Cyber Law

Legal base and institutions.

1. National framework of cyber law.
2. International foundations of cyber law.
3. Internet management.
4. Regulators.
5. Law enforcement bodies and mechanisms

National Framework of Cyber Law

Every country across the world has developed a dedicated national legal framework to govern cyberspace and address cyber activities within their territorial jurisdiction and apply to citizens. This cyber legal apparatus encompasses legislation, statutes, rules and codes that relate to various aspects of digital economy and online sphere. Some prominent domains that are covered under national cyber laws include (Centre for Internet & Society, 2021):

1. Data protection and privacy: Laws that govern individual privacy rights related to collection, usage, sharing and security of personal data by public or private entities. Eg. GDPR in EU, Privacy Act in Australia.

2. Cybersecurity: Legal duties around implementing reasonable cybersecurity controls, reporting data breaches, coordinated vulnerability disclosure etc. to ensure security in digital systems and infrastructure.

3. Ecommerce and digital trade: Legal recognition of electronic records and contracts for paperless transactions, enabling digital payments and regulated technology platforms.

4. Intermediary rules: Code of practices and due diligence expectations from technology companies and service providers (intermediaries) in managing content, safety and rights on digital platforms they run. 

5. Cybercrime: Substantive and procedural laws to deter and punish technology assisted crimes like hacking, denial of service attacks, identity theft, online scams and frauds through effective investigation, prosecution etc.

6. Intellectual property (IP): Framework to enforce IP rights like copyright, trademarks and patents with respect to content, brands, inventions and innovations in the online and digital context through remedies and dispute resolution.

7. Electronic evidence: Procedural guidelines around collection, analysis and presentation of evidence in digital form during court trials and legal proceedings in line with standards of due process. 

These set of cyber laws are codified through dedicated legislations on IT or cyber acts, amendments to existing statutes like Criminal Procedure Code, Indian Penal Code, along with sectoral rules framed by regulators. For instance, in India, the primary laws constitute Information Technology Act 2000/8, amended Indian Penal code, Code of Criminal Procedure 1973, data protection bill 2021 (Grover, 2022). In United States, major cyber laws span Computer Fraud and Abuse Act 1986, COPPA 1998, HIPAA 1996, and Digital Millennium Copyright Act 1998 inter alia updated from time to time (Goldman, 2022). Such legal instruments aim to achieve objectives like fostering of ecommerce and digital economy activity by securing public trust and confidence in technology driven services, preventing crime and abuse in online sphere through deterrence mechanisms and enables authorities to safeguard societal interests. 

The ultimate goals of national cyber legal frameworks are to facilitate orderly growth of digital economy by appropriately balancing interests of multiple stakeholders – government, businesses and citizens while effectively addressing attendant risks like cybercrime, privacy violations or disputes by putting in place substantial and procedural safeguards, proportionate liability and adequate remedies. The premise is that rule of law in cyberspace implemented through national regulations and international cooperation will promote responsibility of nations states in preserving free, open and secure internet ecosystem.

International Foundations of Cyber Law

While countries develop their own cyber legal templates and contours based on domestic priorities and imperatives, these national laws don’t evolve in isolation but are significantly influenced by developments in international laws, resolutions, conventions and model statutes. There is greater consensus that governance of cyberspace requires participation and alignment of nation states across the world within a cooperative rules based framework to effectively address cross border impacts of internet economy. Some of the key global instruments and institutions that shape national priorities and inform domestic legislations are:

1. The Budapest Convention on Cybercrime 2001: This is a binding multilateral treaty that provides an overarching intergovernmental framework for tackling cybercrime through fostering international cooperation. It serves as model legislation that many countries across the world including US, UK, France, Canada, Australia have closely adapted while formulating procedural aspects of their cybercrime laws concerning matters like preservation of digital evidence, access to stored computer data, real time collection of traffic data and interdiction (Walden, 2021). The Budapest regime mandates that countries establish nodal national authorities, designate law enforcement units and enable mutual assistance channels. As internet expanded globally, even non European nations are now acceding to join this Convention under the Council of Europe.

