In 1996 at a conference on cyber-law, Judge Frank Easterbrook of the US Court of Appeals gave a presentation on Property in Cyberspace in which he argued that cyber-law as a strand of law did not exist, for the same reasons that there was not a law of the horse". He argued that Teaching 100 per cent of the cases on people kicked by horses will not convey the law of torts very well He believed that existing law would be able to convey all the salient points of cyber-law, and therefore it would be better if it was not taught, or did not exist. I am going to use his Horse Law as the basis for this essay and outline the way that pre-internet laws work in cyberspace (if indeed they do); identifying where real-world analogies are brought into the law by the courts and seeing where the law now is terms of cyberspace regulation. I will focus mainly on the criminal law, as civil regulation online has grown up mostly around business practices, and criminal law has and needs to be addressed by the Government. Are laws technologically-neutral? Should they be? Lawrence Lessig wrote a reply to Easterbrook, which argued that 'We see something when we think about the regulation of cyberspace that other areas would not show us'. Lessig did not defend horse law, but defended cyber-law from being ejusdem generis with it. Lessig believed that 'The anonymity and multi-jurisdictionality of cyberspace makes control by government in cyberspace impossible', and that made cyber-law unique and worthy of study. Lessig concludes the essay by predicting 'the values of real-space sovereigns will at first lose out' during the growth of the Internet, and that part of cyber-law's job is to monitor the interactions and inevitable growth and change of these sovereigns in cyberspace. It seems that if you build it, they will come. But academic debate on cyber-law as a subject did not end there. Sommer argues, like Easterbrook, that cyberspace is not a new place for new laws but a new place for old laws. He believes that it will take a while for new practices to develop that need new laws . He draws analogy with wire transfers referencing Article 4A of the Uniform Commercial Code, which codified over a century of wire transfer law, yet was 'built on no prior statute'. So will "cyber statutes" or laws merely codify existing practices into a new arena? Or will they be new and different? In 1984, two hackers called Stephen Gold and Robert Schifreen gained access to BT's Prestel network and started series of (nearly) harmless pranks within the network . They were eventually caught and charged with an offence contrary to s.1 of the Forgery and Counterfeiting Act 1981, which states 'A person is guilty of forgery if he makes a false instrument, with the intention that he or another shall use it to induce somebody to accept it as genuine, and by reason of so accepting it to do or not to do some act to his own or any other person's prejudice'. This seemed like the best charge that existed under the common law at the time, and on conviction the defendants appealed. Both the Court of Appeal and the House of Lords held that the 'instrument' to which the offence referred to could not be forced to apply to 'electronic impulses', under s.8(1)(d) of the Act. Essentially, there was not an offence that existed that seemed to cater for the actions they pursued. The case of Gold and the increasing computerisation of important functions in numerous industries led to the Law Commission Report, Computer Misuse where a new offence of unauthorised access was advocated. This eventually became law in the form of the Computer Misuse Act 1990 (CMA). The CMA was written in a deliberately ambiguous style. Murray says it is well designed, mainly due to the fact that it avoids colloquial terms, which would be hard to define by anyone familiar with them, let alone a court. The CMA was designed to catch a broad variety of activity and define it as criminal. But is this a good thing? It needed a lot of definition when it came to its application. Before Cropp and the subsequent clarification it was not even clear if two separate computers are required for an offence. It was this clarification that led to spate of employee-access cases that defined what the majority of the CMA offences would be. It took several years for a case on the CMA to land at an appeal court, in the form of DPP v Bignell. Like many that had preceded it, Bignell involved access to the Police National Computer (PNC). But the defence raised by the defendants was interesting, and according to a literal interpretation of the CMA - correct. The offence of which they were charged was s.1 of the CMA, which criminalised access but not unauthorised use of authorised access. This was held by Astill J to be the correct. The CMA and its ambiguous wording had failed in that it hadn't criminalised some 'extra-curricular' behaviour. The defendant was authorised to access the PNC but did so on that occasion for an unauthorised purpose. It is worthy to note that Astill J thought that a charge under s.5 of the Data Protection Act 1984 (DPA) would have been more appropriate. This seems to be why he was reluctant to make the offence fit the crime, similar to the approach in Gold. We have had two examples so far of cases failing against defendants because they were charged with offences that were either not intended to apply to computer misuse or lacked enough definition to be clear. One technologically-neutral and the other so generic that it could almost be construed as such. Is this a reluctance of the courts to evolve cyber-law themselves or the Crown trying to make do without proper cyber-law? Two years after Bignell, the House of Lords revisited the same point of law regarding s.1 of the CMA and overruled it . Accessing authorised data for unauthorised purposes was found to be within the remit of s.1. But was this stretching the law too far? It seems to broaden the scope of the CMA to include the specific offences in s.5 of the DPA 1994. Is it just to have two offences for the same action? Despite the final success for the Crown with regards to employee access, the CMA was clearly lacking in one major, developing area: Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks. Murray stated that 'those engaged in DDoS attacks would probably only be liable for the installation of the Trojan software not the attack itself... Legally this meant the UK was failing in its duties under the Council of Europe Convention on Cybercrime ". This became one of the reasons behind the amendments of the CMA in s35-38 of the Police and Justice Act 2006. The amended CMA included provisions designed to catch DDoS attacks like s.3(2)(a) '(guilty of an offence if he intends) to