The federal government created the interstate commerce commission in 1887 in order to

1887—The Interstate Commerce Act and the ICC

The Interstate Commerce Act of 1887 laid the foundation for antitrust law in the United States.4 In it, Congress established the Interstate Commerce Commission (ICC) and gave it authority to (1) review the management of interstate carriers, (2) examine the carrier records and documents, (3) sue the companies in federal court when the investigations warranted such lawsuits, (4) summon witnesses, (5) regulate rates and trade practices of the companies, and (6) outlaw price fixing. Price fixing, price setting, or pooling are terms that refer to the special rates, rebates, and price discriminations that the trusts have used against persons, places, or commodities. The focus of the Interstate Commerce Commission was to ensure fairness, efficiency, and the protection of the “public good” in interstate transactions.

2 Institutions that Regulate

The first American federal regulatory agency, the Interstate Commerce Commission, was created in 1887. It was unusual in that it established an agency independent of immediate control by ministers, responsible for making a framework of policy through trial-type procedures, with decisions that could be appealed to general jurisdiction courts (Baldwin 1985, p. 7). The United States' official regulatory procedure is more rule-oriented than those in other Western industrialized states, and courts are more deeply involved in making policy. The American system also allows for much more public participation and opportunity to argue against regulations both within an administrative agency and through courts after administrative agencies have decided.

After World War Two regulation in the United States became open to wider public participation. Administrative agencies must hold public hearings after announcing the topic of a rule they are considering. They must then justify the rule they issue according to the evidence they have. Often an organization concerned with the rule will bring the regulatory agency to court. Federal courts usually review the processes by which the rules were promulgated and decide whether the rule or decision is justified according to the evidence. What lawyers have won in the United States has been observed sometimes with horror, sometimes with envy in other nations.

Other nations do not rely so extensively on the equivalent of generalist courts to assess the procedures by which rules are enacted. The French have a specialized court that hears challenges to administrative decisionmaking, the Conseil d'Etat, or Council of State. The Conseil d'Etat is staffed with people who have built careers within administration; the purpose is to have a court that will take into account public purposes, or the interests of the state, in deciding cases brought by individual challengers. In Britain, practitioners in regulation were frustrated enough with how their general jurisdiction courts supervised administrative decisions that the state created a version of a specialized administrative court in the 1970s (Sterett 1997). Particular judges specialize in hearing complaints about administrators. The political justification for both courts is that specialization in administrative complaints will lead to sensitivity to public purpose and an awareness of what can go wrong in administration. Germany, also, relies on a specialized administrative court staffed by a trained civil service judiciary that lies above a system of specialized tribunals.

A further contribution to the complexity of regulation in the United States is the extent of interest group litigation. Interest group challenges to the general rules under which administrators work are far more numerous than in any other nation. However, social welfare groups have in recent years organized to challenge rules concerning immigration and environmental regulation in Western Europe. The expansion of standards via the European Court of Justice and directives via the European Union have made it more possible to challenge domestic regulation, or refusals to regulate, in Europe. Finally, cross national treaties or other agreements also shape domestic regulation, for example in ozone regulation (Braithwaite and Drahos 2000; Canan and Reichman 1993)

In most countries there are specialized courts between generalist courts or the upper level administrative court and front line administrators. These specialized courts usually include representatives of relevant sectors (e.g., employers and union representatives in labor tribunals) in their staff. Members of specialized courts are not always legally trained. Their procedures are often less formal than those of generalist courts, and those before them do not always have legal representation. The informality and discretion allowed most tribunals provides substantial opportunity for a slip between formal statement of government policy and its meaning in particular cases.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act of 1986 makes it a crime for anyone to access without authorization a computer or computer system used by a financial institution, US government agency, or any organization or individual involved in interstate or foreign commerce or communication. In addition to criminalizing many forms of computer hacking, intrusion, or actions that exceed authorized use, the law also addresses computer espionage, computer trespassing, committing fraud using a computer, or causing or threatening to cause damage to a computer [13]. Although the law focuses on behavior by outsiders against an organization or its computing infrastructure, it highlights the need for organizations to establish effective security controls and to monitor their own environments to protect against outside attacks and to ensure that none of its own computing resources are used in ways that would violate the law. The Computer Fraud and Abuse Act has been amended several times by subsequent legislation, increasing the number and types of actions considered crimes under the law and resulting in a broader definition of computers subject to its provisions. Because the statutory definition of “protected computer” includes any computing device used in interstate or international communication, the law can be interpreted to include mobile equipment such as cellular phones or other devices capable of Internet connectivity.