2. UN Resolutions on Cyberspace: Various United Nations statements and resolutions lay out expectations from member countries to promote peace and security by fostering responsible behavior of nation states in information and communications technology (ICT) context. For instance, the latest 2021 Open Ended Working Group (OEWG) report finalized after years long deliberations by governmental committee of experts outlines voluntary norms and principles in areas like international law and norms, human rights obligations, state responsibility, confidence building measures etc. that enjoy global consensus (Maurer, 2021). By crystalizing common ground, these documents provide a baseline to shape domestic actions and legislation initiatives. Similarly UN General Assembly resolutions on privacy in digital era or security of critical infrastructure set the discourse.

3. World Trade Organization (WTO) rules-based regime: Various WTO agreements especially General Agreement on Trade in Services (GATS) and Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS) have specific provisions pertaining to digital trade of relevance as more economic activity gets linked to cyberspace. For instance commitments under GATS mean countries need to provide national treatment and most favored nation status to foreign online service suppliers. Under TRIPS countries need to ensure minimum standards on IP protection in digital context. These have direct implications for national regulators and policy makers especially in areas like data flows, source code protection and dynamic technological protection measures (Burri, 2017). 

4. International Standards on Cybersecurity and Privacy: Various international bodies have issued widely accepted standards relating to personal data protection, privacy enhancing techniques, cyber risk management, IoT security etc which often serve as guidance for countries in devising their own national laws and regulations. These include ISO 27001 information security standard, most recent ISO 27701 privacy framework, standards published by groups like Institute of Electrical and Electronics Engineers (IEEE), International Telecommunication Union (ITU) etc which are reassuring indicators of security and trust for end users (Luther, 2022). So technical guidelines and compliance benchmarks formulated by consensus driven global standard setting organizations enable interoperability and also influence regulatory approaches.

Thus while individual countries have latitude in developing national legal instruments that meet domestic objectives, the need for predictability, reciprocity and cooperation necessitates paying attention to emergent international law in the Internet governance field, global consensus norms as well as alignment with premises of multilateral trading regimes. This facilitates greater harmonization across jurisdictions and strengthens collective response to borderless cyber threats.

Internet Management Architecture 

The institutional administration and day to day technical coordination of essential functions to ensure stable operations of the worldwide Internet rests with global multi-stakeholder organizations of non governmental nature representing various constituencies. The underlying principle for this governance model was that management of Internet’s naming and addressing architecture should be vested with private sector led structures having participation of public entities in advisory capacity, away from direct governmental or intergovernmental control in recognition of Internet’s inherently transnational character (Mathiason, 2009). Some of the key organizations discharging these responsibilities include:

1. Internet Corporation for Assigned Names and Numbers (ICANN): This private non profit entity based in California was formed in 1998 and undertakes overall administration of the Internet’s unique identifiers and associated policies through a bottom up, consensus driven, multi-stakeholder decision making process. Specific functions carried out encompass stable coordination of Internet Protocol addresses allocation, management of domain name system including oversight over root servers, country code and generic top level domains like .com or .org alongwith maintenance of WHOIS database of registrants (ICANN, 2022). While governments are a key stakeholder through the Government Advisory Committee (GAC), participation is voluntary and decisions reached through open community wide processes have bestowed legitimacy over technical governance of this global coordination platform. 

2. Internet Assigned Numbers Authority (IANA): This functions as one of the constituent units within overarching ICANN organizational structure. It is responsible for managing registry of unique protocol parameters, maintaining root zone file that enables functioning of DNS and overseeing allocation of blocks of IP addresses to five Regional Internet Registries encompassing the world (Number Resource Organization, 2022). By discharging these limited technical functions vital for Internet integrity in neutral and arm’s length capacity, IANA anchors trust in ICANN led management apparatus.

3. Regional Internet Registries (RIRs): These are autonomous regional bodies that through membership driven policies allocate Internet numbers resources like IPv4 and IPv6 addresses and Autonomous System Numbers in their designated regions the world across. The five RIRs include ARIN for North America, RIPE NCC for Europe, APNIC for Asia Pacific, LACNIC for Latin America and AFRINIC for Africa (Number Resource Organization, 2022). Working to serve needs of local internet communities through open, transparent processes, they provide crucial linkage for convergence of top down coordination with ground level vetted requirements.

