Let’s Get Physical – Online vs. In Real Life Law

Almost all of computer law (and there really is no such thing as computer law) is the placing of old wine into new bottles. For example, how do you “trespass” when there is no physical space? Is a userid and password a key or an ID? Is there a legal difference between a biometric authentication, which can be compelled to be produced, and a PIN, which may not be able to be produced? A recent case (p.11-12) in Wisconsin illustrates the “real/virtual” world dichotomy.

By all accounts in the record, Brian Barwick was not an ideal citizen. He repeatedly issued death threats to his ex-wife, stalked and harassed a woman he met online, and cursed and threatened the guardian ad litem for his children. He also violated his bond, harassed and intimidated others and … well, engenders very little sympathy.

Among the statutes his online activities invoked was a Wisconsin law that makes it a crime to commit “domestic abuse,” which is defined in the statute as:

(a) “Domestic abuse” means any of the following engaged in by an adult person against his or her spouse or former spouse, against an adult with whom the person resides or formerly resided or against an adult with whom the person has a child in common:
1. Intentional infliction of physical pain, physical injury or illness.
2. Intentional impairment of physical condition.
3. A violation of s. 940.225 (1), (2) or (3)[relating to sexual assault].
4. A physical act that may cause the other person reasonably to fear imminent engagement in the conduct described under subd. 1., 2. or 3.

The key part here is paragraph 4 – the commission of a “physical act” that puts someone in fear of imminent harm or threat. Is the sending of e-mail, posting of messages or chatting on Facebook a “physical act” that gives rise to liability under the statute?

The court had no problem finding that the sending of emails or the act of calling someone constitutes a “physical act” under the broad definition in the statute. Certainly, to send an email, make a call or post something online (or to cause someone else to do so) requires the actor to “do” something—and generally to “do” something physical: type at a keyboard, dictate to a voice recognition program or tell someone else to do so. A telephone threat requires certain physical acts—the act of dialing, the act of speaking, etc. Thus, the court found, consistent with the language and purpose of the statute, that sending a threatening email or making a threatening phone call were both “physical acts.”

But there’s another rule of statutory construction that comes into play here. If there is limiting language in a statute, we have to figure out what that limiting language means, and apply the purpose of that language.

Clearly, the Wisconsin legislature wanted to prohibit some but not all actions that caused someone to be in fear. Only those that were the result of a “physical act” which reasonably put the person in fear of harm are punished under subsection 4. So acts that cause someone to be in imminent fear that are not “physical acts” are not covered by subsection 4 (but might be by 1, 2 or 3).

A verbal threat requires a physical act of moving the larynx and epiglottis, but is not what most people would think of as a “physical act.” For the term physical act to mean something, we have to think of things that are not physical acts. Are there such things? Are there things that might put someone in fear but which are not “physical acts?” If there aren’t, then why did the legislature limit subsection 4 to “physical acts?”

These subtleties are important for the development and harmonization of internet law. The distinction between online and in-person is slowly eroding. Laws that require “in person” or in the presence of someone may or may not apply online. A statute that makes it a crime to knowingly expose one’s genitals “in the presence” of a minor may apply to streaming video, chat or email. If the harm intended to be prevented is the exposure of minors to images, then that makes sense. If the harm intended to be prevented is the physical act of coercion, then maybe not. Similar problems exist when we attempt to apply common law or statutory crimes such as assault or threats to the internet environment. Assault at common law is “an intentional act by one person that creates an apprehension in another of an imminent harmful or offensive contact. An assault is carried out by a threat of bodily harm coupled with an apparent, present ability to cause the harm.” It’s important to note that assault does not require actual physical contact, just an apprehension of physical contact—swing and a miss. Raising your hand to someone. Waiving a closed fist. But the online nature of certain threats removes the “imminent” threat component, since the parties may not be in the same physical space. And that matters in many cases.

The problem is, we are applying laws intended to deal with in-real-life (IRL) situations to situations that are not IRL, but are getting more and more similar to IRL. Distinctions between things tend to vanish or get blurred online. Who is liable for harm in a self-driving car crash? Does negligence law apply? Product liability? Software license agreements? Something else?

For security professionals, this means uncertainty about what the law says and what it means. GDPR and other privacy laws impose duties based on the location of the data subject and the data itself. Companies can be compelled to produce documents and records “in their possession, custody or control” no matter where these are located. Normal paradigms are shifting, shaking and dissolving. To paraphrase Gertrude Stein, “There’s no there there.”

Which is why, despite the fact that there’s no such thing as “internet law,” you need to consult with a lawyer who knows how to apply IRL law online. In a creative way. That helps you. Mostly. I’m saying all the things that I know you’ll like, making good conversation. I gotta handle you just right, You know what I mean? (Apologies to Olivia Newton John.)

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 32 posts and counting.See all posts by mark