10.3.7 1998—Federal Internet Tax Freedom Act29

At the federal level, on March 23, 1998, a compromise version of the Internet Tax Freedom Act (ITFA) bill was introduced to the U.S. House of Representatives by Representative Chabot. The new bill proposed (1) reducing the six-year moratorium, proposed in the original version, to three years; (2) “grandfathering” some existing state and local Internet taxes; (3) establishing a Commission on Electronic Commerce to develop a “unified” tax structure for Internet transactions. The three-year moratorium would cover new or discriminatory taxes, such as taxes on Internet access to online services, email, bits, bandwidth, or other Internet-specific taxes. However, the bill would allow states to impose sales and use taxes if they were the same as those now levied on interstate mail-order and telephone transactions.

This was accepted and, seven months later, on October 21, 1998, the U.S. Internet Tax Freedom Act (ITFA) was signed into law. Its stated purpose is “To establish a national policy against State and local government interference with interstate commerce on the Internet or interactive computer services, and to exercise congressional jurisdiction over interstate commerce by establishing a moratorium on the imposition of exactions that would interfere with the free flow of commerce via the Internet, and for other purposes.”

With the Internet Tax Freedom Act (ITFA), Congress accomplished four important goals. First, it mandated that the Internet should be free of new federal taxes (§ 201), foreign tariffs, trade barriers (§ 202), and other restrictions (§ 203). Second, it created a three-year moratorium on state and federal taxes for Internet access, unless such taxes were imposed and enforced prior to October 1, 1998 [§ 101(a)(1)]. It also created a three-year moratorium on multiple discriminatory taxes on electronic commerce [§ 101(a)(2)]. These moratoria, however, contain two exceptions. They do not apply to any person or business who knowingly engages in selling or transferring material on the Web that Congress has deemed “harmful to minors” unless they provide certain procedures to restrict access by persons under age 17 [§ 101(e)(1)]. The moratoria also do not apply to Internet service providers (ISPs) that do not offer screening software to their customers designed to allow the customers to limit minors' access to “harmful material” on the Internet. Third, the ITFA established an Advisory Commission on Electronic Commerce (ACEC) to study the effects of taxation on trade and Internet commerce [§ 102], and fourth, required that the ACEC report its findings to Congress within 18 months of the enactment of the Internet Tax Freedom Act (ITFA) [§ 103]. To complete the report, the ITFA gave the e-commerce advisory commission reasonable access to materials, resources, data and other information from the Department of Justice, Department of Commerce, Department of State, Department of Treasury, and the Office of the United States Trade Representative. Surprisingly, the Internet Tax Freedom Act is a relatively short document containing only two Titles. Title I contains only four sections, entitled Moratorium, Advisory Commission on Electronic Commerce, Report, and Definitions. Title II contains only six sections: Declaration that Internet Should be Free of New Federal Taxes; National Trade Estimate; Declaration that the Internet Should be Free of Foreign Tariffs, Trade Barriers, and other Restrictions; No Expansion of Tax Authority; Preservation of Authority; and Severability.

Federal Regulation

Aside from the states' efforts to professionally regulate the security industry, the federal government, through both direct and indirect means, has had some input into this industry's current standing. Historically, private security's union/business activities, from the Molly Maguires to the Homestead Steel Strike, have forced national scrutiny of the industry.23 Recent events of paramilitary security contractors engaged in covert activities in the Middle East, especially in Iraq and Afghanistan only heighten this penchant for oversight. Through the opinions of the U.S. attorney general and congressional passage of the Anti-Pinkerton acts, private security has been the subject of continuous governmental oversight.24

The administrative agencies of the federal government, who extensively contract out for private security services, also influence private sector qualifications through their numerous requirements. These regulatory agencies have set standards on age, experience, education, and character:

