Security in Internet Governance and Networks: Analysing the Law (SIGNAL)
SIGNAL is a project on the legal aspects of internet security hosted at the Norwegian Research Center for Computers and Law (NRCCL). SIGNAL examines changes in legal frameworks for internet security by focusing on established, new and proposed legal security requirements – at both international and national levels – directed at critical internet infrastructure (CII) and cloud computing.
About the Project
Ensuring internet security is a growing concern. The security of the internet depends not only on technological factors but also on an adequate legal framework. Therefore, the SIGNAL project scrutinizes legal requirements for such security.
One set of requirements examined by the project concerns the prevention of cybercrime. Criminal laws play a significant role in combatting cybercrime at the national level, but there is also an international convention on cybercrime (the so-called Budapest Convention of 2001) which shapes the national rules.
An important remit of the project is to assess the extent to which the Budapest Convention is sufficiently “up-to-date” in relation to technological developments.
Another focus is legal rules for use of cryptography. Encryption is an important enabler of internet security, but it can also be a tool for cybercrime, and this dual potential raises vexing issues.
Amongst the questions discussed in the project are the extent to which police should be given access to unencrypted or decrypted data sent over the internet, and what limitations human rights law imposes on such access.
The role of IGOs
At the international level, there is no single intergovernmental organization with a mandate to ensure all aspects of internet security. Instead, there are several organizations with overlapping but distinct policy frameworks. Some of these organizations, however, are moving to increase their security mandates.
The project investigates the possible effects of their increasing influence in the field.
The security focus of the project is complemented by privacy-focused research. Particularly relevant for SIGNAL are attempts to introduce legal incentives to develop privacy-enhancing technologies and "privacy by design". Such incentives have been largely absent from legislation on privacy and data protection.
However, the new EU regulation on data protection contains new provisions on data protection by design and default, which require a detailed analysis.
The primary objective is to enhance understanding of the regulatory framework for internet security by critically analyzing established and proposed legal security requirements directed at critical internet infrastructure (CII) and cloud computing services.
The secondary objective is to assess critically:
- the degree to which the relevant legal security requirements take sensible account of internet development;
- the degree to which these requirements impact upon governance of CII and cloud computing services;
- the extent to which intergovernmental organisations are exercising and able to exercise increasing influence on such governance;
- the degree to which the above legal security requirements engender fragmentation of the internet.
Project management and execution
The bulk of research will be conducted by three doctoral research fellows, each of whom will work primarily on one of the main research prongs (apart from that dealing with privacy-enhancing technologies (PETs)), with input and guidance from Bygrave and Mahler. Bygrave is taking the lead in research on PETs (a prong of research that will not form the main part of a PhD).
Project plan and organisation
The project will run for five years, starting on 1 January 2016. In addition to research, the project will involve holding three symposiums and a concluding conference. The first symposium will be held in September/October 2017; the second in May/June 2018; the third in May/June 2019. The final conference will be held in September/October 2020.