4. World Wide Web Consortium (W3C): Formed in 1994, W3C is the global standards defining body for World Wide Web comprising governments, companies and civil society groups that enables convening of experts to discuss, design and set direction for long term growth of web (World Wide Web Consortium, 2022). Through community process, it publishes recommendations on web protocols, specifications and guidelines on accessibility, security and other technology building blocks that get updated periodically to retain relevance. By generating standards through consensus, W3C preserves the universal interoperability of web systems.

5. Internet Engineering Task Force (IETF): This trusted community driven standards organization facilitates technical dialogue and consensus formation among international network technology experts to produce high quality specifications of protocols and procedures that shape functioning of internet infrastructure (Internet Engineering Task Force, 2022). IETF acting through focused expert working groups has been prolific in developing foundational technology standards like IPv6, DNSSEC, ICMP, Border Gateway Protocol, Transport Layer Security etc by prioritizing pragmatic engineering-driven solutions.

Thus we observe that administration and standardization bodies with their respective niche roles together ensure technical coordination and universal acceptance needed for this decentralized global network of networks to retain its universal serviceability, resiliency and seamless interconnection capabilities. Even if they lack traditional legal sanction unlike national level regulators and enforcement agencies, through impartial participation, expertise driven standard setting and voluntary adoption mechanisms they enable pragmatic technological administration vital for continued functioning of Internet infrastructure. Their activities therefore have an indirect but deep impact on digital governance.

Key Sectoral Regulators  

While technical management bodies focus extensively on administration of critical internet resources and infrastructure elements like IP addresses, Domain Names System and standards development in vendor neutral capacity, governance of economic and social activities using Internet as platform requires appropriate regulatory responses from state agencies as they exercise territorial jurisdiction. Different countries have established sectoral regulators that supervise governance of specific industries from economic, legal and public interest standpoint relevant from Internet context. Some prominent regulators in this regard encompass (Marsden, 2011): 

1. Data Protection Authorities: These statutory agencies created under personal data protection legislations are empowered to enforce provisions governing individual privacy rights and lawful handling of personal data by public or private entities through oversight mechanisms like privacy impact assessments, audit of records and consent practices along with remedies like imposition of warning notices or penalties on infringing organizations. Within European Union, these authorities provide harmonized regulation under European Data Protection Board (EDPB) created under General Data Protection Regulation (GDPR) regime.

2. Telecom Regulators: Long standing legacy national telecom regulators implement enabling legislations governing telecommunication infrastructure which forms the backbone for internet and cyber networks. Key roles encompass licensing of service providers for international gateways, fixed line and wireless carriers, administering spectrum allocation through auctions, ensuring quality of service standards, regulating tariffs in consumer interest and mandating lawful interception capabilities. Example includes Federal Communications Commission (FCC) in United States and Telecom Regulatory 

Authority of India (TRAI).

3. Financial Regulators: These agencies establish regulatory architecture and supervisory mechanisms for banking systems and wider capital markets which is vital as financial sector witnesses extensive technology enablement impacting operations, products and services. Different regulators govern domains like banking, insurance, securities markets and payments systems based on national jurisdictions and oversight models. Eg. US Securities Exchange Commission (SEC), Reserve Bank of India (RBI). Many jurisdictions now have dedicated legislation for online financial activities and platforms like peer to peer lending networks, crowdfunding exchanges, third party payment services etc. which expand the ambit of financial regulators.  

4. Consumer Protection Agencies: These state bodies are tasked to promote interests and provide speedy redressal against exploitation for customers transacting over e-commerce platforms, internet based services like ride sharing apps or being profiled based on personal data harvested online by websites and connected devices. As technological transformation gathers momentum, the aim is to address unique risks arising for consumers in digital markets like unfair contract terms, opaque profiling algorithms or inadequate grievance mechanisms through legislative instruments like Digital Markets Acts being proposed across jurisdictions.

5. Competition or Anti-Trust Regulators: These autonomous statutory bodies under mandate from national competition laws ensure level playing conditions in relevant product and services markets through appropriate interventions regarding regulation of mergers and acquisitions, investigating abuse of market dominance or anti-competitive arrangements between enterprises. Advent of powerful technology firms and tendency towards lock-in effects enabled by network externalities mean these regulators have crucial role in assessing phenomena like predatory pricing, self-preferencing by platforms and evaluating conquest acquisitions especially involving nascent digital startups impacting innovation ecosystems.