Department of Homeland Security

Federal Aviation Administration

Department of Defense

Interstate Commerce Commission

Nuclear Regulatory Commission

Securities and Exchange Commission

Food and Drug Administration

Office of the Inspector General

General Accounting Office25

Federal legislation that impacts on private security practice is another means of regulatory control. Throughout the Clinton and Bush years, and certainly since the debacle of 9/11, various bills have been proposed to nationalize and standardize the security industry and its practice. In reaction to terrorism, Congress has enacted a host of measures that deliver security services in many contexts.26The Homeland Security Act of 200227 signifies a major reorientation in the legislative landscape. The mission of the Homeland Security Agency notes, “In technology and safety, rules and facilities practices, the security world has been turned on its head.”28 In addition, there is an expectation that private security companies and corporations will be active, cooperative players in the defense of a nation as to terror. The Department of Homeland Security (DHS) promotes the integration of private sector security firms working in conjunction with public law enforcement. More specifically, DHS erected a Private Sector Office and Outreach Group dedicated to these ends.29

The federal system entangles itself in all sorts of activities prompted by laws and legislation. Data collection, information gathering, and its maintenance are often the subject of federal legislation such as the following:

The Fair Credit Reporting Act30

The Freedom of Information Act

Polygraphs have also been the subject of congressional oversight with the passage of the Polygraph Protection Act of 198031 and the Employee Polygraph Protection Act.32 With extensive limitations on pre-employment screening and further encumbrances on internal investigations, employees and polygraph vendors see little promise in the future role of the polygraph,33 yet the statutes manifest a federal nervousness about the industry.

There is momentum for increased regulation, particularly since the terrorist attacks of 2001. At the federal level, The Law Enforcement and Industrial Security Cooperation Act of 1996 (H.R. 2996)34 was introduced, though it was not passed. H.R. 2996 encouraged cooperation between the private and public sectors. If passed, this bill would have been a solid step for the security industry to take toward an active role in opening the lines of communication with law enforcement and in turn, sharing ideas, training, and working in conjunction with each other, all indirectly influencing standards. The content of the proposed bill is instructive and certainly foretells an active future for the security industry. The rationale for bill adoption is fourfold:

Seventy percent of all money invested in crime prevention and law enforcement each year in the United States is spent by the private sector.

There are nearly three employees in private sector security for every one in public law enforcement.

More than half of the responses to crime come from private security.

A bipartisan study commission specially constituted for the purposes of examining appropriate cooperative roles between public sector law enforcement and private sector security will be able to offer comprehensive proposals for statutory and procedural initiatives.35

The Private Security Officer Employment Standards Act of 200236 represents formidable federal involvement.

The impetus for federal legislation is real and forceful. So much of what the industry does has grave consequences. Technical and electronic intrusions into the general citizenry, especially in the age of computers, raise many concerns. The private security industry must be attuned to legal and human issues that involve privacy. The industry must adopt policies and practices that achieve “a delicate balance between the forces of liberty and authority—between freedom and responsibility.”37

Regulatory Considerations

The United States Food and Drug Administration (FDA) seeks to regulate most stem cell therapies under the Biologics License Applications (BLA) process. BLAs are evaluated and regulated by the Center for Biological Evaluation and Research (CBER), which is one of the six main FDA centers regulating such products as vaccines, xenografts, and will most likely regulate the emerging field of gene therapies when commercial translation becomes viable. Under federal provisions, the BLA allows a commercial entity to introduce a biological product into interstate commerce per 21 CFR 601. Several key requirements must be met to fulfill the BLA process toward clinical readiness. Some of these factors include intended indication, product and manufacturing information (verification and validation matrices, failure mode and effects analysis, Good Manufacturing Practices (GMP) compliance), and preclinical investigation, study designs and results. With therapeutics of increasing complexity, mechanism of action can also be a constituent of the clearance process, and therefore studies must be designed that best elucidate not only safety and efficacy, but the means by which that efficacy is achieved.

