Law and Data Security - a growing compendium

Tags: privacy, compliance, policies, glba, sox, iso-27001, gdpr, law


This is a wiki page of loose ideas, and not legal advice in any form or of any kind. Please verify the information and ideas independently.

Some of these paragraphs contain independent background research I did for reports and projects. Some contain a motivating portion of irony.

I want to put emphasis on European law and EU initiatives. In the future we are going to see more regulators and institutions embracing the “cyber-security” sector.
It’s important that we as security professionals, within our various disciplines, learn how to have a proper dialogue and how to seek cooperation to shape the new initiatives. But it’s also important that we understand the limits of regulation and the true intentions of clients who are faced with compliance requirements.

If you want to contact me, please send an eMail to marius - at - because-security.com. I am happy to correct an error or inconsistency, or to add references. This is a wiki posting, which is open for changes and extensions.
Corrections are necessary.




Motivation: ASCII Lady Justice

The following image shows Lady Justice as ASCII art. I created it as a cover to show the meeting of law and emerging technologies.

ASCII art originates from a time when computer technology was much less developed. Sometimes it seems that the law has been able to catch up. Sometimes it seems that it hasn’t.

Computer intrusions - unauthorized computer access.

With the term computer intrusion I describe acts which either elevate assigned privileges or lead to break-ins, where perpetrators gain unauthorized computer access.
Both can lead to data theft, and to the loss of confidential data or intellectual property.

Computer Fraud and Abuse Act (CFAA) and LIBE

The US Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) punishes “computer hacking”: accessing a computer without authorization or exceeding authorized access, and causing damage to it. It is a federal criminal statute that also provides a civil cause of action. Trespass-to-chattels, by contrast, is a common-law tort that is pleaded in civil cases and is not part of the CFAA.

Within the EU the European Parliament’s LIBE committee (Civil Liberties, Justice and Home Affairs) works on harmonising the member states’ computer-crime laws, so that computer crimes can be pursued more effectively across borders; the result is comparable in scope to the CFAA (see Directive 2013/40/EU on attacks against information systems).

  • The CFAA does not punish eavesdropping; interception of communications falls under the Wiretap Act (see below).
  • Damage, defined in the CFAA as any impairment to the integrity or availability of data, a program, a system or information, is covered by § 1030(a)(5).

Trespass-to-chattels does not require hacking or intrusions. It may apply to unauthorized use of a system (search engine abuse, DoS via remote function calls…), but the use must be unauthorized and, in most courts, must cause some actual harm or impairment to the system.

The CFAA applies outside the US as well, since Section 814 of the USA PATRIOT Act extended the definition of “protected computer” to computers located outside the US, as long as interstate or foreign commerce or communication of the US is affected.

Germany - EU nation-state CFAA equivalent

In Germany § 202a StGB (Ausspähen von Daten, data espionage) applies to offences related to illicit data access by means of a computer intrusion, and can be associated with the CFAA.

One key difference is that the preparation of an illicit computer intrusion is itself punishable in Germany under § 202c StGB (Vorbereiten des Ausspähens und Abfangens von Daten), which applies in conjunction with the other paragraphs; this is the provision often referred to as the “hacker paragraph”, since it covers the production and distribution of tools intended for such offences.

Disruptions of computer technology are defined in § 303b StGB (Computersabotage), but the paragraph mainly talks about data processing. In the legal documents and literature I have seen, this paragraph is not used to charge for damage to hardware.

I think Germany can benefit greatly from the LIBE draft, since some of the noted paragraphs are ambiguous and not organized very well.

References

Please note that a complete discussion of the various acts and paragraphs, which are relevant in this context, is out of scope.

{1} Trespass-to-chattels cases, EFF wiki.

{2} University wiki page on HDD forensics and German law.

Wiretapping, eavesdropping - unauthorized communication interception and recording

With the term wiretapping I describe the unauthorized real-time interception of a private communication. This can be anything: fax, telephony or, generally, computer network traffic. The term wiretapping is usually used in connection with the technical means of eavesdropping.

For authorized law enforcement activities I tend to describe observation activities with the term “digital observation”. In rare cases I read the term wiretapping in a law enforcement operations context, but usually only where certain formalities are lacking.

US Wiretap Act, Stored Communications Act

Violations of the Stored Communications Act are subject to civil and criminal liability.

The I.) Wiretap Act (18 U.S.C. §§ 2510–22, Title I of the ECPA) prohibits the intentional interception of any “wire, oral or electronic communication” in transit; the II.) Stored Communications Act (18 U.S.C. §§ 2701–12, Title II of the ECPA) covers communications at rest with a service provider, such as stored eMail.

The Wiretap Act is a foundation of communication privacy and electronic surveillance law, because it establishes a judicial process by which law enforcement officials may obtain lawful authorization (a wiretap order) to conduct their observation work. It prohibits electronic surveillance by private individuals, with a few exceptions, the most important one being the consent of a party to the communication (under federal law one party’s consent suffices; some states require all parties to consent).

The Wiretap Act makes exceptions for service providers acting within the ordinary course of business, e.g. for operating and protecting the service. This does not extend to a provider tracking and identifying individuals for unrelated purposes, such as their political views.

EU in the middle: eavesdropping, wiretapping and digital observations

This section is not ready.

Germany - StPO - EU nation state example

In Germany the StPO (Strafprozessordnung, code of criminal procedure) deals with law enforcement powers related to the seizure of evidence and lawful searches (with a warrant). It also defines which kinds of assets can be seized to enable a forensic investigation.

  • Traditionally Germany makes a clear distinction between law enforcement and service providers.
  • Unauthorized data modifications fall under § 303a StGB (Datenveränderung).
    • The modifications include deletion, which can also result in further charges, depending on the intent.
  • § 263a StGB deals with computer fraud in this context, § 268 with the forgery of technical records and § 269 with the forgery of data intended to provide proof (illicit data modifications with legal relevance).
References

Please note that a complete discussion of the various acts, which are relevant for law enforcement in this context, is out of scope.

{1} A comparison between US and EU data protection legislation for law enforcement purposes, study commissioned by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE)

{2} Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace, Book by Todd G. Shipley, Art Bowker

{3} Data protection in the electronic communications sector, Directive 2002/58/EC, Directive 2009/136/EC and related EU acts, EU law publication from 2014.

The Law Of Data Privacy

To start, I would like to dispel the myth that “no one ever gets fined because of data privacy violations” or the myth that “it’s a dead law”.

Companies can get fined by national regulators. The fines are proportional. If you read that the GDPR, as the data protection law in Europe, is associated with multi-million Euro fines (the upper limit is EUR 20 million or 4 % of worldwide annual turnover, whichever is higher), you need to see that relative to the size of the potentially affected business.

In many instances I have read about, law enforcement and the military are excluded. Under EU law, processing by police and criminal justice authorities falls under a separate instrument (Directive (EU) 2016/680) rather than the GDPR, and national security is outside the EU’s competence altogether.

  • The foundation of privacy is to be found in the United Nations Universal Declaration of Human Rights (Articles 12, 19 and 29) from 1948, which was set up just after World War II. This is an important piece to understand, given the experiences of that period.
  • The European Convention on Human Rights (Articles 8, 10.1 and 10.2) from 1950 re-emphasizes privacy as well.

In many regards Data Privacy is a consequence of these two corner stones. In this section I focus on Data Privacy in the EU, and keep references to US laws short.

Data Privacy In The US

Another myth is that the USA does not have any data-protection laws. Unless you are an intelligence agency within the military, like the NSA, several acts apply effectively. - The NSA is not a law enforcement agency.

The Electronic Communication Privacy Act (ECPA) from 1986 restricts unauthorized disclosure of electronic messages, such as eMail or Electronic Data Interchange (EDI).

US Data Privacy Silos

This section is not ready.

Traditionally in the US privacy law is split in silos:

  • GLBA (Gramm-Leach-Bliley Act) applies to financial products, enforced by the FTC
  • HIPAA (Health Insurance Portability and Accountability Act) covers mostly entities which deal with medical data, enforced by the HHS’ Office for Civil Rights
  • FISMA (Federal Information Security Management Act) - for government data
  • COPPA (Children’s Online Privacy Protection Act) - data from children under 13

There are cases of exceptionally high fines, related to HIPAA and GLBA.

Data privacy law gets enforced to protect consumers and to answer concerns citizens have related to data profiling for example. But it applies proportionally.

References

Please note that this section is kept short due to the emphasis on EU law in this wiki post.

EU Data Protection Regulation - the GDPR

GDPR stands for General Data Protection Regulation. Unlike its predecessor, the 1995 Data Protection Directive, it is a regulation and applies directly in the member states. It contains a bulk of legal requirements which affect businesses within the EU / EEA; EU / EEA will be expressed as EU in the following. It’s important to mention that EEA states are affected by the GDPR.

Business entities outside of the EU which offer goods or services to individuals in the EU (irrespective of whether payment is required), or which monitor the behaviour of individuals within the EU, are subject to it (Article 3).

Such entities have to appoint a representative in the EU (Article 27), unless the processing is only occasional and low-risk. In a multi-national organization this may be an EU subsidiary, depending on how the organization is structured.

PII, Personal Data, and Personally Identifiable Information

GDPR changes what can be considered Personal Data, and consequently the scope of the data protection laws: pseudonymized data, where an alias is used in place of the identifier, is within scope (Recital 26), because the entity holding the mapping or key can re-identify the individual. Only data that is anonymized irreversibly falls out of scope.
A frequently asked question is whether an IP address can be considered Personal Data. There is no easy answer, because it needs to be classified in its data context: the CJEU held in Breyer (C‑582/14, 2016) that even a dynamic IP address is personal data for a website operator who has lawful means to have the subscriber identified by the ISP.

I refer to Personal Data based on the GDPR definition as PII, in order to simplify and establish a general understanding across different laws. Within different privacy regulations the definitions of PII change, and most readers are accustomed to this.

GDPR, compliance standards and codes of conduct

A company is accountable and must be able to demonstrate which measures are taken to ensure data protection (accountability principle, Article 5(2) and Article 24). The security measures themselves are described in Article 32:

“(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data …; (d) a process for regularly testing, assessing and evaluating the effectiveness of … security ….”

The wording reminds of the ISO 27000 series, as a specific code of conduct / industry norm which can be followed. Neither the GDPR nor the 1995 Data Protection Directive (which it supersedes) recommends an ISO standard specifically; the GDPR instead provides for approved codes of conduct (Article 40) and certification mechanisms (Article 42), which may be used as elements to demonstrate compliance.
Within the accountability principle of the GDPR it appears that governance measures need to be demonstrated which resemble a compliant control framework.

GDPR and business policies

Generally, policies which aid the processes should:

  • minimize data collection and processing
  • mask or anonymize data where it is possible
  • create transparency of data processing activities to a proportional degree
    • enable the monitoring of the processing of consumer customers’ and employees’ data
  • continuously improve the security processes
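Pseudonymization versus anonymization in practice, as an added example that is not part of the original page (it illustrates both the “pseudonymized data is still in scope” point from the PII section and the “mask or anonymize” bullet above): a keyed hash of the client address in a web-server log keeps the data linkable and re-identifiable by whoever holds the key, which is why the GDPR still treats it as personal data, whereas truncating the address to a network prefix discards the link to the individual. The log lines and the key are constructed for the example, and the function names (`pseudonymise_ip`, `anonymise_ip`, `rewrite_log`, `reidentify`) are chosen here.

```python
"""Added example (not part of the original page): pseudonymisation versus
anonymisation of the client address in a web-server log."""
import hashlib
import hmac
import ipaddress
import re
from typing import Callable, List, Optional

# Constructed sample log lines (Apache-style); the addresses come from
# documentation ranges, not from real traffic.
SAMPLE_LOG = """\
203.0.113.17 - - [10/Oct/2017:13:55:36 +0200] "GET /login HTTP/1.1" 200 512
203.0.113.17 - - [10/Oct/2017:13:55:40 +0200] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2017:13:56:02 +0200] "GET /index.html HTTP/1.1" 200 2048
2001:db8::1 - - [10/Oct/2017:13:56:10 +0200] "GET /index.html HTTP/1.1" 200 2048
"""

# Throwaway key for the example. In practice it lives in a key store, and
# whoever holds it can re-identify the pseudonymised clients.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def pseudonymise_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace an address with a keyed-hash token (same client -> same token).

    HMAC rather than a plain hash: the IPv4 space is small enough that an
    unkeyed SHA-256 of every possible address can be precomputed, which
    would make the 'pseudonym' reversible for everyone, not just the key holder.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip-" + tag[:16]


def anonymise_ip(ip: str) -> str:
    """Truncate to a network prefix (/24 for IPv4, /48 for IPv6).

    The host bits are discarded, so the original address cannot be recovered
    from the output, with or without a key; several clients share one output.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))


def rewrite_log(text: str, transform: Callable[[str], str]) -> List[str]:
    """Apply `transform` to the client-address field of every log line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append(transform(m["ip"]) + " " + m["rest"])
    return out


def reidentify(token: str, candidates: List[str],
               key: bytes = PSEUDONYM_KEY) -> Optional[str]:
    """What the key holder can do: match a token back to an address from a
    list of candidates (e.g. a subscriber database). This capability is why
    pseudonymised data stays within the scope of the GDPR."""
    for ip in candidates:
        if hmac.compare_digest(pseudonymise_ip(ip, key), token):
            return ip
    return None


if __name__ == "__main__":
    print("pseudonymised (linkable, reversible by the key holder):")
    for line in rewrite_log(SAMPLE_LOG, pseudonymise_ip):
        print(" ", line)
    print("anonymised (prefix only, not reversible):")
    for line in rewrite_log(SAMPLE_LOG, anonymise_ip):
        print(" ", line)
```

The pseudonymised log still lets you count sessions per client and join it with other logs keyed the same way, which is the business value; the anonymised log does not, which is the price of leaving the GDPR’s scope. Keep the key separate from the log store and treat it like any other secret: whoever can run `reidentify` holds personal data.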

GDPR and decision-records

A key element of the GDPR is that companies need to keep internal records of their processing activities involving PII (Article 30). Organizations with fewer than 250 employees are exempt, unless the processing is likely to result in a risk to the individuals, is not occasional, or involves special categories of data. This formulates a measure of accountability that touches daily practice in information security.

The records need to contain the following information:

  • Purposes of processing
  • Classification (and descriptions of the data classification) of PII
  • Definition of the recipients of PII
  • Details of cross-border transfers including documentation of the transfer security mechanisms
  • Data Retention Policies and Plans
  • Descriptions of technical and organizational security measures

Data Protection Officer

A Data Protection Officer (DPO) monitors compliance and, in practice, usually keeps the records (see prior paragraph), although the obligation to maintain them rests on the controller or processor. A company needs a DPO (Article 37) if it is a public authority, if its core activities consist of regular and systematic monitoring of data subjects on a large scale, or if it processes special categories of data on a large scale.

Mandatory Data-Breach Notification

A data breach that is likely to result in a high risk to the individual must be reported to the individual (Article 34). A data breach is defined (Article 4(12)) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

This includes issues with internal access controls: an employee reading records without a need to know is a breach by this definition.

Not every data breach needs to get reported to the consumer customer. There are various reporting duties; the entity must notify the national supervisory authority (in the UK the ICO) within 72 hours of becoming aware of the breach (Article 33), unless the breach is unlikely to result in a risk to the individuals, and must document every breach internally either way.

This aspect answers what the consequences of becoming or remaining non-compliant are for possibly negligent entities. If a federal police force seizes evidence of stolen data and notifies an entity, a proportional reaction should include following the law. Data breaches are neither rare, nor can they be ignored.

If an entity has no adequate means to detect a data breach, the consequences can include that consumer customers withdraw their consent under the GDPR, in addition to reputational damage and serial investigations which arise from the external detection and reporting.

Consent

Individuals from whom personal data is obtained must be able to give freely given, specific, informed and unambiguous consent, and the entity must be able to demonstrate (verify) that consent was given. Entities need to provide a way to withdraw this consent as easily as it was given. If this consent isn’t present, it needs to be established and kept up to this standard; otherwise an entity is not allowed to process the information on the basis of consent (other lawful bases, such as a contract or a legitimate interest, are a separate matter).

If consent is required from a child for an online service, the company which wants to process the data needs to present a privacy notice the child can understand. If the child is under 16 years old, consent cannot be obtained directly; instead the holder of parental responsibility needs to give the consent on the child’s behalf. Member states may lower this age, but not below 13.

Individual privacy rights

The GDPR extends the EU Data Protection Directive and strengthens the individual rights of consumer customers. Entities must provide extensive materials to fulfill their privacy obligations.

  • The right to be informed about the processing of PII: privacy policies need to contain the retention period, details on transfers to 3rd parties and the safeguards (such as vested agreements) to protect data, as well as the recipients and categories of PII.
  • The right of access most notably states that individuals are entitled to obtain confirmation that their data is being processed, and to access their personal data. In order to fulfill access requests, entities have to verify the identity of the requester, otherwise the access request itself becomes a data leak.
  • The right of rectification is about correcting personal data which is inaccurate or incomplete.
  • The right to erasure means that individuals have the right to request that their PII gets deleted, given that the data is no longer necessary in relation to the purpose for which it was obtained, consent was withdrawn and / or the entity cannot demonstrate overriding legitimate grounds to continue the processing.
  • The right to restrict processing is similar to the current legislation, and allows an individual to block or suppress processing of PII.
  • The right to data portability has the data an individual has provided in scope. It states that data which is processed by automated means on the basis of consent or a contract needs to be delivered by the processing entity in a structured, commonly used and machine-readable format. An individual does not need to state a purpose.
  • The right to object states that an entity must stop processing PII for direct marketing if an individual objects; for direct marketing the objection is absolute and cannot be overridden. For processing based on legitimate interests or public interest, including research, an entity may demonstrate compelling legitimate grounds for the processing which override the objection. This right must be presented in the privacy policy in a very explicit manner, which means that the objections need to meet certain formality requirements to avoid conflicts with policy enforcement.
  • Rights to enact limits on automated decision making and profiling exist within the EU Data Protection Directive already.
References

{1} DPO Network Europe FAQs

{2} International Association of Privacy Professionals - website with resources and training

{3} The ICO defined consent as one of GDPR’s key areas

{4} ICO’s overview on the individual rights

{5} Discussion-starter on the evaluation of evidence to determine the likelihood of harm related to breach-notification duties

{6} SANS data-breach response policy

{7} Verizon DBIR report with statistics and trends related to data-breaches

Compliance and data security

Related to industry-specific data security standards, PCI-DSS (Payment Card Industry – Data Security Standard) is a good example to illustrate the various forms of regulations.

For me, privacy and security are really important. We think about it in terms of both: You can’t have privacy without security. (Larry Page)

The term Data Security describes a different aspect than Data Privacy. But the overlap between Data Security and Data Privacy can be enough to say that entities with a high data security standard also provide a high degree of data privacy. If a business is compliant with PCI-DSS, it most likely already covers many of the technical security measures the GDPR expects (Article 32), although not the requirements that have no security counterpart, such as lawful basis, consent and the individual rights.

PCI-DSS is not a law. It applies based on the existing merchant agreements with banks or credit card brands.

Business contract law and PCI-DSS compliance

Non-compliance with PCI-DSS can be treated as a legitimate option, but one that has consequences. These include higher fines from the card brands in case of a data breach, if compliance cannot be demonstrated over time.

The breaching party must make the other party whole, but the other party may not be entitled to receive punitive damages. Contract law generally seeks to put the victim of a breach in the same place it would have been if the contract had been performed.

Direct damages resulting from a data breach can be understood as a consequence of a breach of contract.

In early 2017 the Target Corporation reached a settlement related to the 2013 data breach in its credit card data environment.

In smaller cases arbitration may be perceived as a quicker and less costly alternative to litigation, and can be kept confidential if the parties agree. In the US, arbitration is less structured, with loosened rules of evidence and no jury.

There is a myth related to PCI-DSS compliance and Walmart. Rumor is that Walmart - one of the largest US retailers - is not compliant with PCI-DSS.
That is partly correct - as far as I know. They embed the security standard in their enforceable and auditable policies, but do not officially commit to PCI-DSS and its ambiguities. That does not mean that they are a negligent merchant. But it means that it is possible to develop a standard within a business that may proportionally account for data security.

References

{1} PCI–DSS perspective - introduction article on people, process and technology dimensions for an SAQ–A.

{2} PCI–DSS compendium - cheat-sheet like summary of the standard (version 3.2, 2017)

{3} Blog post about the deprecation of encryption standards related to PCI–DSS 3.2

ISO / IEC 27000 compliance

This section is not ready.

An ISO certification is issued by a certification body, which may in turn be accredited (nationally or internationally) by an accreditation body.

The difference between certified and accredited

A myth among certain groups is that a certified professional (CISSP, CISA…) can directly certify an employer’s ISO 27001 compliance.

This may be considered fraud, and can get prosecuted under national trade deception acts, as it is for other compliance standards. As an auditor, you should seek orientation and guidance within the auditing standards.

Organizations such as ISACA have auditing standards for reasons like this. Another standard which is useful for orientation is the SAS (Statements on Auditing Standards) series of the AICPA. Although it is generally referred to in the context of financial accounting, it emphasizes evidence and quality assurance. SAS 70 was long used for service-organization reports in SOX (Sarbanes-Oxley) audits; it has since been superseded by SSAE 16/18 and the SOC reports.

The fine line in compliance and wording

It is true that international banks and large corporate organizations employ experts to circumvent compliance standards like Basel III.

Some do that by emphasizing the gaps in the wording. Due to this, the standards change and attempt to eliminate the ambiguities which are getting abused. - That is a fine line, and not to be understood as a motivation, because the participants in such games (Basel III, for example) can afford it.

Typical ISO 9001, ISO 27001 or PCI-DSS projects are not worth such efforts. Basel III is associated with more than 200 000 risk and control points for large banks. Data security and data privacy compliance is much simpler these days.

ISO 27002

ISO 27002 deals with the following control domains (the list follows the structure of the older ISO/IEC 17799 edition; ISO/IEC 27002:2013 reorganised the controls into 14 clauses):

  • Business Continuity Planning
  • Asset Classification and Control / Asset Management
  • Access Control
  • System Development and Maintenance
  • Physical and Environmental Security
  • Compliance
  • Personnel Security
  • Security Organization
  • Communications and Operations Management
  • Security Policies

Intellectual Property

Generally in Intellectual Property (IP) affairs, labels and banners count, because they set boundaries.

Copyright

Original works of authorship can be copyrighted. That affects the individual expression.

An article on this website is affected by copyright. If it includes a source code snippet, the same applies to it. Copyright does not protect the idea, which is being expressed. It only protects the author’s particular expression of that idea.

In technical writing the expression of prose and source code can get combined. This may be a problem. - One legal idea is that it’s not necessary to put a source code snippet under a software license, such as the BSD or MIT License.

- Without further discussing the specifics of software licenses, this idea builds on the assumption that a “snippet” only consists of a few lines of source code, which cannot become (executable) software without modification, which makes the result a derivative of the original.

This legal idea does not cover complete source code listings, which may appear in an appendix or in selected sections. But it avoids conflicts between different software licenses, which may surface here.

Technical writing: source code listings and prose in forum posts

Programmer forums such as Stack Overflow face a different problem: a) the commercial service allows 3rd parties to publish technical writing content, b) the posts may contain complete listings, and c) they may have to deal with software license conflicts which arise from direct re-use.

Software is protected from unauthorized use by contract law (the license), copyright law and sometimes by patent law. Real property law, by contrast, deals with land and buildings and plays no role here.

In the US the Copyright Act does not protect ideas, natural laws, facts etc. (the idea / expression dichotomy, 17 U.S.C. § 102(b)); protecting them would also conflict with the Freedom of Speech guaranteed by the First Amendment.

Patents, trademarks, trade-secrets

This section is not ready

Patents in the US and EU

The US Patent Act (first enacted in 1790, today codified in Title 35 of the U.S. Code) grants the inventor the exclusive right to make, use, sell or import an invention for a limited period of time (20 years from filing for utility patents). To be patentable, an invention must be useful, novel and non-obvious.

Within the EU it’s possible to apply for a European patent at the EPO. Once granted, it is not a single enforceable right: it has to be validated in each of the designated member states, where it is enforced as a national patent.

Trademarks

Trademarks apply to names, logos, slogans and the like that identify goods and services. Trademark law protects the names, logos or slogans of a company from unauthorized use, but not its software.

Within the EU there is a dual system for trade mark registration: an EU trade mark, registered at the EUIPO and valid in all member states, exists alongside national marks registered at the national offices.

In the US the Lanham Act states that trademarks protect particular goods and services. They get registered at the Patent and Trademark Office (USPTO). Under the Lanham Act three questions get asked in federal trademark cases:

  1. How distinctive
  2. How recognized
  3. How unique

… is the mark.

A trademark can be a name, a slogan or an (artful) design used to identify some goods. It’s not related to the purpose of the goods. Design here does not refer to the means of creating products.

Trade-secrets: UTSA and EU Directive 2016/943

Trade secrets protect intangible assets. In the US they are primarily addressed by the individual states’ laws (since 2016 also by the federal Defend Trade Secrets Act), and within the EU by national law.

In the US most states have adopted the Uniform Trade Secrets Act. Under it, reasonable efforts to maintain secrecy are part of the definition of a trade secret, so the security measures taken serve as evidence in a dispute.

Such reasonable security may be to prohibit reverse engineering of your software in the EULA or ToS. However, you may need to take into account that exceptions can apply, due to bug bounties and other business processes within your company that accept reverse engineering. The rule of thumb here is that labels count.

Directive (EU) 2016/943, adopted in 2016, had to be transposed into national law by June 2018 “to standardise the national laws in EU countries against the unlawful acquisition, disclosure and use of trade secrets”.

A trade secret is not registered with the government, because the disclosure would eliminate the trade secret status. It applies to information that a company strives to protect from disclosure and that generates economic value through its secrecy.

Common Law Fraud

Before the SoX and Basel section a perspective on common law fraud is relevant. :wink:

In order to sustain a finding of common law fraud, the trial court looks for (1) a representation of an existing fact, (2) its materiality, (3) its falsity, or the speaker’s ignorance of its truth, (4) the intent that it should be acted upon by the person to whom it is made, and (5) ignorance of its falsity on the part of that person. In most jurisdictions the plaintiff must additionally show reliance on the representation and resulting damages.

SoX and Basel

This section is not ready.

Business contracts

Contract law seeks to put the victim of a breach of contract in the same place he / she would have been if the contract had been performed.

Contract law is primarily economic law. A breach of contract is a legitimate option that bears consequences. The breaching party must make the other party whole (compensate for direct damages, which are damages that result immediately from a breach of contract). But the other party may not be entitled to receive punitive damages.

Software contracts may contain license audit clauses, and license violation penalties may be set.

Mirror image rule

An offer message has to meet acceptance, which agrees to the offer entirely, for a contract to emerge. This tradition is known as the Mirror image rule.

Force majeure clause

Vis major: a higher force.

A force majeure clause is a special contract provision to limit liability. It’s common in commercial agreements, because it allows a service provider to excuse performance failures which are caused by extraordinary events, such as wars or unforeseeable disasters: a higher force.

Often business contracts with service providers have Service Level Agreements with commitments such as “99 % uptime” over a year, backed by service credits or penalties. A force majeure clause adds credibility to such commitments, because the provider only promises what it can control.

Merger clause

Merger clauses (or Integration clauses) and parol evidence rules encourage careful, written articulation of contracts.

  • As a customer you can ask to incorporate marketing materials into a contract as an appendix.

Generally speaking: the Merger clause supersedes and merges all prior agreements, representations, promises, warranties and understandings on subject matter. The contract represents the entire agreement between two parties.

Parol evidence rule states that any evidence of any previous agreement or oral understanding may not be introduced in court to contradict final terms of a written contract. Absent ambiguity, fraud or mistake, a written agreement is deemed to contain or integrate all relevant understandings.

Liquidated damages and merger clauses are not related.

Policies and language - tone and presentation

This section is not ready.

Learning to choose words carefully and accurately reduces legal risk

Good policies do not get written in absolutes, but in a language that is fit for the purpose and serves the company: it should allow enforcement in line with the company’s goals and values.
Written policies can make information security appear reasonable. But courts are also known to impose sanctions for not following one’s own policies, such as business record retention policies.

A popular example is that privacy policies of a merchant stated that consumers could expect “reasonable security” and the merchant eCommerce system used clear-text passwords. This is not considered reasonable, and a form of misrepresentation.

Another popular example is, that a company with an equality policy needs to disallow violent or pornographic material at the work place. Employers are liable, if they maintain a hostile work environment.

Business Record Retention

Retaining the mails of executives and professionals longer than those of hourly staff is often recommended, because their business value is greater, especially for outgoing messages, and those mails are more likely to have long-term significance.

Electronic records - does IT have records?

The IT (the technology departments of a company) may misunderstand its role as the custodian of company archives. There are popular cases of communication issues between the litigation team and IT regarding electronic record retention.

It is obstruction of justice to delete electronic records related to an investigation.

Labels and disclaimers - policies

  • It may be helpful to label the data, which is provided for law enforcement, as a trade secret. This can avoid conflicting follow up investigations by data privacy or tax institutions, which cooperate with law enforcement.

Business records and e-discovery - evidence and archives

Example: The security and privacy policy

Some security policies are phrased like:

We will take steps reasonably necessary to ensure your data is treated securely and in accordance with this privacy policy.

If you take a look at the Verizon Data Breach Investigations Report from 2017, you can see that data breaches are very common. If you keep this in mind for these policies, it may be useful to expect an adversarial reader who asks:

“What is reasonably necessary? As a customer I would have expected the reasonably necessary security of my data at all times.”

A formulation like this can lead to many difficult questions, and may not allow the company to present its security measures positively in an investigation. An alternative formulation:

As law, technology and best practices develop, company X aspires to reasonably and responsibly reduce the likelihood of harm with its internal security processes.

So what are these security processes? Answer: our security program is designed to maintain confidentiality, integrity, availability and resilience to ensure the data privacy of our customers within commercially reasonable boundaries.
If someone is interested in these boundaries, the portfolio of security measures can serve as evidence. The second formulation makes it possible to show that the security measures were proportional.
In my opinion it is a better starting point to defend against negligence allegations. It controls the narrative a little differently, because it does not speak in an absolute way. It does not state: “we take steps”. It says: “we aspire to”.

Hostile work environment

Employers are liable if they maintain a hostile work environment (e. g. by allowing violent or pornographic media).

Compliance and investigations - neutrality and corroboration

Intellectual property, trademarks and copyright

Piracy complaints

Many piracy websites are hosted in other countries, and therefore out of reach of local authorities in the US or the EU.

  • You can file complaints with the EU commissioner of Trade or the US trade commissioner. These are executive branches of the government.
  • It’s possible to collect evidence and to present it to credit card brands
    • for example: sue foreign websites at a local court, because it’s likely that the owners won’t show up. This may result in a default judgment, which can then serve as enough evidence to file appropriate complaints
      • this way it’s possible that the court issues an arrest warrant for the owners, which might get enforced at a local airport, if the evidence lends enough legitimacy against the malefactors
      • that can also help to put a lien on the money, when you are dealing with an international piracy site, or to enforce the judgment against the virtual assets of the defendant (such as Bitcoins, which can be stored with third parties)
      • many technology services have local offices. Their ToS often prohibit illegal activity.
      • in some cases it might be possible to prevent the piracy websites from being able to pay for these services.
      • it’s possible to contact advertisers, to cut off the sources of income of a piracy site
      • it’s possible that the owners of the website do not list the income of this business on their tax returns…

The strategy here could be to make it very hard to run a piracy site or campaign, and to maintain the moral high ground. Being in business with other entities such as credit card brands, ISPs or advertisers is a privilege. These business relations are built upon trust, which is sometimes mentioned in the ToS directly.
Tax authorities worldwide often have investigators whose day job it is to find out whether individuals are cheating on tax. That includes certain countries which have a reputation for “tolerating” a certain amount of “online crime”.

Cyber bully complaints

Cyber bullies and other digital vandals can rarely be identified. These acts usually do not get classified as serious crimes, which means that investigations will be limited in proportion to the available resources.

  • You can file a John Doe lawsuit and get a subpoena
  • Some well-known persons have stated that they hired investigators to prepare evidence for law enforcement to act upon. In many cases the bullies are immature young adults.
    • because of this, a call from the police or a complaint to the ISP might be sufficient

The strategy here could be to maintain the moral and legal high ground, until things come to light over time.

Federal investigation support - labels

tbd.

Definitions used in this wiki post

These definitions are used in this wiki post; some of them can additionally help to avoid misusing a legal term in a technical report. They are not compatible with legal literature.

Negligence

Negligence involves a failure to exercise reasonable care to prevent foreseeable injury to another person. Courts stress that intelligent procedures and written policies constitute “due care”.

A system owner can be held liable for negligence if attackers abuse his facilities as an instrument for launching an attack.

Conspiracy

Conspiracy is planning to commit a crime in the future.

Vicarious liability

Vicarious liability is when one party is held responsible for another’s misdeeds. For example: a company runs insecure systems which get abused for DDoS attacks; employees of a company commit crimes from the company network; banks with bad website security allow unauthorized access to bank accounts.

Necessity

Necessity means that defendants can argue that they should not be held liable for their actions as a crime, because their conduct served to prevent some greater harm.

Loss

Loss includes a wide range of harms related to victims of computer crimes.

  • costs of responding to the offense
  • conducting a damage assessment
  • restoring the systems and data to their state prior to the offense
  • lost revenue or costs incurred because of interruption of service

Incidental damages

Incidental damages include reasonable charges and expenses the customer incurs as a result of a data breach by a service provider.

Consequential damages

Consequential damages result from remote effects of a breach, and can include profits that are lost as a consequence of not being able to serve consumer customers.

Signatures

Signatures are not identification per se. A signature is a legal concept; identification is a security / operational concept.

In practice mouse clicks or typewritten names can be signatures, but they often lack a link to the signatory and a link to the signed document.
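The two missing links named above, made concrete as an added Go example that is not part of this wiki post: an Ed25519 signature is a function of the signer's private key and of every byte of the document, so verification fails for an altered document and for a mark produced with someone else's key, whereas a typewritten name can only be compared against itself and ignores the document entirely. The parties Alice and Mallory, the contract text and all helper names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer models a hypothetical signatory. The private key stays with the
// signer; the public key is what a relying party keeps on file.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair for the named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, Pub: pub}, nil
}

// Sign returns a mark that depends on both the private key (link to the
// signatory) and on every byte of doc (link to the signed document).
func (s *Signer) Sign(doc []byte) []byte {
	return ed25519.Sign(s.priv, doc)
}

// TypedName models a typewritten name under a document: it is not derived
// from the document, and anyone can type it.
func TypedName(name string) []byte {
	return []byte("/s/ " + name)
}

// Links records which of the two links a kind of signature establishes.
type Links struct {
	AcceptsOriginal bool // the genuine mark validates the genuine document
	DetectsTamper   bool // the genuine mark is rejected on an altered document
	DetectsImpostor bool // a mark produced by someone else is rejected
}

// assess runs one verification routine against the three cases that matter.
func assess(check func(doc, mark []byte) bool, doc, altered, mark, impostorMark []byte) Links {
	return Links{
		AcceptsOriginal: check(doc, mark),
		DetectsTamper:   !check(altered, mark),
		DetectsImpostor: !check(doc, impostorMark),
	}
}

// BindingReport compares a cryptographic signature with a typed name over a
// constructed sample document and returns the links each one provides.
func BindingReport() (Links, Links, error) {
	alice, err := NewSigner("Alice")
	if err != nil {
		return Links{}, Links{}, err
	}
	mallory, err := NewSigner("Mallory") // an impostor with her own key
	if err != nil {
		return Links{}, Links{}, err
	}

	// Constructed sample document and a one-character alteration of it.
	doc := []byte("Sample contract: Alice agrees to pay 100 EUR.")
	altered := []byte("Sample contract: Alice agrees to pay 900 EUR.")

	// Cryptographic signature: verification needs Alice's public key and the
	// exact document bytes, so both links are checked.
	cryptoCheck := func(d, mark []byte) bool {
		return ed25519.Verify(alice.Pub, d, mark)
	}
	cryptoLinks := assess(cryptoCheck, doc, altered, alice.Sign(doc), mallory.Sign(doc))

	// Typed name: the only possible check is whether the text reads "Alice".
	// It ignores the document, and Mallory can type the same name.
	typedCheck := func(_ []byte, mark []byte) bool {
		return string(mark) == string(TypedName("Alice"))
	}
	typedLinks := assess(typedCheck, doc, altered, TypedName("Alice"), TypedName("Alice"))

	return cryptoLinks, typedLinks, nil
}

func main() {
	c, t, err := BindingReport()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Ed25519 signature: %+v\n", c)
	fmt.Printf("typed name:        %+v\n", t)
}
```

Running it prints all three links as true for the Ed25519 signature and only AcceptsOriginal as true for the typed name, which is exactly the gap the paragraph describes: the typed name is accepted, but nothing ties it to a particular person or to the particular text above it.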

Affidavit

An affidavit is a formal statement by a witness, which deters the witness from later changing their testimony. It might be hearsay.

Version history

18.08.2017 - published draft version, fixed many typos. Sections on offensive security tool import and export are missing, and the general state of completeness is 50%.

19.08.2017 - minor corrections


GDPR FAQs - from DPIA (Article 25) to Data Mapping (Article 30, 32)