Combating Lawfare via Web3 – A Call to Action for Cyber Law Professionals
By Douglas M. DePeppe, JD, LLM
April 25, 2023
ChatGPT released an entirely AI-generated simulation of the Joe Rogan Experience podcast on April 14, 2023. The video depicted an entirely simulated video of Joe Rogan and Sam Altman, along with their respective commentary. In another release, ChatGPT released an entirely AI-generated interview of former President Donald Trump with Joe Rogan. Real-looking manipulation of video content is the Deep Fakes threat the world countenanced in 2019 with a Deep Fake of Mark Zuckerberg in which artists inserted a manipulated and sinister narrative about Facebook’s monopolistic plans around data. Another doctored video of Congresswoman Nancy Pelosi in 2019 falsely depicted her as drunk and slurring her words.
The threat of disinformation from Deep Fakes and artificial intelligence has led to calls for new legislation to combat false impersonations and other forms of disinformation. A Bill in Congress, H.R. 2395 (the DEEP FAKES Accountability Act) was even introduced in 2021.
Disinformation has emerged as a significant modern global threat to national security (the broader military term “information operations” contains disinformation as one subcomponent of irregular warfare). Many adversaries to the West engage in disinformation tactics, such as the social media campaigns of the infamous Russian Internet Research Agency. Accordingly, the acceleration of AI technology, like ChatGPT, points to a far more troubling disinformation threat environment – and counter-efforts to advanced threats like AI seem nonexistent. As usual with cyberspace, the defenders are playing catchup. Fortunately, in my view, Web3 presents a “leap ahead” way to rebalance things, provided the right approach is charted and the right team is assembled. What follows in this article is: A Call to Action for Cyber Law!
A CALL TO ACTION FOR CYBER LAW!
The founder of the Military Cyber Professionals Association (MCPA), Joe Billingsley, published an article which called for cyber law to play a greater role in restoring trust in cyberspace. He found support for his ideas in the recently released National Cybersecurity Strategy, in which one pillar of the strategy calls for shifting liability for insecure software products and services. Mr. Billingsley also calls out a deficiency in the strategy: “[W]e do not have enough lawyers that sufficiently understand cyberspace.”
My purpose here is to illustrate the astuteness of Mr. Billingsley’s observation by articulating a use case tied to Deep Fakes in which cyber law – and cyber lawyers – demonstrate how the role of law, especially in a Web3 environment, can create an advantage for defenders over attackers. Granted, that is a bold assertion with lots to unpack. I will begin with the concept of a “force multiplier”.
A FORCE MULTIPLIER – CYBER LAW ATTORNEY
A “force multiplier” is, according to Cambridge Dictionary: “something that increases the effect of a force”. During my earlier career as an Army Judge Advocate engaged in legal support to cyber operations, lawyers helped to design the contours of a cyber operation by interpreting international law (e.g., utilizing the Tallinn Manual). In my experience over the past 15 years as a cyber law practitioner in private practice, few corporations utilize expertise in cyber law to design or implement a cybersecurity strategy (that is, until experiencing a data breach and requiring the services of a Breach Coach). This underutilization of cyber law expertise results in the universal shortcoming observed in Mr. Billingsley’s article. That is, there is no deterrent effect because enforcement against malfeasance is rarely even considered. Without deterrence, cyber attackers become emboldened, as we have seen with ransomware attacks and the once-common decision of compromised companies to pay the ransom.
The force multiplying effect of cyber law goes far beyond just affording enforcement options, however. The bold assertion above about charting a new way for defenders to gain an advantage over attackers is a better illustration of cyber law as a force multiplier. So now let’s pivot toward Web3 and a ‘cyber law attorney’s interpretation of cyberspace opportunities’ – to paraphrase and expand upon Mr. Billingsley’s observation.
THE RIGHT TEAM AND APPROACH: LEVERAGING WEB3 FOR DETERRENCE
In a series of writings published on Medium, I revealed the research and analysis which caused me to articulate my view that data ownership represents a leap ahead way to combat various data misappropriation acts. Put simply, property law can afford ownership rights to data, and ownership under property law affords far more effective, efficient and scalable enforcement options.
A principal trait of Web3 is decentralization, and decentralization means, in part, that the very architecture of Web3 enables digital identity control. There is a reasonably well-established concept and model in Web3 called Self-Sovereign Identity by which “individuals or businesses have sole ownership over the ability to control their accounts and personal data.” Moreover, the World Wide Web Consortium (W3C), the standards body established by Web inventor and W3C Director Tim Berners-Lee, recently published the Decentralized Identifiers standard (DID v1.0). Whatever views one may hold about blockchain technology, cryptocurrency controversies, and certain nonfungible token (NFT) fads, Web3 represents the next evolution of the Web. And importantly for cybersecurity, incorporating a role of law strategy involving property ownership can tip the scale in favor of defenders. Let’s explore how.