Concerning implantable or injectable devices, the biomedical industry, inclusive of both manufactures and regulatory bodies alike, have looked to standardized testing strategies like ISO 10993 and its panel of biocompatibility tests. This testing regimen has been highly successful for supplementing regulatory approval with well-known in vitro and in vivo analyses. Where these tests particularly excelled was with materials eliciting limited biological activity such as metals, ceramics, or inert plastics. Additionally, some of the more inert extracellular matrix (ECM)-derived materials, like the purified collagens, have also had successes with this battery of tests, but increasingly complex biomaterials have presented challenges, raising questions of both patient safety and the validity of the tests regarding biologically active materials. In order to begin the standardization process in the cellular therapeutics space, high levels of collaboration will be necessary from regulatory bodies and researchers, both industrial and academic. Advancements to cell-based standardization will come as considerable benefit to the field as a whole.

The Development of OSHA

With the advent of improved safety conditions, accidents and injuries declined until the 1950s. In the late 1950s, rates leveled off until the late 1960s, when accidents and injuries began to increase. This upward trend caused the federal government to become increasingly concerned about safety. Several safety-related laws were passed during the 1960s, but none was as monumental as the federal law creating OSHA. OSHA stands for the Occupational Safety and Health Administration, a federal agency, under the U.S. Department of Labor, established to administer the law on safety and health resulting from the William Steiger Occupational Safety and Health Act of 1970. This federal legislation was signed into law by then-president Richard Nixon and became effective on April 28, 1971. The basic purpose of OSHA is to provide a safe working environment for employees engaged in a variety of occupations.

The OSHA act was significant because it was the first national safety legislation applying to every business connected with interstate commerce. Mason (1976: 21) notes: “The need for such legislation was clear. Between 1969 and 1973 [in the United States] more persons were killed at work than in the Vietnam war.”

The OSHA act of 1970, as amended, states the following (Occupational Safety and Health Administration, 2011a): “To assure safe and healthful working conditions for working men and women; by authorizing enforcement of the standards developed under the Act; by assisting and encouraging the States in their efforts to assure safe and healthful working conditions; by providing for research, information, education, and training in the field of occupational safety and health; and for other purposes.”

The Secretary of Labor via ten regional offices administers OSHA. The secretary has the authority and responsibility to establish occupational safety and health standards. Workplace inspections can result in citations issued to employers who violate standards (Occupational Safety and Health Administration, 2011b).

The National Institute for Occupational Safety and Health (NIOSH) performs numerous functions that aid OSHA and those striving for worker safety. These functions relate to research, the development of criteria and standards for occupational safety and health, training OSHA personnel and others (e.g., employers and employees), and providing publications dealing with both toxic substances and strategies on how to prevent occupational injuries and illnesses. NIOSH is under the Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services.

2 Poultry quality inspection

The inspection and the grading of poultry are two separate programs within the US Department of Agriculture (USDA). Inspection for wholesomeness is mandatory, whereas grading for quality is voluntary. The service is requested by poultry producers and processors.

American consumers can be confident that the FSIS ensures that poultry products are safe, wholesome, and correctly labeled and packaged. Under the Federal Meat Inspection Act and the Poultry Products Inspection Act, the FSIS inspects all raw meat and poultry sold in interstate and foreign commerce, including imported products. It also monitors meat and poultry products after they leave federally inspected plants. In addition, the FSIS monitors state inspection programs, which inspect meat and poultry products sold only within the state in which they were produced. The 1968 Wholesome Poultry Products Act requires state inspection programs to be equivalent to the Federal inspection program. If states choose to end their inspection program or cannot maintain this standard, the FSIS must assume responsibility for inspection within that state.

In its efforts to protect the safety and integrity of poultry products, the FSIS works with many other agencies within the USDA and other agencies, including state inspection programs, the Food and Drug Administration of the US Department of Health and Human Services, and the Environmental Protection Agency.

Since the Federal inspection program began, the poultry industry has grown and changed significantly. In the early 1900s, most meat was slaughtered and used locally; however, nowadays there is a wide variety of meat and poultry products on the market. Meat is slaughtered and processed in sophisticated, high-volume plants, and is often shipped great distances to reach consumers.