impair the operation of any computer'. But were these modifications necessary? It seems that one of the main victims of DDoS attacks were online gambling websites but beyond this industry, were there people in need of protection? DDoS attacks are hard to relate to any real-space offence or law, with would seem to weaken Easterbrook's argument. It is hard to reconcile any of these actions and crimes with a real-space offence. There have been many attempts by the judiciary to do so, but why? Is it to explain the offence and reasoning to those reading the judgement? To help make sense of the actions to themselves? Why do these unnecessary allegories exist? An act of computer misuse does not only become a crime when it can be compared to a real-space offence. If this were the case, then to apply the Horse Law theory, any cases involving horses would have to be compared with humans, or perhaps objects. In DPP v Lennon an ex-employee of a company was charged with an offence under s.3 of the original CMA. Lennon had used a mail-bombing program to send 5,000,000 emails to the company server, causing it to crash. This is a form of DoS attack, and the amended section s.3 was written to deal exactly with this type of action. In defence, Lennon submitted that he had no case to answer as the sending of the emails was not unauthorised, as he the server was designed to receive emails, and that was all he had done - the quantity was immaterial. This defence succeeded at first instance, and the Crown appealed to the High Court, arguing that there was a difference between spam and bona fide communication, and that difference was consent. Jack J upheld the appeal, and reasoned by comparing the sending of an email to that of a person walking up a garden path of a private house. There is an implied consent that a person can walk up a path if going to deliver a letter, or wants to speak to the person inside, but the homeowner does not consent to a burglar on the path or the letterbox being stuffed with rubbish. Jack J likened this last point to the result of Lennon's actions. A bona fide email would have been accepted, but not the spam. This raises two points, however. Would just sending one hoax email have been a crime? One email would have been less likely to be considered an offence under the CMA. So the correct analogy would surely be that of posting 5,000,000 letters in separate trips up a garden path. Secondly - why was the analogy needed? It was likely needed to justify stretching s.3 to fit a DoS attack. This and the above cases like Gold and Bignell involving statute stretched to breaking point illustrate that the CMA, as vague as it was, desperately needed the update that the PCJA gave it. It is also worth asking if using a mail-bombing program from one machine would these days cause a slow-down of a company server. The increase in broadband speeds could well mean that DDoS now has to be used rather than a DoS attack. The upload speed of connections still lags significantly behind download speeds and Lennon's emails would be likely to have little effect on a modern server. So this case could be argued to be out of date both in its point of law (as the amended s.3 now caters for DoS attacks) and it now would be technologically unlikely that a single machine can slow down a server. So now where does Horse Law stand? In Lennon, a real-world analogy had to be drawn to make the offence fit the actions. This would support Easterbrook's theory, in that the offence had to have a real world basis to work. But the court should not have had to resort to that as the amendments were already on the way. The relevant addition for Lennon, was s.3(2)(a): "to impair the operation of any computer" Could this have a real world counterpart? Perhaps slowing down a postman? Removing a garden path? These analogies start to fall down when you continue the metaphor. If cyber-law were truly Horse Law they would surely stand up? So far this essay has concentrated mainly on criminal law, and since Easterbrook's original title was "Property in Cyberspace" civil law must be considered also. Contract law is an area that has had a great deal to do with the early computer age - e-commerce and the larger technology companies that exist today could not have prospered as they have done without contract law. Murray argues that this is the cornerstone of a modern society, and remains 'true of today's information society'. Contract law and the Internet has been given a good overview in Murray's book, but more detailed analysis will be brought to the analogies that the courts have applied to bring contact law into the 20th century, decades before the Internet. As already mentioned in Sommer's article, there have been rules and practices relating to instant communication, with the emphasis on money transfer or contract formation, for over a century. The courts have had ample time to develop the law on its use. The Postal Rule applies in contracts made by non-instantaneous means of communication, and means that as soon as the acceptance of an offer is posted, the contract is formed. For instant communication like telex, telephone or fax, the contract is concluded when the acceptance is received by the offeror. Lord Denning's famous passage at 332-334 can be applied easily to contracts online. Email is a good example of the postal rule still functioning online - email is not perfect, not instantaneous and there is no sure-fire way to confirm that an email was received or read. So, the postal rule applies. When purchasing products online, some online retailers specify in the terms and conditions that the contract is concluded only when a dispatch confirmation email is sent. This seems a good example of Sommer's idea that cyberspace didn't bring about new practices, so old law can still be used to regulate it. But what forms of instant communication exist on the Internet that are used to conclude contracts? Instant Messaging (IM) is one of the first, and oldest, methods of communication online, but is it ever used to conclude contracts? The author would suggest not, although lately there has been an increase in companies offering 'live help' via a flash chatbox, as a form of customer support. But to think of a contract being finalised over that medium would be a great leap. In any case, if it were, then it is likely that the rules applicable to Telex, confirmed in Brinkibon v Stahag Stahl und Stahlwarenhandels GmbH would apply. So where is Horse Law now? What effects are technology and the Internet having on older areas of law? Easterbrook and Sommer would believe that Internet Law is just a new area in which old laws can fill, but what about the Internet changing old law? One area where the Internet