Almost all of computer law (and there really is no such thing as computer law) is the placing of old wine into new bottles. For example, how do you “trespass” when there is no physical space? Is a userid and password a key or an ID? Is there a legal difference between a biometric authentication, which can be compelled to be produced, and a PIN, which may not be able to be produced? A recent case (p.11-12) in Wisconsin illustrates the “real/virtual” world dichotomy.
By all accounts in the record, Brian Barwick was not an ideal citizen. He repeatedly issued death threats to his ex-wife, stalked and harassed a woman he met online, and cursed and threatened the guardian ad litem for his children. He also violated his bond, harassed and intimidated others and … well, engenders very little sympathy.
Among the statutes his online activities invoked was a Wisconsin law that makes it a crime to commit “domestic abuse,” which is defined in the statute as:
(a) “Domestic abuse” means any of the following engaged in by an adult person against his or her spouse or former spouse, against an adult with whom the person resides or formerly resided or against an adult with whom the person has a child in common:
1. Intentional infliction of physical pain, physical injury or illness.
2. Intentional impairment of physical condition.
3. A violation of s. 940.225 (1), (2) or (3)[relating to sexual assault].
4. A physical act that may cause the other person reasonably to fear imminent engagement in the conduct described under subd. 1., 2. or 3.
The key part here is paragraph 4 – the commission of a “physical act” that puts someone in fear of imminent harm or threat. Is the sending of e-mail, posting of messages or chatting on Facebook a “physical act” that gives rise to liability under the statute?
The court had no problem finding that the sending of emails or the act of calling someone constitutes a “physical act” under the broad definition in the statute. Certainly, to send an email, make a call or post something online (or to cause someone else to do so) requires the actor to “do” something—and generally to “do” something physical: type at a keyboard, dictate to a voice recognition program or tell someone else to do so. A telephone threat requires certain physical acts—the act of dialing, the act of speaking, etc. Thus, the court found, consistent with the language and purpose of the statute, that sending a threatening email or making a threatening phone call were both “physical acts.”
But there’s another rule of statutory construction that comes into play here. If there is limiting language in a statute, we have to figure out what that limiting language means, and apply the purpose of that language.
Clearly, the Wisconsin legislature wanted to prohibit some but not all actions that caused someone to be in fear. Only those that were the result of a “physical act” which reasonably put the person in fear of harm are punished under subsection 4. So acts that cause someone to be in imminent fear that are not “physical acts” are not covered by subsection 4 (but might be by 1, 2 or 3).
A verbal threat requires a physical act of moving the larynx and epiglottis, but is not what most people would think of as a “physical act.” For the term physical act to mean something, we have to think of things that are not physical acts. Are there such things? Are there things that might put someone in fear but which are not “physical acts?” If there aren’t, then why did the legislature limit subsection 4 to “physical acts?”
These subtleties are important for the development and harmonization of internet law. The distinction between online and in-person is slowly eroding. Laws that require “in person” or in the presence of someone may or may not apply online. A statute that makes it a crime to knowingly expose one’s genitals “in the presence” of a minor may apply to streaming video, chat or email. If the harm intended to be prevented is the exposure of minors to images, then that makes sense. If the harm intended to be prevented is the physical act of coercion, then maybe not. Similar problems exist when we attempt to apply common law or statutory crimes such as assault or threats to the internet environment. Assault at common law is “an intentional act by one person that creates an apprehension in another of an imminent harmful or offensive contact. An assault is carried out by a threat of bodily harm coupled with an apparent, present ability to cause the harm.” It’s important to note that assault does not require actual physical contact, just an apprehension of physical contact—swing and a miss. Raising your hand to someone. Waiving a closed fist. But the online nature of certain threats removes the “imminent” threat component, since the parties may not be in the same physical space. And that matters in many cases.
The problem is, we are applying laws intended to deal with in-real-life (IRL) situations to situations that are not IRL, but are getting more and more similar to IRL. Distinctions between things tend to vanish or get blurred online. Who is liable for harm in a self-driving car crash? Does negligence law apply? Product liability? Software license agreements? Something else?
For security professionals, this means uncertainty about what the law says and what it means. GDPR and other privacy laws impose duties based on the location of the data subject and the data itself. Companies can be compelled to produce documents and records “in their possession, custody or control” no matter where these are located. Normal paradigms are shifting, shaking and dissolving. To paraphrase Gertrude Stein, “There’s no there there.”
Which is why, despite the fact that there’s no such thing as “internet law,” you need to consult with a lawyer who knows how to apply IRL law online. In a creative way. That helps you. Mostly. I’m saying all the things that I know you’ll like, making good conversation. I gotta handle you just right, You know what I mean? (Apologies to Olivia Newton John.)