With technology advancing every day, Ceri Davis of 36 Commercial explores the importance of mastering the language of cyber law
You are standing in the middle of your kitchen: how do you make a sandwich?
Most answers will fail to take into account the numerous and critical processes involved in what, on the face of it, seems like a simple task. They will neglect to address where the bread is stored, how you get there, how you access the bread etc. Writing computer software requires precision and breaking activities down into their constituent parts. That level of granular and analytical detail is vital to understanding and speaking the language of cyber law.
What is Cyber Law?
First, however, you need to understand what cyber law is.
At its most basic, it is any litigation, case or legal issue that is affected or impacted in any way by computers or technology. However, with continuous technological advances, data and technology are increasingly the subject matter of disputes or the key to resolving them. It is this form of cyber law that requires special consideration by practitioners and the courts. Traditional rules and remedies need to be adapted and refined in order to apply them to these developing areas. Therefore, the language of cyber law includes ‘black letter law’ and existing legal concepts. However, simply understanding these is not enough. To understand and speak the language of cyber law it is essential to understand technology and the concepts and terminology that govern it.
Common misconceptions about technology are rife, and they engender fear, uncertainty and doubt (aka FUD) about technology itself and those who use it. In seeking to understand and speak the language of cyber law, it is crucial to understand and vanquish these common misconceptions.
For example, the colloquial use and understanding of the word ‘hacker’ is a distortion of its original, and still commonly used, meaning. Although typically understood to mean someone who gains unauthorised access to, or compromises, a computer system, the word ‘hacker’ was originally used to describe “a person who delights in having an intimate understanding of the internal workings of a system”, particularly computers and computer networks (defined by the 1993 Internet Users’ Glossary, RFC 1392). ‘Cracker’ or ‘attacker’ are the more ‘technically correct’ and less ambiguous terms for an individual with nefarious intent.
The ambiguity of ‘hacker’ has the potential to cause confusion about the nature of not-for-profit voluntary ‘hackathon’ events such as ‘NHS Hack Day’ or ‘Hack the Police’. Contrary to what the names might suggest to many, these events are not attempts to gain unauthorised access to or compromise NHS or police systems. Rather, individuals in the technical community get together with individuals from the NHS/police to find innovative technological solutions to problems they face. Such solutions have included a phone application decision-tree for out-of-court disposals that police officers can use in the field, and software that helps haematologists count cells (rather than having to use a manual tally counter).
Misconceptions not only apply to the definitions of words, but also the expectations and associations that they engender; for example, the concept of ‘intelligence’ in ‘artificial intelligence’ (AI). Hollywood portrays AI as human brain equivalents: unconstrained systems with limitless adaptable intelligence that can learn without being specifically taught and eventually take over the world. Such AI is, and is likely to remain for the foreseeable future, fiction. Examples of real-world AI are the voice processing systems in Siri and Alexa, and systems for flagging inappropriate content online or assisting radiologists to detect potential tumours in X-rays. These systems have learnt how to carry out specific tasks, but they are constrained by what they have been explicitly taught: they do not have the flexibility or adaptability of human intelligence.
Another example is the phrase “you should consider your systems compromised”. Someone unfamiliar with technical parlance could take this phrase out of context and view it as a threat. However, in the aftermath of a potential security incident, it simply represents a statement of good security practice: if an incident may have occurred, it is considered good practice to act as though one definitely has. Thus context and understanding are key.
Precision is Paramount
In The Sorcerer’s Apprentice in Disney’s Fantasia, Mickey Mouse enchants a broom to fetch water for the cauldron. It is soon overflowing, but the broom does not stop. Mickey is only saved by the sorcerer’s return. The story shows how insufficiently precise instructions had unintended consequences: the broom did not stop filling the cauldron once it was full because Mickey did not tell it to; he only showed it how to fetch water and fill the cauldron.
Precision is vital when writing code in order to relay the correct instructions. Similarly, precision is paramount in the language of cyber law. Not only is an understanding of legal and highly technical terminology and concepts required, but they must also be used and deployed correctly to ensure that what is said and done is feasible and has the intended consequences.
There are two important High Court decisions that highlight this point: AA v Persons Unknown and Ors  EWHC 3556 (Comm) and Ion Science Limited v Persons Unknown (unreported, 21 December 2020).