has had a great effect is injunctions. This equitable remedy available to prevent damaging information being made public, which effectively restricts the press, cannot stand once the information is already out there. This exception to injunctions has been used recently to bring about the end of injunctions in a unique way, usually using social networking sites such as Facebook and Twitter . The Trafigura case broke because the MP's question in Parliament was being circulated on Twitter, so the information was out there. When allegations involving the private life of John Terry, the Captain of the England Football team surfaced, an injunction was not granted as the information was already out there and he would be unlikely to defeat the public interest defence. These cases show that Internet innovations can have a great bearing on areas of law once thought settled. It is not just old areas of law coming on to the Internet, but Internet phenomenon changing the way other areas of law act. How would it be best to study these interactions? The Internet defeating injunctions could be taught under Defamation, but where to tie all together as part of a larger debate about Internet governance? The social media cases have used the spotlight Lessig introduced to illuminate chinks in the armour of settled areas of law. Just as the Spycatcher book was for sale to commuters at train stations, the latest celebrity scandal arrives via an anonymous tweet. It is all but unstoppable, and at the very most, organisations seem to be only able to delay the information getting out. But where does legislation stand on cyber-law since the CMA amendments? In the wash-up of Parliament before the 2010 General Election, the government pushed forward the controversial Digital Economy Act 2010 (DEA). But recently Talk Talk and BT, two ISP's, have been granted a judicial review of the Act by the High Court. What the most important provisions in the Act, though, are relating to punishments for copyright infringement. Section 9 deals with most of these, and includes provisions that allow the Secretary of State to direct OFCOM to assess whether 'technical measures' should be implemented in cases of persistent infringement. The fullest extend of the measures allows Ofcom to force ISP's to 'suspend the service provided to the subscriber'. Leaving aside the arguments about Internet access as a human right, this provision does not fit in well with the Horse Law theory. For Easterbrook to be correct, the provision would have to have some other application in real-space or a use away from cyber-law. This is not now just an analysis of an unruly horse damaging property, but an internet-only provision. There is no real world equivalent of cutting someone off from the Internet. People are not banned from using telephones, roads or public transport generally, yet here we have a provision which can restrict access to a vital part of a modern society. The author now argues that Horse Law has come full-circle and has ended. In contrast with the vague terminology of the 1990 CMA, the DEA is explicit as to its technical terms and definitions. It uses phrases like 'internet service providers' and requires information to be sent to 'the electronic or postal address held by the internet service provider for the subscriber'. Although the Act is careful not to mention email directly, the inclusion of a provision specifically allowing for contact electronically would have been unthinkable a decade ago. To show advances in understanding recently, he law has allowed contact via a variety of new mediums; and these little inroads technology and Internet are making into the legal system are further evidence of cyber-law being an individual subject. The DEA was not technologically neutral. The language and definition make that clear, and despite virtuous arguments about the practicability of the measures themselves, this Act would find it hard to function correctly beyond cyber-law if it were technologically neutral. If it were technologically neutral, it would make no sense at all, perhaps having to refer to 'restriction of access to a series of network of services'. It would be so generic and its language would refer to a looming elephant in the room. It would be make little sense. In recent years there has been an increase in laws surrounding the use of the Internet and computers. Some have related to civil law and some criminal. The initial civil provisions seem to have had more success that the criminal law, owing much to the fact that practices haven't changed greatly with technology, but have increased in speed. A letter in the post may take two days and emailing to conclude a contract can take two minutes, but still get lost along the way. This supports part Sommer's argument well, in that the Internet was not a place to develop new practices, just a place for old practices to move into. It also helps that the instant communication of the 20th century paved the way for civil law online, with business developing practices that were adopted universally to promote certainty filling in the gaps. With regards to criminal actions and consequences, initially the CPS tried to shoe-horn new actions into old laws, and the courts seem stuck on the idea that computer crimes need to be compared to real-world crimes for them to make sense. But it is not known to whom the explanation is owed (the author hopes it is not the judiciary themselves). To many people today, even an offence as specific (and technically useless) as 'it is an offence to access the C: drive of another's computer without permission' would make sense and need no analogy to translate into the real world. Technologically neutral laws have been tried and failed; even widely generic laws haven't worked properly until an update. It is now clear that the laws that do work are ones that take into account the exact purpose and authorisation of the people involved (Allison). Cyber-laws need to be technologically aware and precise, because that is part of the nature of computers themselves. But they also need to avoid slang in order to target people who would try and argue a defence on a definition of a word that doesn't exist outside of a message board. A description of the effects of the actions, as the CMA does, is a good idea place to start. This is how many criminal laws have worked for over a hundred years (Offences Against the Person Act 1861) and how computer laws should work. The CMA describes slowing down computer, which works. It would be wrong to talk about a botnet. Drafting legislation to know about computers and be technologically-aware is important, but at the same time it must not try and use static definitions likely to change.