, The Employment-at Will Doctrine: Three Major Exceptions,
MONTHLY LAB. REV., Jan. 2001, at 7).
contract may exist.62 If there is a handbook and it does not address employee
actions while online, there may be inadequate grounds for termination.63
According to various court decisions, an employee is not considered an at-will
employee if an express or implied contract with the employee was formed by
the employer.64 In this situation, an employer may be liable for wrongful
termination if the employee is fired for posting an item on the employer's OSN site
that is not found to be contrary to the employer's interest and/or is unrelated to the
employee's work.65
62. Id.
63. See id. at 628-629.
64. Kaupins & Park, supra note 48.
65. Id.
66. Grubman, supra note 49, at 627 (quoting Gregory S. Fischer, A Brief Analysis of After-
Acquired Evidence in Employment Cases: A Proposed Model for Alaska (and Points South), 17
ALASKA L. REV. 271, 282 (2000)).
67. Id. at 628.
68. Pietrylo, 2008 U.S. Dist. LEXIS 108834, at 14 (citing Pierce v. Ortho Pharm. Corp., 417 A.2d
505 (N.J. 1980)).
fired and, according to some courts, the termination must implicate more than just
private interests of the parties.69
69. Id. at 14 (citing DeVries v. McNeil Consumer Prod. Co., 250 N.J. Super. 159, 593 A.2d 819
(App. Div. 1991)).
70. Id. at 14 (citing American Mfrs. Mut. Ins. Co. v. Sullivan, 526 U.S. 40, 49-50 (1999)).
71. Id. at 15 (citing Azzaro v. County of Allegheny, 110 F.3d 968, 976 (3d Cir. 1997)).
72. Id. at 15 (citing Curinga v. City of Clairton, 357 F.3d 305, 310-11 (3d Cir. 2004)).
73. Id. at 16 (citing Connick v. Myers, 461 U.S. 138, 146, 103 S.Ct. 1684 (1983)).
74. Pietrylo, 2008 U.S. Dist. LEXIS 108834, at 16 (citing Baldassare v. New Jersey, 250 F.3d 188,
195 (3d Cir. 2001)).
75. Id. at 16 (citing Baldassare v. New Jersey, 250 F.3d 188, 195 (3d Cir. 2001)).
76. Id. at 17, 18 (citing Hennessy v. Coastal Eagle Point Oil Co., 129 N.J. 81, 609 A.2d 11 (1992),
Borse v. Pierce, 963 F.2d 611, 628 (3d. Cir. 1992)).
violation of a public policy favoring freedom of speech; and a violation of a public
policy against the invasion of privacy. 7 Because there was an issue of material fact
on the counts involving an invasion of privacy both the tort and public policy
claims, plaintiffs survived a motion for summary judgment. However, on the count
for a violation of a public policy favoring freedom of speech, summary judgment
was granted because plaintiffs could not show that the speech in question was a
"matter of public concern."78
California
77. Pietrylo v. Hillstone Rest. Grp., No. 06- 5754 (FSH), 2008 U.S. Dist. LEXIS 108834 (D.N.J.
July 25, 2008).
78. Id.
79. John S. Hong, Can Blogging and Employment Co-Exist?, 41 U.S.F. L. REV. 445, 461 (2007).
80. Id. at 461 n.88 (citing Rafael Gely & Leonard Bierman, Workplace Blogs and Workers'
Privacy, 66 LA. L. REV. 1079, 1099 (2006)).
81. CAL. LAB. CODE § 96(k) (West 2003).
82. Robert Sprague, Emerging Technology and Employee Privacy. Rethinking Information
Privacy in an Age of Online Transparency, 25 HOFSTRA LAB. & EMP. L.J. 395, 413 (2008) (quoting
CAL. LAB. CODE § 96(k) (West 2003)).
Colorado
Connecticut
New York
A New York labor law statute bans "employers from discriminating against
employees on the basis of their legal political activities, legal use of consumable
products, and legal recreational activities." 92 However, those activities must be
"off-site, during non-work hours and without the use of employer's property."93
The protection offered by the law specifically prohibits activity which "creates a
material conflict of interest related to the employer's trade secrets, proprietary
information or other proprietary or business interest." 94 Note that the term "legal
recreational activities" does not include romantic relationships or extramarital
North Dakota
Facebook: "You understand that... the Service and Site are available for
your personal, non-commercial use only." 99
MySpace: "The MySpace Services are for the personal use of Members
only and may not be used in connection with any commercial endeavors except
those that are specifically endorsed or approved by MySpace.com." 100
Employers that engage in checking online social network profiles for the
purpose of making employment decisions may commit a direct violation of terms of
service by using the service for commercial purposes.101 Nevertheless, the practice
is widespread, and Facebook has taken the position that employers doing
95. Sprague, supra note 82, at 414 (citing McCavitt v. Swiss Reinsurance Am. Corp., 237 F.3d
166, 168 (2d. Cir. 2001)).
96. Id. at 415 (quoting Cavanaugh v. Doherty, 675 N.Y.S.2d 143, 149 (App. Div. 1998)).
97. Id. (quoting N.D. CENT. CODE § 12-02.4-03 (2004)).
98. Id. (quoting Hougum v. Valley Mem'l Homes, 574 N.W.2d 812, 820-821 (N.D. 1998)).
99. Byrnside, supra note 57, at 466 (quoting Facebook.com, Terms of Use,
http://www.facebook.com/terms.php).
100. Id. at 466 (quoting MySpace.com, Terms of Use Agreement,
http://www.myspace.com/Modules/Common/Pages/TermsConditions.aspx).
101. Id. at 466.
background checks do not violate the terms of service if the person conducting the
background check is a registered Facebook user and is not violating privacy settings
of applicant/employee.10
Arguably, a clearer violation would occur if an employer gained access to
the site by fraudulently misrepresenting their affiliation to the user or the website,
by threatening or coercing employees into disclosing their passwords or access
codes, or by using another's account to investigate applicants.
Federal Law
102. Id.
103. See id. at 466, 467; see, e.g., Pietrylo v. Hillstone Rest. Grp., No. 06- 5754 (FSH), 2008 U.S.
Dist. LEXIS 108834 (D.N.J. July 25, 2008).
104. Electronic Communications Privacy Act (ECPA), Pub.L. No. 99-508, 100 Stat. 1848 (1986).
105. Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002) (citing Electronic
Communications Privacy Act (ECPA), Pub.L. No. 99-508, 100 Stat. 1848 (1986)). The Wiretap Act
and SCA have since been amended by the Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act, Pub.L. No.
107-56, 115 Stat. 272 (October 26, 2001)).
106. Wiretap Act, 18 U.S.C. §§ 2510-2522 (2004).
107. The Stored Communications Act (SCA), 18 U.S.C. §§ 2701-2711 (2003).
108. Konop, 302 F.3d at 874.
anyone, including an employer, of wire, oral, or electronic communications is
unlawful and a federal crime.109 However, there are statutory exceptions for
"business use in the ordinary course of business," "providers of communication
systems," and "consent."110
Although case law so far primarily focuses on interpreting the interception
of telephone conversations, it is useful to consider because it is likely to be
similarly applied to electronic communications.111 For instance, in Fischer v. Mt.
Olive Lutheran Church,112 Fischer, an employee, claimed that an employer
eavesdropped on personal telephone conversations, allegedly of an explicit, sexual
nature, made on a work telephone. Fischer claimed Mt. Olive violated Title I of the
ECPA.113 As a defense, Mt. Olive asserted the business use exception, which
would permit the telephone conversation interception as long as it was in the
"ordinary course of its business," on the basis that the conversations may have
included counseling and been part of the minister's job function.114 Fischer's claim
survived summary judgment when the court held that his "telephone conversation
was not in the ordinary course of business because it was not a business call and
monitoring a personal call was not justified by valid business concerns."115
Also, in Sanders v. Robert Bosch Corp., the court held that, in spite of
bomb threats to the security office of Bosch, the taping of security guards' phone
calls was not covered by the business-use exception. The court reasoned that the
security guards could have been informed of the recording and it did not further the
security office's business.11
Title II of the ECPA created the Stored Communications Act (SCA), which
was intended to "address access to stored wire and electronic communications and
transactional records."118 The SCA makes it unlawful and a federal crime for
anyone to "access" without "authorization", or in excess of authorization, a "facility
providing electronic communication services and thereby obtaining access to a wire
or electronic communication while it is in electronic storage."119 Title II includes
exceptions for "providers of communications"120 and "conduct authorized . . . by a
109. Gail Lasprogata, Nancy J. King & Sukanya Pillay, Regulation of Electronic Employee
Monitoring: Identifying Fundamental Principles of Employee Privacy Through a Comparative Study of
Data Privacy Legislation In the European Union, United States, and Canada, 2004 STAN. TECH. L.
REV. 4, 72 (2005) (citing The Wiretap Act, 18 U.S.C. §§ 2510-2522 (2004)).
110. Id. at 73.
111. Laura Evans, Monitoring Technology in the American Workplace: Would Adopting English
Privacy Standards Better Balance Employee Privacy and Productivity, 95 CALIF. L. REV. 1115, 1124
(2007).
112. Fisher v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914 (W.D. Wis. 2002).
113. Lasprogata, supra note 109, at 75 (citing Fisher, 207 F. Supp. 2d at 922-923).
114. Id.
115. Id. at 75 n.223 (citing Fisher, 207 F. Supp. 2d at 923).
116. Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994).
117. Evans, supra note 111, at 1124 (citing Sanders, 38 F.3d at 738, 740).
118. Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002) (citing S.Rep. No. 99-
541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3557).
119. Lasprogata, supra note 109, at 72 (citing The Stored Communications Act (SCA), 18 U.S.C §§
2701-2711 (2003)).
120. Id. at 73.
user of that service with respect to a communication intended for that user."121 A
common issue with SCA cases is the question of whether the user gave consent
"authorizing" that person to access the communications and, further, whether that
consent was freely given or given under duress.122 There has been no guidance
from Congress on the definition of "conduct authorized"123 and federal courts have
equated "consent" under the Wiretap Act with "authorization" under Stored
Communications Act.124
Konop v. Hawaiian Airlines is one of the few cases to involve electronic
communications and claims of both Title I and Title II violations. Among other
allegations, Robert Konop, a pilot, alleged that Hawaiian Airlines, his employer,
accessed his personal website by using the passwords of other pilots. 26 In
upholding a lower court's dismissal of Konop's Title I claims, the court held that
the unauthorized access of Konop's private, secured website by Hawaiian Airlines
was not an "unlawful interception of an electronic communication while it was in
transit."127 Under Title I of the ECPA, an "interception" of an electronic
communication is only prohibited when it occurs while the communication is in
transit.128 In terms of Konop's Title II claims, the court held that Hawaiian Airlines
may have violated Title II, the SCA, because the two pilots whose passwords
Hawaiian Airlines managers used may not have actually used the website;129 the
pilots were effectively not "users" who could authorize access.130
Whistle Blowing
The U.S. Department of Labor through the Occupational Safety and Health
Administration (OSHA) provides overall protection for federal workers via the
Office of the Whistleblower Protection Program. The office administers a total of
twenty-one different statutes affecting the rights of workers in numerous industries.
121. Pietrylo v. Hillstone Restaurant Grp., 2008 U.S. Dist. LEXIS 108834, at *8 (D.N.J. July 25,
2008) (quoting 18 U.S.C. § 2701(c)(2)).
122. Id. at *10.
123. Konop, 302 F.3d at 880.
124. Pietrylo, 2008 U.S. Dist. LEXIS 108834, at *9 (citing In re DoubleClick, Inc. v. Privacy
Litigation, 154 F.Supp. 2d 497, 514 (S.D.N.Y. 2001)).
125. Konop, 302 F.3d at 874 (9th Cir. 2002).
126. Evans, supra note 111, at 1125 (citing Konop, 302 F.3d at 872).
127. Lasprogata, supra note 109, at 77 n.228 (citing Konop, 302 F.3d at 876-879).
128. Id. at 77.
129. Evans, supra note 111, at 1125.
130. Lasprogata, supra note 109, at 76 n.227 (citing Konop, 302 F.3d at 879-880).
safety, health care reform, nuclear, pipeline, public transportation agency,
railroad, maritime and securities laws.
131. The Whistleblower Protection Program, THE U.S. DEPT. OF LABOR (July 16, 2011)
http://www.whistleblowers.gov; Asbestos Hazard Emergency Response Act (AHERA), 15 U.S.C. §
2651; Clean Air Act (CAA), 42 U.S.C. § 7622; Comprehensive Envtl. Response, Comp. & Liab. Act
(CERCLA), 42 U.S.C. § 9610; Consumer Fin. Prot. Act of 2010 (CFPA), Section 1057 of the Dodd-
Frank Wall St. Reform and Consumer Prot. Act of 2010, 12 U.S.C.A. § 5567; Consumer Prod. Safety
Improvement Act (CPSIA), 15 U.S.C. § 2087; Energy Reorganization Act (ERA), 42 U.S.C. § 5851;
Fed. R.R. Safety Act (FRSA), 49 U.S.C. § 20109; Fed. Water Pollution Control Act (FWPCA), 33
U.S.C. § 1367; Int'l Safe Container Act (ISCA), 46 U.S.C. § 80507; Nat'l Transit Sys. Sec. Act
(NTSSA), 6 U.S.C. § 1142; Section 11(c) of the Occupational Safety & Health Act, 29 U.S.C. § 660;
Pipeline Safety Improvement Act (PSIA), 49 U.S.C. § 60129; Safe Drinking Water Act (SDWA), 42
U.S.C. § 300j-9(i); Sarbanes-Oxley Act (SOX), 18 U.S.C.A. § 1514; Seaman's Prot. Act, 46 U.S.C. §
2114 (SPA), as amended by Section 611 of the Coast Guard Auth. Act of 2010, P.L. 111-281; Solid
Waste Disposal Act (SWDA), 42 U.S.C. § 6971; Surface Transp. Assistance Act (STAA), 49 U.S.C. §
31105; Wendell H. Ford Aviation Inv. & Reform Act for the 21st Century (AIR21), 49 U.S.C. § 42121;
Section 1558 of the Affordable Care Act (ACA), P.L. 111-148; Amendments to SOX, enacted July 21,
2010 - Sections 922 and 929A of the Dodd Frank Act (DFA); Section 402 of the FDA Food Safety
Modernization Act (FSMA), P.L. 111-353; Surface Transportation Assistance Act (STAA), 49 U.S.C.
§ 31105; Toxic Substances Control Act (TSCA), 15 U.S.C. § 2622.
132. Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204 § 1, 116 Stat. 745 (codified in scattered
sections of 11, 15, 18, 28, and 29 U.S.C.).
133. Grubman, supra note 49, at 645 (quoting Sarbanes-Oxley Act § 806; 18 U.S.C. § 1514A(a)
(Supp. 2002).
134. Id. at 645.
Labor Relations
Discrimination
Under Title VII of the 1964 Civil Rights Act,145 employers cannot "fail or
refuse to hire or to discharge any individual, or otherwise to discriminate against
any individual with respect to his compensation, terms, conditions, or privileges of
employment, because of such individual's race, color, religion, sex, or national
,,46
origin."
While many employers do not ask job applicants specific questions about
religion, national origin, or race in the formal application process, employers can
and increasingly do use social media to find out more about applicants online.' 4
Through this informal process, it is possible for employers to ferret out information
about an applicant that is not in accord with the intent of Title VII, and it is of
course possible for employers to make decisions about employment based on such
information. Employment decisions made in this manner may in fact discriminate
(ADEA), although neither Act contains provisions relating specifically to the use
of information about the applicant which has been made public by the applicant or
by others.
The Americans with Disabilities Act (ADA) prohibits discrimination in
employment decisions against "an individual with a disability who, with or without
reasonable accommodation, can perform the essential functions of the employment
position that such individual holds or desires." 59 In addition to broadly prohibiting
questions directly or indirectly related to a disability,160 employers are also
prohibited by the ADA from questioning applicants regarding the "existence or
nature" of possible disabilities.161 The ADA does not specifically address the
situation in which information about the disability might be found via the
applicant's own online postings, or information about the applicant posted online
by others.
According to the Age Discrimination in Employment Act (ADEA), it is
against the law for an employer "to fail or refuse to hire or to discharge any
individual or otherwise discriminate against any individual . . . because of such
individual's age."162 Again, the ADEA does not specifically address the situation in
which information about the applicant's age might be found via the applicant's own
online postings, or information about the applicant posted online by others.
The greater role that a [OSN] user plays in publishing the information, the
more likely it is that courts will view the user as an original publisher....
The most obvious scenario in which the [OSN] user could enjoy immunity
would be if a third party posted defamatory statements in the user's
"Comments" section. In this case, the user would have republished the
statements in a completely passive manner, much like the AOL and
CompuServe 'republish' statements made on their forums.169
174. Byrnside, supra note 57, at 450 (quoting 15 U.S.C. § 1681d (1994)).
175. 18 U.S.C. § 1030 (2000 & Supp. 2002).
176. Byrnside, supra note 57, at 468 (quoting George's Employment Blawg, Employer's Using
Facebook for Background Checking, Part 1, http://www.collegerecruiter
.com/weblog/archives/2006/09/employers using.php (last visited Dec. 5, 2006)).
177. Byrnside, supra note 57, at 468 (citing 18 U.S.C. § 1030).
178. Id. at 468 (citing 18 U.S.C. § 1030).
179. 18 U.S.C. §§ 1831-1839 (2000 & Supp. 2002).
180. Grubman, supra note 49, at 621 (quoting 18 U.S.C. § 1832(a)).
181. Id. at 621 (quoting 18 U.S.C. § 1832(a)).
182. Id. at 621 (citing 18 U.S.C. § 1832(a)).
Securities and Exchange Commission (SEC) Rule 10b-5
Under SEC Rule 10b-5,183 it is unlawful for an individual "to make any
untrue statement of material fact or to omit to state a material fact necessary in
order to make the statements made, in the light of the circumstances under which
they were made, not misleading."
If, when the stock price is fluctuating, an employee discloses material
nonpublic information on an online social network, the employee may subject their
employer to suit under the SEC Rule 10b-5.185
190. Staff Discussion Draft, H.R. Res. , 111th Cong. (2010). According to the Boucher Privacy
Discussion Draft Executive Summary, the Boucher bill contained the following key provisions:
Disclosure of privacy practices: Any company that collects personally identifiable information about
individuals must conspicuously display a clearly-written, understandable privacy policy that explains
how information about individuals is collected, used and disclosed.
Collection and use of information: As a general rule, companies may collect information about
individuals unless an individual affirmatively opts out of that collection. Opt-out consent also applies
when a website relies upon services delivered by another party to effectuate a first party transaction,
such as the serving of ads on that website.
No consent is required to collect and use operational or transactional data-the routine web logs or
session cookies that are necessary for the functioning of the website-or to use aggregate data or data
that has been rendered anonymous.
Companies need an individual's express opt-in consent to knowingly collect sensitive information
about an individual, including information that relates to an individual's medical records, financial
accounts, Social Security number, sexual orientation, government-issued identifiers and precise
geographic location information.
Disclosure of information to unaffiliated parties: An individual has a reasonable expectation that a
company will not share that person's information with unrelated third parties. If a company wants to
share an individual's personally-identifiable information with unaffiliated third parties other than for an
operational or transactional purpose, the individual must grant affirmative permission for that sharing.
Many websites work with third-party advertising networks, which collect information about a person or
an IP address from numerous websites, create a profile and target ads based on that profile. The bill
creates an exception to the opt-in consent requirement for third-party information sharing by applying
opt-out consent to the sharing of an individual's information with a third-party ad network if there is a
clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile,
and if he chooses, to opt out of having a profile, provided that the ad network does not share the
individual's information with anyone else.
Implementation and enforcement: The Federal Trade Commission would adopt rules to implement
and enforce the measure. States may also enforce the FTC's rules through State attorneys general or
State consumer protection agencies.
191. Kerry Monroe, Stearns is Reworking Draft Boucher-Stearns Online Privacy Bill,
INSIDEPRIVACY (Jan. 21, 2011), http://www.insideprivacy.com/united-states/steams-is-reworking-
draft-boucher-stearns-online-privacy-bill/.
162 JOURNAL OF LAW, BUSINESS & ETHICS VOL. 18
Edward Markey (D-MA) and Joe Barton (R-TX), Co-Chairmen of the House Bi-Partisan
Privacy Caucus, stated that they planned "to convene a Caucus hearing to
discuss industry practices as they relate to online privacy."192 According to one
political observer:
"Anyone with ten minutes, $25 and a Facebook user's phone number and
address and no other information can obtain a breathtaking amount of
information about that Facebook user - and that Facebook user's family,
friends, neighbors and landlord," the senators wrote. "Combined with a
targeted Google search, these two pieces of information can allow someone
to obtain almost all of the information necessary to complete a loan or
credit card application. It is hard to contemplate all the different ways in
which this information could be abused."194
192. Josephine Liu, Congressional Scrutiny of Privacy Issues Likely to Continue, INSIDEPRIVACY
(March 18, 2011), http://www.insideprivacy.com/united-states/congress/congressional-scrutiny-of-
privacy-issues-likely-to-continue/.
193. Erin Egan, Privacy Bills Begin Dropping in Congress; More to Follow, INSIDEPRIVACY (Feb.
18, 2011), http://www.insideprivacy.com/united-states/congress/privacy-bills-begin-dropping-in-
congress-more-to-follow/.
194. Sens. Franken, Schumer, Whitehouse, Blumenthal Warn New Facebook Plan May Reveal
Sensitive User Information, Increasing Risk For Fraud, Theft And Abuse: Senators Ask Zuckerberg to
Block Third Parties' Easy Access to Users' Mobile Phone and Home Address Information, AL
FRANKEN, U.S. SENATOR FOR MINNESOTA, http://franken.senate.gov/?p=press_release&id=1374.
195. Jennifer Valentino-Devries & Emily Steel, White House to Push Privacy Bill,
WALL STREET JOURNAL (March 16, 2011),
http://online.wsj.com/article/SB10001424052748704662604576202971768984598.html?mod=WSJ_hp_LEFTWhatsNewsCollection.
2012 Online Social Networks and the Workplace 163
Meanwhile, Facebook itself is reportedly quite aware of the looming
prospect of new federal laws and regulations targeted at its operations. The
company has already taken strategic steps to protect its interests by ramping up its
"executive, legal, policy, and communications ranks with high-powered politics
from both parties, beefing up its firepower for battles in Washington and beyond."196
IMPLICATIONS
196. Miguel Helft & Matt Richtel, Facebook Prepares to Add Friends in Washington, NEW YORK
TIMES (March 29, 2011). http://www.nytimes.com/2011/03/29/technology/29facebook.html.
197. Brian Solis, 21 Twitter Tips From Socially Savvy Companies, FAST COMPANY (April 23,
2010), http://www.fastcompany.com/article/21-twitter-tips-from-socially-savvy-companies?page=0%2C4.
For example, Zappos, Dell, and Starbucks all report success via use of social
media.
The following proposed checklist of social media policies, compiled from a
number of sources,198 covers both restrictive and moderate approaches.
A Restrictive Approach
Employers should:
198. Daliah Saper, Saper Law Offices, Presentation: The Legal Implications of Social Media
(transcript available at http://www.saperlaw.com).
199. How to Bypass a Firewall or Internet Filter, WIKIHOW.COM,
http://www.wikihow.com/Bypass-a-Firewall-or-Internet-Filter (last visited May 27, 2011).
A Moderate Approach
Employers should:
* Keep in mind that employees may have a legal right to post online
comments, even unfavorable comments, about their employer.
Recently, a terminated employee sued following her termination
for making vulgar comments on Facebook about her supervisor.
The National Labor Relations Board found that "Facebook posts
are legally protected speech, even for employees who write
negative things about their employers," and that "company social
media policies that prohibit making negative remarks about one's
CONCLUSION
compliance with federal legal requirements will require considerable attention and
effort on the part of social network providers as well as from employers who seek
to keep workplace policies up to date.
Technological advances205 will no doubt continue to outpace the law and
company policies on social media. Therefore, the best company policies will be
those that are based on broad principles and not geared to specific types of
technological devices or systems.
205. What Has Privacy Got to Do with Social Networking?, ACTIANCE (Apr. 8, 2011),
http://blog.actiance.com/2011/04/08/what-has-privacy-got-to-do-with-social-networking/ (For example,
new social networking sites are gaining popularity such as Google+1 which provides some aspects of
privacy by default that differ significantly from Facebook's approach).
Citation:
Maneela, Cyber Crimes: The Indian Legal Scenario, 11
US-China L. Rev. 570 (2014)
Dr., Department of Law, D.A.V. (P.G.) College, Muzaffarnagar (U.P.), C.C.S. University, Meerut
(U.P.), India. Research fields: Labour Laws and Cyber Laws.
2014 THE INDIAN LEGAL SCENARIO 571
INTRODUCTION
Since its independence on August 15th, 1947, India has been
struggling to make its stand in the world. Many new technologies
were brought in, and many more are still to be found. One such revolution was
brought about by the introduction of the Internet, which is considered a
pool of knowledge. But who could have foreseen a time when this rich source of
knowledge would be misused for criminal activities?
Many such disturbing activities have occurred in the past and
urgently demanded rules and regulations, a set of definite
patterns to be followed while carrying out any business transaction
over the net, ranging from a simple friendly e-mail to carrying out a whole
set of work, without which the Internet may go wild and beyond control and
be used as a tool for the destruction of mankind. New forms and manifestations
of cyber crimes are emerging every day. Therefore, to control cyber crimes,
new legislative mechanisms are required.
The largest challenge to the law is to keep pace with technology. The
march of technology demands the enactment of newer legislation both to
regulate the technology and also to facilitate its growth. It was at this point
of time that the government of India felt the need to enact the relevant cyber
laws which can regulate the Internet in India. Internet and cyberspace need
to be regulated and a regulated cyberspace would be the catalyst for the
future progress of mankind. Here lay the seeds of origin of cyber law in
India.
This research paper is an honest attempt to examine the cyber crimes
and their impact on the present legal scenario in India. Part I of this research
paper summarizes Actus Reus in cyber crimes, Part II explains mens rea in
cyber crimes, Part III investigates classification of various types of cyber
crimes, Part IV examines comparative scanning of cases registered and
persons arrested under Information Technology Act, Part V deals with
changes brought by the Information Technology (Amendment) Act 2008
and Part VI discusses at length suggestions to tackle cyber crimes.
be termed as a crime can be said to have taken place when a person is:1
(a). trying to make a computer function;
(b). trying to access data stored on a computer or from a computer, which
has access to data stored outside.
There are two vital ingredients for Mens Rea to be applied to a cyber
criminal:2
(a). The access intended to be secured must have been unauthorized; and
(b). The offender should have been aware of the same at the time he or she
tried to secure access.
Mens rea does not enquire into the mental attitude of the wrongdoer;
it is judged from the conduct by
applying an objective standard. The act is not judged from the mind of the
wrongdoer, but the mind of the wrongdoer is judged from the acts. An act
which is unlawful cannot be excused in law on the ground that it was
committed with a good motive.
To be guilty of cyber crime in India, a person must act voluntarily and
willfully. For example, a person who deliberately sends viruses online is guilty
of cyber crime, but a person who forwards an e-mail without realizing it
contains a virus, or who spreads a virus when his/her account is hacked, is not
guilty. This means that to constitute a cyber crime in India mens rea is an
essential element along with actus reus. Section 43(c) read with S/66 makes
this point amply clear. S/43 mentions penalty and compensation for damage
to computer, computer system, etc. whereas S/66 mentions punishment and
fine for computer related offences.
1 NANDAN KAMATH, LAW RELATING TO COMPUTERS, INTERNET & E-COMMERCE 269 (Universal Law
Publishing Co., New Delhi 2000).
2 Ibid.
(b). Online sale of illegal articles
(c). Online gambling
(d). Digital forgery
(e). Cyber defamation
(f). Cyber stalking
(g). Phishing
(h). Cyber terrorism
(i). Cyber conspiracy etc.
These cyber crimes will be discussed one by one. (This list is not
exhaustive)
Money is the most common motive behind all crime. The same is also
true for cyber crime. More and more cyber crimes are being committed for
financial motives rather than for "revenge" or for "fun". There are various
fraudulent schemes envisaged over the Internet from which the criminals
benefit financially. Various Internet frauds include online auctions, Internet
access devices, work-at-home plans, information/adult services,
travel/vacations, advance fee loan, prizes etc. Payment method varies from
credit/debit card to cheque to even sending cash. Financial crimes include
cyber cheating, credit card frauds, money laundering, hacking into bank
servers, computer manipulation, accounting scams etc. The Internet offers
certain unique advantages which no other medium has, like anonymity and
speed. The Internet also offers a global marketplace for consumers and
business.3 Together, these factors make a haven for
fraudulent activities online.
The IT Act deals with the crimes relating to Internet fraud and online
investment fraud in Sections 43(d), 65 and 66. Under the Indian Penal Code,
Internet fraud would be covered by Sections 415 to 420, which relate to
cheating.4
The Internet is now being used to sell articles which are otherwise not
permitted to be sold under the law of a country. This would include sale of
narcotics, weapons and wildlife, pirated software or music and distribution
of data on private persons and organizations etc. by information on websites,
auction websites or simply by using email communication. In December
2004, the CEO of Bazee.com was arrested in connection with sale of a CD
with objectionable material on the website. The CD was also being sold in
the markets in Delhi. The Mumbai City Police and the Delhi Police5 got into
action. The CEO was later released on bail by the Delhi High Court.
Online sale of illegal articles is governed by Section 8 of the Narcotic
Drugs and Psychotropic Substances Act, 1985, which prohibits sale or
purchase of any narcotic drug or psychotropic substance. Section 7 of the
Arms Act, 1959 prohibits sale of any prohibited arms and ammunition,
whereas Section 9B of the Indian Explosive Act, 1884 makes sale of any
explosive an offence. The Wild Life (Protection) Act, 1972 prohibits sale of
banned animal products.6
C. Online Gambling
D. Digital Forgery
E. Cyber Defamation
This occurs when defamation takes place with the help of computers or
the Internet. Compared with offline defamation, online
defamation is more vigorous and effective. Quantitatively, the number of
people a comment defaming a person might reach is gigantic, and hence it
would affect the reputation of the defamed person much more than would an
ordinary publication. Cyber defamation recently came into the spotlight when
fraudulent profiles of several prominent politicians (L.K. Advani,13 Miss Mayawati,14
Dr. Manmohan Singh15) appeared on the social networking site "Orkut".
Cyber defamation is covered under Section 499 of IPC read with
Section 4 of the IT Act. While Section 499 of IPC provides for
defamation, Section 4 of IT Act gives legal recognition to electronic
records.16
F. Cyber Stalking
10 S.K. VERMA & RAMAN MITTAL, LEGAL DIMENSIONS OF CYBER SPACE 235 (ILI Publications, 2004).
11 S.C. No-430/2002 (Crime No-545/00).
12 Supra note 4.
13 Amar Ujala dated August 29, 2007, Regional Daily Newspaper.
14 Amar Ujala dated August 28, 2007, Regional Daily Newspaper.
15 Amar Ujala dated August 29, 2007, Regional Daily Newspaper.
16 Supra note 4.
576 US-CHINA LAW REVIEW Vol. 11: 570
G. Phishing
1' http://www.cybervictims.org.
19 Supra note 4.
gain access to the accounts.20 The term "phishing" is derived from "fishing",
where bait is offered to fish.21
The Delhi High Court in the case of NASSCOM v Ajay Sood
elaborated upon the concept of "phishing". The defendants were operating a
placement agency involved in head-hunting and recruitment. In order to
obtain personal data they could use for purposes of head-hunting, the
defendants composed and sent e-mails to third parties in the name of
NASSCOM.22 The plaintiff had filed the suit inter alia praying for a decree
of permanent injunction restraining the defendants from circulating
fraudulent e-mails purportedly originating from the plaintiff. The court
declared "phishing" on the Internet to be a form of Internet fraud and hence
an illegal act. This case had a unique twist since it was filed not by the one
who was cheated but by the organization that was being wrongly
represented, that is, NASSCOM. The court held the act of phishing to be passing
off and tarnishing the plaintiff's image.
An alternate form of phishing is by installing malicious code on your
machine without your knowledge and permission. This code works secretly
in the background monitoring all the sites you visit and passwords you type
in. It then passes this information to the identity thieves.
Apart from losing peace of mind, a victim of phishing is robbed of his
identity. This means the fraudsters have access to all the bank and credit
card information and can make purchases or withdraw cash itself from the
victim's account.
The increasing use of electronic channels for payments has posed a
new security problem for banks. India's largest bank, the State Bank of
India, has reported an attempt at phishing to the Indian Computer
Emergency Response Team (CERT-In).23
Other banks like HDFC, IDBI, ICICI Bank Home Loans, HSBC,
Standard Chartered, ABN Personal Loans, Bank of India and Kotak
Mahindra have phishing sites imitating them. The site called www.hadfcbank.com is
very similar to the URL of the actual HDFC Bank's website,
www.hdfcbank.com. Similarly, the phishing site for IDBI Bank comes with
an extra "i": www.idbiibank.com.
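The lookalike-domain pattern described above can be checked mechanically by comparing an observed hostname against a list of protected domains. The following Python code is an added example, not part of the original article; the protected list (including idbibank.com, inferred from the article's "extra i" remark), the distance threshold of 2, the function names and the extra sample hostnames are assumptions made for illustration.

```python
"""Flag lookalike (typosquatted) hostnames against a list of protected domains."""

# Protected domains. hdfcbank.com is named in the article; idbibank.com is an
# assumption inferred from the article's "extra i" description.
PROTECTED = ["hdfcbank.com", "idbibank.com"]


def normalize(host):
    """Lower-case a hostname, drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of adjacent characters each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(host, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched_domain, distance).

    verdict is one of:
      'legitimate'     - the protected domain itself or a subdomain of it
      'embedded-brand' - the brand label appears inside an unrelated domain
      'lookalike'      - within max_distance edits of a protected domain
      'unrelated'      - none of the above
    """
    name = normalize(host)
    labels = name.split(".")
    best = None
    for legit in protected:
        if name == legit or name.endswith("." + legit):
            return ("legitimate", legit, 0)
        # Edit distance misses names such as brand.com.something.example,
        # so check for the brand label used as a subdomain label.
        if legit.split(".")[0] in labels:
            return ("embedded-brand", legit, None)
        dist = osa_distance(name, legit)
        if best is None or dist < best[1]:
            best = (legit, dist)
    if best is not None and best[1] <= max_distance:
        return ("lookalike", best[0], best[1])
    return ("unrelated", None, None)


if __name__ == "__main__":
    samples = [
        "www.hadfcbank.com",           # from the article
        "www.idbiibank.com",           # from the article
        "www.hdfcbank.com",            # from the article (the real site)
        "hdfcbnak.com",                # constructed: transposed letters
        "hdfcbank.com.login.example",  # constructed: brand as a subdomain label
        "example.org",                 # constructed: unrelated
    ]
    for s in samples:
        print(s, "->", classify(s))
```

Edit distance alone produces false positives for short or generic names, so in a mail or proxy filter a "lookalike" verdict is better treated as a signal for review than as a block decision.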
Sections of IPC and IT Act which are applicable to Internet fraud and
online investment fraud cover phishing as well.24
20 http://www.us.cert.gov.
21 Economic Times, June, 2006, National Daily Newspaper.
22 119 (2005) DLT 596, 2005 (30) PTC 437 (Del).
23 http://infotech.indiatimes.com.
24 Supra note 4.
H. Cyber Terrorism
bomb, making new members for terrorist activities, raising funds for
terrorist attacks and other heinous motives.29 Arizona University's "Dark
Web Project" claims that on the Internet 50 crore pages, 10 lakh pictures, 15
thousand videos, 300 forums related to terrorist activities and more than
30,000 terrorist members exist.
In India alone, 300 websites are hacked every month. The majority30 of
hacked websites are those of govt. organizations, V.I.P.'s and celebrities.
The Information Technology Act 2000 completely missed any provision
regarding prevention of cyber terrorism, but the IT (Amendment)31 Act, 2008 has
dealt severely with cyber terrorism under Section 66/F.
I. Cyber Conspiracy
Cyber crimes may be spiralling but the country is grappling with poor
conviction rates in courts. Scanning of data of cases registered and persons
arrested under Information Technology Act bears testimony to this fact. The
following data35 shows that controlling cyber crimes needs immediate
attention of the authorities at the helm of affairs.
illustration bears testimony to the fact. Offences like Fraud (S/423), Forgery
(S/191) and Counterfeiting (S/464) are registered under IPC.
Cyber Crimes/Cases Registered and Persons Arrested
under Indian Penal Code during 2007-2011
[Figure: bar charts for the years 2007 to 2011. Panel title: Cases Registered. Categories: Public Servant Offences by/Against, False electronic evidence, Destruction of electronic evidence, Forgery, Criminal Breach of Trust/Fraud, Counterfeiting.]
A. Main Amendments
It requires cops specially suited and trained to deal with it. Detection of
cyber crimes requires Internet research skills, necessary court orders
including search warrants of premises and electronic surveillance.
The absolutely poor rate of cyber crime conviction in the country has
also not helped the cause of regulating cyber crimes. There have been only
a few cyber crime convictions in the whole country, which can be counted on
fingers. There is a need to ensure specialized procedures, together with
expert manpower, for prosecution of cybercrime cases so as to tackle
them on a war footing. Investigators and judges should be sensitized to the
nuances of the system. It must be ensured that the system provides for
stringent punishment of cyber crime and cyber criminals so that the same
acts as a deterrent for others. This is necessary so as to win the faith of the
people in the ability of the system to tackle cyber crime. Special and fast
track courts should be set up to settle cases of cyber crimes expeditiously.
Harmonization of cyber laws across the globe is needed, so that
investigating agencies like the Central Bureau of Investigation (CBI) have more
teeth for tackling hi-tech crimes. Although the Department of Information
Technology (DIT) has a computer emergency response team (CERT-In) for
assisting the combat efforts of law enforcing agencies, it needs to be
developed further.
Quick response to the Interpol references and bilateral requests, liberal
sharing of forensic technology and more cross-country training exchange
programmes besides timely alert could prove a deterrent against the cyber
menace. Mobile Hi-tech crime detecting units must be established.
Cooperation in investigation from other countries and extradition should be
secured for tackling cyber crime.
Internet security does not seem to be a priority with Indian Internet
companies. On an average, Indian companies spend less than 1% of their
funds on security. This is considerably lower than the worldwide average of
5% and needs to be increased considerably. It requires sincere and effective
efforts in this direction.
CONCLUSION
ABSTRACT
This paper delineates the legislative response to cyber crime in India with an analysis
of the Information Technology (Amendment) Act, 2008 focussing on the new crimes
introduced by the amendment, on the touchstone of cyber crime legislative standards
across jurisdictions. Thus, a brief look at the jurisprudential basis for criminalisation
of cyberspace activities has been undertaken, following which, the new crimes have
been examined section-wise. The paper uses the theoretical framework set out in the
first section to probe the various problems that the Amendment Act poses in light of
bad drafting and lack of understanding in the area.
TABLE OF CONTENTS
I. INTRODUCTION
II. REGULATION OF CYBERSPACE
A. Need for regulation of cyberspace activities
B. Need for criminalisation of offences in cyberspace
C. Types of offences to be criminalised
III. NEW CRIMES UNDER THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
A. An overview of changes under section 66 and 67
B. Critical analysis of the new offences introduced by the Amendment Act
C. The Void for Vagueness Doctrine
IV. CONCLUSION
The author is a fourth year student at the National Law School of India University, Bangalore. He
may be contacted at mohanty.amlan@gmail.com.
104 THE INDIAN JOURNAL OF LAW AND TECHNOLOGY [Vol. 7
I. INTRODUCTION
The Bill was passed by the Rajya Sabha on December 23, 2008, and received
Presidential assent in early 2009. However, even after this, the Act did not
come into force until October 26, 2009, when it was notified by the Central
Government. The Act though passed in such a rush did not come into effect
until a year later. This time could have been used to discuss the Bill and address
the various problems with it.
This essay looks at the new offences introduced by the Amendment Act as
a legislative response to the increasing threat of cyber crime in India today, and
analyses these offences in light of similar provisions in other jurisdictions. The
essay first looks at the jurisprudential basis for criminalisation of activities over
the internet. In this section, the essay looks at self-regulation as an adequate
means of policing the internet and whether government intervention and
criminalisation of cyberspace activities is necessary. The section concludes with
a brief framework which is used in the analysis of the provisions in the rest of
the essay. Various new offences introduced by the Act have then been studied
section-wise, using the framework as explained in the first section. The scope
of this essay is thus limited to the new crimes introduced by the amendment
and determining the adequacy of the legislative response to the growing need
Pavan Duggal, IT Act Amendments - Perspectives by Mr. Pavan Duggal, CYBERLAWS.NET, http://
www.cyberlaws.net/new/pd-onITAinendnents.php (last visited Jan. 23, 2010).
Karen M. Sanaro & Christyne Ferri, India's New Information Technology Law Impacts Outsourcing
Transactions, ST. B GA., June, 2009, http://www.technologybar.org/2009/06/indias-new-information-technology-law-impacts-outsourcing-transactions/ (last visited Jan. 23, 2010).
Press Release, Ministry of Communications & Information Technology (October 27, 2009),
PIB.NIC.IN, http://pib.nic.in/release/release.asp?relid=53617 (last visited Jan. 23, 2010).
2011] AMLAN MOHANTY 105
for a legislation that brings within its fold emerging forms of cyber crime. The
essay concludes by looking at the various problems that the Amendment Act
poses in light of bad drafting and lack of understanding in this area.
Entrusting the internet community with the power to create legal rules and
institutions will overcome inherent difficulties associated with geographical
determinacy and territorial enforcement and evolve into a mechanism to govern
a wide range of new phenomena that have no clear parallel in the non-virtual
world,6 thus saving the legislature the time and energy to draft laws to deal with
such situations. The proponents of self-regulation draw credibility from their claim
that State laws enacted to deal with cyberspace activities have been unsuccessful,
and that existing laws and methods of lawmaking are inadequate,7 and so, the
internet should be self-regulated. The underlying principle entrenched in these
views is that cyberspace is the antithesis of regulations and the impracticalities of
regulation by external forces including law enforcement forces are too compelling
to make such an attempt. The dispensability of government intervention is
intimately twined with the complicated nature of social relationships in cyberspace,
wherein criminal acts are reprimanded by third party Internet users who impose
community defined sanctions on offenders as a form of punishment akin to State
law enforcement mechanisms that seek to penalise the same crimes by utilising
additional State resources with less than desired effects.
6 David R. Johnson & David Post, Law and Borders: The Rise of Law in Cyberspace, 48 (5) STAN. L.
REV. 1367 (May, 1996).
7 Jason Kay, Sexuality, Live Without A Net: Regulating Obscenity And Indecency On The Global Network,
4 CAL. INTERDISCIPLINARY L.J. 355 (1995).
8 Keith J. Epstein & Bill Tancer, Enforcement of Use Limitations By Internet Services Providers: How To
Stop That Hacker, Cracker, Spammer, Spoofer, Flamer, Bomber, 9 HASTINGS COMM. & ENT. L.J. 661-664 (1997).
9 S.V. JOGA RAO, LAW OF CYBER CRIMES AND INFORMATION TECHNOLOGY LAW 10 (2004).
10 Based on terms and conditions of access and use, imposed by service providers, commonly referred to
as 'netiquette'.
that the stream of anti-governmentalism has been laid to rest in view of the fact
that the internet has quite simply become too mainstream, and being the
preferred platform for electronic commerce, the need for governmental regulation
cannot be ignored.11 Perhaps the greatest argument in favour of criminalising
unlawful conduct on the internet is its distinctiveness from territorial crime.
The very fact that cyber crimes are easier to learn how to commit, require fewer
resources relative to the potential damage caused, can be committed in a
jurisdiction without being physically present in it and the fact that they are
often not clearly illegal12 make criminalisation of such conduct not only
important, but essential. The conclusion that must be reached is that the State
must step in with some level of regulation of cyberspace.
There are essentially four main types of conduct that a domestic legislation
should penalise - (1) offences against the confidentiality, integrity and availability
of computer data and systems, (2) computer-related offences with the intention
to defraud, (3) content related offences, and (4) offences related to infringements
of copyright and related rights.14 In order to acquire a jurisprudential
understanding of cyber crimes in general, and to gain a critical insight into the
nature of offences introduced by the amendment and whether they serve the
function expected of them, it is important to comprehend why these particular
forms of conduct are criminalised across jurisdictions. Further, it is also essential
to understand the range of unlawful conduct that involves computers. With
11 Robert Shaw, Should the Internet be Regulated, 2(4) IFO INSTITUTE FOR ECONOMIC RESEARCH AT THE
UNIVERSITY OF MUNICH 42 (October, 2000), http://www.ifo.de/DocCIDL/Forum4Ol-pcl.pdf (last
visited December 14, 2009).
12 MCCONNELL INTERNATIONAL, CYBER CRIME... AND PUNISHMENT? ARCHAIC LAWS THREATEN GLOBAL
INFORMATION, (World Information Technology and Services Alliance, 2000), http://www.witsa.org/papers/McConnell-cybercrime.pdf (last visited December 1, 2009).
13 David S. Wall, Cybercrimes: New Wine, No Bottles?, in INVISIBLE CRIMES: THEIR VICTIMS AND THEIR
REGULATION (Pam Davies, Peter Francis & Victor Jupp eds., 1999).
14 European Convention on Cybercrime, Guidelines for member states, 2001, http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm (last visited December 12, 2009).
the first, second and fourth type of conduct, private individuals may not be able
to detect and proceed against the perpetrators and it therefore falls upon the
State to intervene and impose criminal sanctions. It is necessary to criminalise
acts falling within the third category as they are offences that shock the
conscience of society and threaten public morality.
0 Section 66A: Any person who sends, by means of a computer resource or a communication device,-
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill
will, persistently by making use of such computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of such
messages, shall be punishable with imprisonment for a term which may extend to three years
and with fine.
See, S.1(a)(i), MALICIOUS COMMUNICATIONS ACT, 1988, (United Kingdom) http://www.harassment-law.co.uk/law/act.htm,
and relevant sections, S. and S.4, PROTECTION FROM HARASSMENT ACT, 1997,
available at http://www.harassment-law.co.uk/law/act.htm, and CRIMINAL CODE (STALKING) AMENDMENT
ACT, 1999, (Australia) available at www.legislation.qld.gov.au/LEGISLTN/ACTS/1999/99AC018.pdf.
The fundamental problem with the section, moving on to clauses (b) and
(c), is simply that several of the words used in the section such as 'inconvenience',
'annoyance', 'obstruction' or 'ill will' are not defined either in the primary or
Amendment Act, leading to uncertainty in interpretation and increasing the
possibility of misuse of the provision, a possible reason for some statutes drafting
defences to the charge, within the section itself.2 However, the efforts of the
legislature to address developing situations of cyber crime such as threat mails,
e-mail and SMS spamming, cyber stalking and phishing, must be commended.
Title 47, Section 223(e), COMMUNICATIONS DECENCY ACT, 1997 (United States of America), available
at http://www.cybertelecom.org/cda/47usc223.htm.
Section 66B: Whoever dishonestly receives or retains any stolen computer resource or communication
device knowing or having reason to believe the same to be stolen computer resource or communication
device, shall be punished with imprisonment of either description for a term which may extend to
three years or with fine which may extend to rupees one lakh or with both.
4 Naavi, Is ITA 2000 Stringent Enough on Cyber Criminals?, NAAVI.ORG PORTAL ON INDIAN CYBER LAW
(February, 2009), http://www.naavi.org/cleditorial09/editjan27itaaanalysis12deterrance.htm (last
visited December 12, 2009).
Section 411, INDIAN PENAL CODE, 1860: Whoever dishonestly receives or retains any stolen property,
knowing or having reason to believe the same to be stolen property, shall be punished with imprisonment
of either description for a term which may extend to three years, or with fine, or with both.
Section 2(1)(k), INFORMATION TECHNOLOGY ACT, 2000: "computer resource" means computer,
computer system, computer network, data, computer data base or software.
Naavi, Information Technology Act 2000 Amendment Details unveiled, NAAVI.ORG PORTAL ON INDIAN
CYBER LAW (December, 2008), http://www.naavi.org/cleditorial08/editdec25itaaanalysis1.htm (last
visited December 12, 2009).
Statement of Objects and Reasons of the Information Technology Act, 2000, available at http://naavi.org/ita2008/objects2008.htm
and Statement of Objects and Reasons of the Information
Technology Amendment Act, 2006, available at http://naavi.org/ita_2008/index.htm (last visited
December 12, 2009).
Supra note 11.
Neal K. Katyal, Criminal Law in Cyberspace, 149 (4) U. PA. L. REV. 1027 (2001).
versions of the same crime merely involve the use of computers with similar
consequences, for example, logging into someone's account and making a
defamatory statement, online shopping using someone else's credit card etc.
Prior to the amendment act, the crime of identity theft was forcibly brought
under S.66 within the ambit of 'hacking', which presupposes that there was
an infiltration of a computer resource involving 'alteration, deletion or destruction'
of the information residing therein, facilitating the crime of identity theft.
However, under the new provision, S.66C, the means by which the identifying
information is accessed is discounted and only the act of making fraudulent or
dishonest use of the information itself is criminalised. The benefit of separating
the two offences cannot be overemphasised, given that a separate criminal
provision exists for extraction of such data through fraudulent means.
Section 66, IT ACT, 2000: (1) Whoever with the intent to cause or knowing that he is likely to cause
wrongful loss or damage to the public or any person destroys or deletes or alters any information
residing in a computer resource or diminishes its value or utility or affects it injuriously by any means,
commits hacking.
Section 66C, ITAA, 2008: Whoever, fraudulently or dishonestly makes use of the electronic signature,
password or any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall also be liable
to fine which may extend to rupees one lakh.
Section 43 under the IT Act imposes civil penalties for such acts, but after notification of the IT
(Amendment) Act, 2008, under Section 66, it is a criminal offence if mens rea exists.
Section 66D: Whoever, by means of any communication device or computer resource cheats by
personating, shall be punished with imprisonment of either description for a term which may extend
to three years and shall also be liable to fine which may extend to one lakh rupees.
See Vineeta Pandey, Cell Abuse: SMS Spoofing's Forgery, THE TIMES OF INDIA, July 18, 2004,
http://timesofindia.indiatimes.com/india/Cell-abuse-SMS-spoofings-forgery,/articleshow/782197.cms (last
visited December 16, 2009).
the idea of a 'unique' identification feature of an individual, and not fitting the
definition of 'computer resource' or 'communication device' under S.2(1)(k)
and (ha), may lie outside the scope of both, S.66C and S.66D, which is a
serious concern for cyber crime officials.
36 See Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, § 1028 112 Stat.
3007 (1998).
37 See Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, § 1028(b)(3)(A)
112 Stat. 3007 (1998).
38 See Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, § 1028(b)(4) 112
Stat. 3007 (1998).
39 See Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, § 1028(b)(1)(D)
112 Stat. 3007 (1998).
40 See Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, § 1028(b) 112
Stat. 3007 (1998).
41 MINISTRY OF INFORMATION TECHNOLOGY, REPORT OF THE EXPERT COMMITTEE, http://www.mit.gov.in/
download/ITAct.doc (last visited December 16, 2009).
prescribes imprisonment for a period of three years but similar fine of rupees two
lakh. However, it does not make mention of compensation to the victim which
was explicitly recommended by the Expert Committee, to the tune of rupees
twenty five lakhs.42
The issue that immediately springs up on an analysis of the provision is
whether it is appropriate to refer to the wrongful conduct represented in the
section as 'voyeurism' in the literal sense since 'observation' of the 'private
area' of persons is not criminalised. While this is understandable if one assumes
the circumstances under which the offence was introduced in the Bill43 as not
requiring such a provision, since it was not observation as such, which was the
concern at the time, but rather, capturing, transmitting and publishing the
image of private parts of an individual.
42 Id.
43 One of the main circumstances for the introduction of this provision was the DPS MMS scandal.
The scandal involved a video clip featuring two students from Delhi Public School, one of whom
recorded the video on his cellphone and distributed it to his friends; it was then forwarded to
others, eventually finding its way on to the internet and being listed for sale online. The episode
resulted in criminal proceedings being launched against the CEO of Baazee.com. See Avnish Bajaj v.
State, 2008 150 D.L.T. 769.
44 MINISTRY OF INFORMATION TECHNOLOGY, REPORT OF THE STANDING COMMITTEE (2006), 3 and 6,
available at http://www.naavi.org/cleditorial07/standingCommitteereportita2006.pdf (last visited
December 16, 2009).
An analysis of this section can be fractioned into the first and second clause,
the subject matter of each being considerably dissimilar with their own particular
complications. The section is comprehensive in that sub-clause (A) first
enumerates the methods by which the act is committed, the wrongful conduct,
as it were,48 and then proceeds to describe the potential damage that may be
caused by such acts. However, in the portion describing the likely damage, the
definition is restricted to cases linked to destruction of property or death of
individuals.49 While the clause also speaks of damage to essential supplies and
critical information infrastructure, there is no mention of damage to private
property. Using the generally accepted definition of cyber terrorism,50 it is clear
that damage need not be restricted to property belonging to the government.
So long as it induces fear in the minds of people, it may be regarded as terrorism.
Also, being a provision specific to cyber terrorism, it is surprising that the term
45 Section 67(1): A person commits an offence if- (a) for the purpose of obtaining sexual gratification,
he observes another person doing a private act, and (b) he knows that the other person does not
consent to being observed for his sexual gratification....
46 Section 162(1): Every one commits an offence who, surreptitiously, observes - including by
mechanical or electronic means - or makes a visual recording of a person who is in circumstances
that give rise to a reasonable expectation of privacy....
47 Supra note 9, at 62.
48 See Section 66F 1(A) (i), (ii) and (iii).
49 Section 66F 1(A):...and by means of such conduct causes or is likely to cause death or injuries to
persons or damage to or destruction of property or disrupts or knowing that it is likely to cause
damage or disruption of supplies or services essential to the life of the community or adversely affect
the critical information infrastructure....
50 'Unlawful attacks against computers, networks and the information stored therein, when done to
intimidate or coerce a government or its people in furtherance of political or social objective', Peter
Grabosky & Michael Stohl, Cyberterrorism, 82 REFORM 8 (Autumn, 2003).
51 Virtual property may include accounts, websites, virtual currency, virtual housing spaces and other
real estate in cyberspace, virtual pets, weapons and characters etc.
52 See Naavi, ITA 2000 Amendment Bill defines Cyber Terrorism, prescribes life sentence, BLOGGER NEWS
NETWORK (December, 2008), http://www.bloggernews.net/119157 (last visited December 10, 2009).
53 Section 66F 1(B):... knowingly or intentionally penetrates or accesses a computer resource without
authorisation... any restricted information, data or computer database... so obtained may be used to
cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of
the State....
54 Naavi, IT Acts Amendments and Cyber Terrorism, MERI NEWS (December, 2008),
http://www.merinews.com/article/it-act-amendments-and-cyber-terrorism/152449.shtml (last visited
December 8, 2009).
(vi) Sexually Explicit Content and Child Pornography (S.67A and S.67B)
55 E.g., in Australia, § 100.2(2)(h) and (i) of the Criminal Code Act (Cth), include the term
'electronic communication', to stress the increasing use of computers as a medium in terrorist
activities. The Criminal Code Act was amended by the Security Legislation Amendment (Terrorism)
Act, 2002.
56 Yee F. Lim, CYBERSPACE LAW: COMMENTARIES AND MATERIALS 353 (2007).
57 See Section 66F(2) of the IT (Amendment) Act, 2008 and Section 101.1(1) Criminal Code Act
(Cth).
58 Supra note 56, at 355.
the prohibited conduct as envisaged under the statute, and what class of persons
the law seeks to regulate, for lack of definiteness, the law may be regarded as
'void for vagueness'.63 The objective of a criminal statute is fairly simple, allowing
citizens to organise the affairs of their lives with the knowledge of acts that are
forbidden by the law, and the negation of this should logically be considered an
infirmity of the legal system.
The researcher has used the example of this doctrine to buttress the argument
that a criminal statute must be drafted with precision, leaving no room for
ambiguity, particularly with reference to phrases that enumerate classes of persons,
acts constituting an offence or a generic term that may be susceptible to multiple
interpretations. Thus, for example, the phrase 'gangster' when used in a penal
statute, may render the statute void, since the phrase is open to wide-ranging
interpretations, both by the court and the enforcing agencies.64
While there exist several such instances, the author would like to limit the
illustrations to this one specific case, merely to demonstrate the fact that mere
uncertainty in a single phrase of a hastily drafted statute could render the law
unconstitutional and void, thereby necessitating precaution in the framing of
penal statutes that are bound to affect a majority of citizens, as is certainly the
case with a statute regulating activities on the internet in a country as large as
ours.
IV. CONCLUSION
63 A. G. A., The Void for Vagueness Doctrine in the Supreme Court, 109(1) U. PA. L. REV. 67
(1960).
64 Lanzetta v. New Jersey, 306 U.S. 451 (1939); Edelman v. California, 344 U.S. 357 (1953).
certain liberties in action that make it easier to transgress laws, and with such
characteristics inherent to the environment, any regulatory mechanism or
legislative measure must seek to be comprehensive, clear and narrow in
interpretive scope.