The UK Jurisdiction Taskforce’s legal statement on cryptoassets and smart contracts (“the legal statement”) states that whether English law would treat a particular cryptoasset as property ultimately depends on the nature of the asset, the rules of the system in which it exists, and the purpose for which the question is asked. In general, however, cryptoassets are to be treated in principle as property (emphasis mine). This suggests that, although the presumption is that cryptoassets are property, there may be circumstances where cryptoassets (or a particular type of cryptoasset) should not be treated as property, and it will be a matter of analysing and deciding on a case by case basis.
In AA v Persons Unknown and Ors, the court had to consider whether Bitcoin could be the subject of a proprietary injunction. The court concluded “that a crypto asset such as Bitcoin are property” (sic) and that “[…] for the reasons I have given, as elaborated upon in the Legal Statement which […] I consider to be an accurate statement as to the position under English law, I am satisfied for the purpose of granting an interim injunction in the form of an interim proprietary injunction that crypto currencies are a form of property capable of being the subject of a proprietary injunction” (para ).
Several observations can be made:
- For the purpose of the matter before it, the court only needed to consider the proprietary status of Bitcoin. Bitcoin is a subset of cryptocurrencies, which are a subset of cryptoassets. The court’s conclusion, however, related to all cryptocurrencies, irrespective of any differences between them, either in terms of their natures or the rules of the systems in which they exist.
- The court considered the purpose for which the question as to the proprietary status of Bitcoin was being asked. However, it did not consider the nature of Bitcoin (or cryptocurrencies generally), or the rules of the system/s in which it/they exist, to determine whether Bitcoin/cryptocurrencies should be treated as property (as per the indication in the legal statement).
- The court’s conclusion that cryptocurrencies are a form of property appears to have been only for the purpose of an interim proprietary injunction. However, this judgment has been subsequently cited as authority for the general proposition that cryptoassets are property under the law of England and Wales.
- The legal statement provides that cryptoassets are to be treated in principle as property, and courts have used this conclusion and the reasoning as a basis for determining that cryptoassets are in fact property. However, as outlined above, the legal statement appears to present a presumption as to the proprietary status of cryptoassets and it is for the courts to determine whether a particular cryptoasset is in fact property. If this analysis is not conducted, broad categories of cryptoassets risk being classified as property when their natures or the rules of their systems do not necessarily support such a conclusion.
In Ion Science Limited v Persons Unknown, the court considered the lex situs of cryptoassets and stated that it is the place where the person or company who owns it is domiciled. This is somewhat confusing considering the technical aspects of cryptoassets.
As per the legal statement, cryptoassets are not transferred, unchanged, from one person to another: a new cryptoasset is created on transfer and the transferor’s cryptoasset is regarded by the consensus as spent or cancelled. Further, as cryptoassets are controlled and transferred by use of the private key, the person who has knowledge and control of the private key is generally considered the owner of the associated cryptoasset.
Consequently, if cryptoassets are obtained through fraud (as in the case of Ion Science), or used to meet a ransomware demand (as in the case of AA), in both the technical and legal title sense the fraudster/attacker owns the cryptoassets and the victim’s cryptoassets are considered spent/cancelled.
It is said that cryptoassets are held on trust in fraud and ransomware cases. Therefore, it may be more appropriate to say that the lex situs is the place where the person or company with beneficial ownership is domiciled. That formulation is, however, problematic where beneficial and legal ownership rest together. For example, two individuals may have the private key and be domiciled in different jurisdictions, or a private key may be split between two or more people by virtue of a secret sharing algorithm and they have to act in concert in order to deal with the cryptoasset. Who ‘owns’ the cryptoasset in these circumstances to determine the lex situs? As these questions come before the courts, specific, rather than general, principles may emerge to ensure legal and technical precision.
The Language of Cyber Law
The language of cyber law is complex and highly technical, which is why expert legal advice should always be sought when faced with cyber litigation. It is, however, like learning any other language: it gets easier once you learn the basic rules.
So, you are standing in the middle of your kitchen: tell me again, how do you make a sandwich?
This article was first published in the New Law Journal, 25 June 2021, Issue 7938: https://www.newlawjournal.co.uk/content/cyber-law-language-matters