As the industry has changed, the FSIS has also changed the inspection program. In its early days the primary concern of the inspectors was disease, and they relied almost exclusively on visual inspection of animals, products, and plant operations. Since the mid-1970s, FSIS has been modernizing inspection to reduce costs and make it more scientifically-based. The requirements in the new final rule on Pathogen Reduction and Hazard Analysis and Critical Control Points (HACCP) are designed to minimize the likelihood of harmful bacteria being present in raw meat and poultry products. However, some bacteria might still be present and may become a problem if meat and poultry are not handled properly.

The FSIS inspector must have knowledge about the particular species inspected, and the carcasses must fit with the available equipment in the plant. In modern poultry plants, USDA-certified inspectors perform the whole inspection process. Individual, high-speed visual inspection of birds (35 birds per minute) is both labor-intensive, and prone to human error and variability. During the past decade, several studies have reported on the developments of automated inspection systems for poultry carcass inspection (Chen and Massie, 1993; Chen et al., 1996a; Park and Chen, 1996).

The Shape of the Challenge

Just as the shape of our technology has changed beyond all recognition since 1990, so too has the shape of the challenge. The almost unconstrained development of Internet-based connectivity can be seen, on one hand, as a phenomenological emancipation of the masses, an extension of the Civil Data Movement and the citizens’ entitlement to publicly held data (see (Sampson and Kinnear, 2010). On the other hand, the empowerment it has given others (particularly sovereign states) to abuse cyberspace has been cast as representing the “end of privacy” prompting a petition to the United Nations for a “bill of digital rights.”

Steering a predictably middle course, the UK strategy sets out the key—and, it is submitted, most elusive—concept within the document: that of a “vibrant, resilient, and secure cyberspace.” The aspiration must surely be right but how can resilience and security be achieved within a vibrant space run by computers? In terms of both computers and our reliance upon them, we have moved so far from the original notion of boxes, functions, commands and programs, along with the consequences that can be brought about by their use, that a fundamental re-think is needed.

So what—and where—is cyberspace? Much has been written recently on the threat, risk and harm posed by “cybercrime,” “e-crime,” “cyber-enabled” criminality but the legislation has been left a long way behind. The EU has a substantial number of workstreams around its “Cybersecurity Strategy” and its own working definition of “cyberspace” though its own proposed Directive has no legal definition but rather one for Network and Information Security to match the agency established in 2004 with the same name. In the United Kingdom, a parliamentary question in 2012 asked the Secretary of State for Justice how many prosecutions there had been for “e-crime” in the past 5 years. In response, the Parliamentary Under Secretary of State gave statistics for ss 1(4), 2 and 3(5) of the Computer Misuse Act while the correlative Hansard entry uses the expression “cybercrime” in its heading.

Wherever it is, constitutional lawyers around the world have wrestled with the applicability of their countries’ legislation with the borderlessness of the virtual word of the Internet; the application of “analog” territorial laws to the indeterminable digital boundaries of the infinite global communications network is, it seems, proving to be too much for our conventional legal systems. Here is why.

When it comes to interpreting and applying law across our own administrative jurisdictional boundaries, an established body of internationally agreed principles, behavior, and jurisprudence has developed over time. Some attempts have been made to apply these legal norms to cyberspace. For example, the International Covenant on Civil and Political Rights sets out some key obligations of signatory states. In addition, activities executed within or via cyberspace should not be beyond the reach of other community protections such as those enshrined in the European Convention of Human Rights or the EU Charter of Fundamental Rights, particularly where issues such as online child sexual exploitation are involved. The first basic challenge that this brings however, is that of jurisdiction.

Cottim has identified five jurisdictional theories and approaches in this context, namely (Cottim A. 2010):

Territoriality theory: The theory that jurisdiction is determined by the place where the offence is committed, in whole or in part. This “territoriality theory” has its roots in the Westphalian Peace model of state sovereignty that has been in place since 1684 (see Beaulac, 2004, p. 181). This approach has at its heart the presumption that the State has sovereignty over the territory under discussion, a presumption that is manifestly and easily rebuttable in most “cyberspace” cases.

Nationality (or active personality) theory: Based primarily on the nationality of the person who committed the offence (see United States of America v. Jay Cohen; Docket No. 00-1574, 260 F.3d 68 (2d Cir., July 31, 2001) where World Sports Exchange, together with its President, were defendants in an FBI prosecution for conspiracy to use communications facilities to transmit wagers in interstate or foreign commerce. The defendants were charged with targeting customers in the United States inviting them to place bets with the company by toll-free telephone call or over the Internet). While the Antiguan Company was beyond the jurisdiction of the court, the President was a US citizen and could, therefore, be arraigned before an American criminal court.