Take Note: deterrence happens when property right infringement faces enforcement at scale. When data is owned, an unauthorized use can be stopped through enforcement actions enabled by law. For example, the starting point for enforcement might be a cease and desist letter to the offender; and additionally, depending on the nature of the ownership rights, a similar letter – or even a Notice and Takedown action (e.g., under the Digital Millennium Copyright Act in the US) – could be pursued against contributing infringers (e.g., video distribution platforms which are showing the infringing content). The ability to also take enforcement action against contributing infringers can make enforcement scalable, for it becomes a one-against-many strategy (i.e., all the interconnected networks improperly ‘touching’ the infringed data).
To illustrate this strategy further, let’s suppose Joe Rogan constructed legally enforceable ownership rights connected to his podcast business, and let’s further assume that copyright and trademark law applied to his ownership rights. In the US, contributory infringement is an actionable legal theory against entities that participate in the infringement. At a conceptual level, that legal protection could allow enforcement actions against entities involved in showing infringing AI-generated videos, sharing those videos, storing those videos, or receiving compensation in some infringing way. In other words, a large section of the ecosystem involved in infringing conduct could be pursued on legal grounds. Accordingly, a system-wide enforcement regime of this scale could shut down all aspects of the unauthorized use!
This type of property law-based enforcement would not be limited to copyright or trademark protected rights. As the Medium articles I published demonstrate, a much broader digital identity set of ownership claims could protect all sorts of intangible property. For example, LinkedIn has fought a multi-year battle against data scraping companies which used the Internet’s openness to use LinkedIn published website data for business purposes without compensating LinkedIn. LinkedIn has lost its Computer Fraud and Abuse claims against one company, while successfully obtaining injunctive relief for its contract and unfair competition-based claims (hiQ Labs, Inc. v. LinkedIn Corp.). Ownership of its proprietary data, if ownership rights were properly structured, would seemingly make for a simpler enforcement process for misappropriation or infringement claims.
A more fulsome analysis of the legal theories involved is beyond the scope of this article, and the Medium writings provide a conceptual starting point. But also, the objective here was to illustrate how legal know how coupled with new technology can be a force multiplier for entities that adopt cyber law into their cyber strategy, plans, and enforcement actions. To facilitate such an adoption, I joined with partners to form the CyberJuris Network. It is an assemblage of cyber law talent, many having military or government cyber operations experience, who approach this practice of law as component parts of an interdisciplinary team.
CONCLUDING REMARKS ABOUT COUNTERING LAWFARE WITH LAW
I included “Lawfare” in the title of this piece because empowering cyber defenders indeed requires cyber law, as illustrated above. The term “Lawfare” is an elegant, idiophonic term that captures the nature of current adversarial activity online. The openness of Western societies, including our structure of rights protections, has become an attack vector for adversaries. Respect for privacy, liberty, and free speech principles present some of the challenges when endeavoring to enforce rights against misuse. Property ownership, however, creates a strengthened legal protection from which enforcement strategies can be scaled. And in scaling enforcement, deterrence can be achieved and cyber defenders can secure an advantage over attackers. It is the Web3 architecture, coupled with law, which can rebalance the equities in cyberspace.
In 2012, a cheeky article I published entitled Is a Communist or Totalitarian System Preferable in the Internet Age, and which I revisited on LinkedIn in 2019, posited “how the openness and connectivity of the Internet was becoming a strategic vulnerability to democracy”. Referring to Lawfare, I wrote: “Our adversaries have learned that the Internet naturally favors those who crowdsource!” The strategic advantage of claiming ownership rights and enforcing those rights through legal theories like contributory infringement shows that enforcement can also become scalable. It represents a one-to-many enforcement approach, and in that sense, it is akin to a crowdsourcing strategy in that the multitude of infringed parties can pursue enforcement actions against the interconnected entities of the Internet. Rather than the one-off, whack-a-mole approach of current enforcement strategies, data ownership provides a systemic enforcement solution to defenders.
About the Author
As one of the original Army JAG Corps scholarship recipients for a Masters of Laws Degree (LLM) in cyber law, Lieutenant Colonel (retired) Douglas DePeppe advised several US Army cyber operations commands. Subsequently, he served as Legal Advisor to US-CERT at the Department of Homeland Security. While there, he was appointed to the Lawyers Working Group as part of the White House 60-Day Cyberspace Policy Review in 2009. Now founder of a cyberlaw boutique law firm, eosedge Legal, and partnered in the CyberJuris Network, he exclusively practices cyber law for clients around the country. His firm is also the cybersecurity partner to IR Global, the largest professional services network internationally. He was inducted into the Information Sharing Hall of Fame in 2018. When not engaged in cybersecurity compliance and breach coaching, he advises clients concerning data protection through ownership in the sport industry and other markets, arising from his digital identity and Web3 expertise.