Thus we observe that in response to pervasive adoption of internet mediated activities across economic and social realms, countries have empowered sectoral regulators to frame supplementary codes and instruments like regulations, practice directions, registrations under their rule making authority which translate legislative intent to guide behaviours and compliance of concerned stakeholders within their domain as they transpose activities over online medium. Their enforcement machinery relies on notifications, directions and sanctions permitted under parent legislations. This distributed governance landscape harnesses expertise needed for specialized oversight roles.

Law Enforcement Setup

While much governance activity relies on soft norms, benchmarking and self regulation codes alongwith calibrated regulatory responses from institutional state machinery, the imperative for deterrence mechanisms and stringent penalties prompted by grave legal violations or national security threats requires dedicated law enforcement apparatus encompassing detection, investigation and prosecution functions through an array of coercive instruments available under criminal jurisprudence. Across the world, typically cyber police units undertake prevention and investigation of technology facilitated illegal acts like unauthorized hacking, online frauds, phishing, ransomware and malware attacks, identity theft, while long term policy approaches focus on public awareness and joint collaboration with industry players. Based on severity and nature of violations, different enforcement agencies assume primary responsibility:

1. Cyber Police Units: Specially trained cyber police cells instituted in most countries tackle cybercrimes like hacking, online proliferation of abusive or illegal content, instances of bullying or impersonation arising through social media platforms alongwith various frauds executed by organized networks to dupe victims using phishing websites and emails, fake online marketplaces etc (Clough, 2015). They rely on specialized forensic data retrieval tools, preserve electronic evidence by securing compromised computer systems, undertake surveillance on the surface web and the dark web working closely with financial investigation units to monitor suspicious transactions on blockchain and cryptocurrencies used for money laundering.

2. Economic Offences Wings: These specialized agencies within criminal justice machinery initiated prosecution in multitudes of financial frauds, cheating, diversion and siphoning schemes involving national public sector banks facilitated through compromise of core banking software controls, tampering with SWIFT transaction messaging gateway or use of fictitious documents often in collusion between corrupt bank officers misusing access credentials and malicious outsiders. Forensic audit of software logs, recovering money trails and extradition assistance channels help tackle such transnational offenses.  

3. Intellectual Property (IP) Investigation Cells: Copyrights piracy through illegal streaming sites distributing movies or sports event broadcasts, sale of counterfeit luxury products on e-commerce sites misusing trademarks of renowned brands alongwith industrial espionage targeting confidential business information and source codes form key priorities for IP specialized enforcement units. China, Singapore and India established dedicated IP Crime units leveraging digital forensics, and global cooperation channels.

4. Prosecutors and Judges: Alongside regular courts, many countries like India, South Korea have also instituted dedicated fast track Cyber Appellate Tribunals or Cyber Courts to ensure specialized competence, speedy trial and imposed deterrence based sentencing against cyber law offenders. Judicial officers and prosecutors therein are encouraged to gain advanced training on issues like electronic evidence, data protection, cyber forensics and procedural aspects concerning trans-border cybercrime jurisdiction issues and international cooperation channels.  

Globally law enforcement agencies are coordinating closely with platforms like INTERPOL, Eurpol in Europe that connect national cyber crime cells via information sharing networks, collaborative training programs and through channels enabled under Budapest convention and bilateral mutual legal assistance treaties to tackle borderless nature of offenses by transnational organized criminal networks. Domestically, the operational efficiency of law enforcement hinges on appropriate constitutional safeguards and parliamentary oversight regarding exercise of coercive capabilities and surveillance functions while collecting evidence.

Conclusion

Thus we observe that a diverse, pluralistic range of institutional regulatory structures and policy frameworks spanning across international, regional and domestic dimensions based on respective comparative competencies collectively contribute towards governance of internet and ICT technologies. As cyberspace based activities witness deeper permeation across economic and social realms, this regulatory apparatus shall continually evolve in response to new issues at global internet governance fora and at national policy making arena towards preserving vital values like freedom of expression, individual privacy, prevention of societal harms, crime control and rights protection in digital age.