Passive personality theory: While the “nationality theory” deals with the nationality of the offender, the “passive personality theory” is concerned with the nationality of the victim.

In what Cottim calls “the field of cybercriminology,” a good example of this jurisdiction assumption can be seen in a case where a Russian citizen who lived in Chelyabinsk, Russia was sentenced by a court in Hartford Connecticut for hacking into computers in the United States.

Protective theory: Cottim’s “protective theory” (also called “security principle” and “injured forum theory”) deals with the national or international interest injured, assigning jurisdiction to the State that sees its interest—whether national or international—in jeopardy because of an offensive action. Cottim sees this rarely used theory as applying principally to crimes like counterfeiting of money and securities.

Universality theory: In his final theory, Cottim identifies the approach of universality based on the international character of the offence allowing (unlike the others) every State to claim of jurisdiction over offences, even if those offences have no direct effect on the asserting State. While this theory seems to have the most potential for applicability to cyberspace, there are two key constraints in the way it has been developed thus far. The first constraint is that the State assuming jurisdiction must have the defendant in custody; the second is that the crime is “particularly offensive to the international community.” While this approach has, Cottim advises, been used for piracy and slave trafficking there is considerable practical difficulty in defining the parameters of the universality approach even in a conventional context and the possibility of extending it to cover cyberspace offending and activity is as yet unexplored.

When it comes to conventional extra-territorial challenges, the device of focusing on key elements such as the nationality of the offender and the geographical location of the causal conduct or consequent harm has produced some successful prosecutions for (and perhaps thereby deterred) some conventional cyber-enabled offending. For example, Cottim cites a case where the Managing Director of CompuServe Information Services GmbH, a Swiss national, was charged in Germany with being responsible for the access—in Germany—to violent, child, and animal pornographic representations stored on the CompuServe’s server in the United States. The German court considered it had jurisdiction over the defendant, although he was Swiss, he lived in Germany at the time. The Amtsgericht court’s approach has been criticized as not only unduly harsh but as unsustainable and it is difficult to argue with Bender who says “it must be noted that the ‘law-free zones’ on the Internet cannot be filled by a ruling like this, but need a new self-regulatory approach” (Bender, 1998).

In some cases litigants also use the jurisdictional differences to argue down the gravity of the sanction or the extent of their liability, particularly where the perpetrator from one jurisdiction brings about consequence in another. A good recent example is Klemis v Government of the United States of America [2013] All ER (D) 287 where the UK defendant allegedly sold heroin to two men in Illinois, USA. One of the men subsequently died and raised questions at the point of sentencing as to how the different legislatures in the two jurisdictions had set the requirements for the relevant actus reus (criminal act) and the mens rea (culpable state of mind) differently. Another recent example of trans-jurisdictional friction is Bloy and Another v Motor Insurers’ Bureau [2013] EWCA Civ 1543. In that case a road traffic collision in the United Kingdom had been caused by a Lithuanian national who had been uninsured at the time. The Motor Insurers’ Bureau is the UK compensation body for the purposes of the relevant EU Directive and was obliged to pay compensation where a UK resident had been injured in a collision in another Member State caused by an uninsured driver. In such cases, the Directive enabled the Bureau to claim reimbursement from the respective compensatory body in the other Member State. However, under the domestic law of Lithuania the liability of the compensatory body was capped at €500 k. The Bureau argued that its liability to pay the victim should be capped by Lithuanian domestic law even though the collision happened on an English road.

Clearly the challenges of unauthorized access and use of data obtain; so too do the jurisdictional challenges of locus of initiators and consequences. However, these have to be understood in the context of the much more pernicious and truly viral threats such as denial of service attacks, malware, data espionage and what Cottim calls the scareword of “cyber-terrorism” which has now become formally adopted by many law enforcement agencies, politicians and commentators. The reality is that, with the requisite knowledge and motivation, a teen with a laptop can alter the “use by” dates on food products in a packing plant on the other side of the world, or command the central heating system of a neighbor’s Internet-connected home to overheat, or send the traffic lights in a far away city into a frenzy. The further reality is that the wattle-and-daub constructs of conventional law making in common law countries, along with their correlative law enforcement practices, will not provide the answer to these threats and risks and even staples such as “crime scenes” and “perpetrators” are no longer adequate within the new frontier of cyberspace.

However, it is not just the domination and manipulation of cyberspace by criminals that has caused public concern. The aftermath of the Edward Snowden revelations about intrusive governmental espionage demonstrated that cyberspace is regarded as a potentially perilous place by private users not just in fear of becoming victims of remote criminality. There is also a real fear that the technological environment allows state agencies to operate in highly intrusive yet anonymous and unaccountable ways, prompting the CEOs of some of the world’s leading IT companies to write an open letter to the President of the United States demanding reform of cyberspace surveillance based on a series of overarching principles that guarantee the free flow of information yet limit governmental authority and impose a substantial degree of oversight (Armstrong et al., 2013).

What then is the size of the challenge presented by this amorphous construct of cyberspace?

Computer crime laws in the United States

There are several federal laws in the United States that deal with the security of data at rest and in transit on a digital device. In this section, a few of the most common laws on digital crime are outlined, with a brief description of each.

At the federal level, the U.S. Department of Justice (DOJ) divides computer crime into three distinct areas, two of which have broad application to the types of crimes involved when compromising a mobile device. The two areas are (Country, n.d.) the following:

Computer Fraud and Abuse Act (CFAA): The CFAA focuses on attacks against computers of government and financial institutions or computers involved in interstate or foreign commerce. The Act covers both narrow areas such as accessing computers without proper authorization to gain data related to national security issues and more broad sections such as accessing a computer without proper authorization to fraudulently gain something of value. The CFAA was amended by the National Information Infrastructure Protection Act to cover new abuses and also those intending to commit the crimes.

Electronic Communications Privacy Act (ECPA): The ECPA is another law covering computer crimes, which makes it illegal to intercept stored or transmitted electronic communication without authorization. The ECPA contains several key areas:

Communication in transit including oral, wire, or electronic communications (Wiretap);

Data at rest (Stored Communication Act), which protects data stored on nonvolatile memory;

Collecting communication metadata such as phone numbers, IP addresses, and other data used to route communication (but not the message itself). This is called the “pen registers and trap and trace devices,” which refers to the actual devices and techniques used to capture the information.

Cyber Security Enhancement Act (CSEA): Passed along with the Homeland Security Act in 2002, the CSEA permits an Internet service provider (ISP) to disclose customer information to a government agent if there is reason to believe that the information is related to a serious crime. This way, law enforcement officers can gain access to this information without having to wait for a warrant as previously required by the ECPA (SANS Institute, 2004).

Digital Millennium Copyright Act (DMCA): Enacted in 1998, the DMCA includes a section on “Circumvention of Technological Protection Measures.” This portion of the document prohibits the circumvention of copyrighted technology. The act is reviewed every three years to determine whether specific technologies remain applicable (SANS Institute, 2004). As it relates to the iPhone, the DMCA originally prohibited users from jailbreaking an Apple device, as the process involves bypassing and modifying the standard firmware partition. In 2010, it was determined that jailbreaking a device was exempt from the DMCA.

In addition to federal and state laws which criminalize computer crimes, a host of regulatory bodies govern corporations who operate in industries that deal with sensitive data. Many of the regulations provide not only specific guidelines and requirements the firms must follow but also civil and criminal statutes with both financial penalties and, in the most serious cases, incarceration. A list of the better-known regulations includes the following:

Payment Card Industry Data Security Standard (PCI)

Health Insurance Portability and Accountability Act (HIPAA)

HITECH Act Enforcement Interim Final Rule (additions to HIPAA)

Federal Information Security Management Act (FISMA)

Family Education Rights and Privacy Act of 1974 (FERPA)

Gramm–Leach–Bliley Financial Services Modernization Act of 1999 (GLBA)

Sarbanes Oxley (SOX)

This section covered only briefly the laws related to computer crimes. However, it should be clear that there are laws designed to protect data both in transit and at rest.