Summative Assessment Advice

& Feed Forward from

formative assessments

Dr Karen Mc Cullagh

➢ Exam on 19th January 2023.

➢ Administered through Internet Law & Governance

Blackboard site.

Examination ➢ The examination will be available for 3hours 45 minutes but

you are not expected to spend all your time writing. It’s
designed to leave time for thinking, planning, writing, and
taking breaks, and uploading before the deadline.
Preparing to complete the examination?

If you can’t complete

the exam
• If you have an extenuating
circumstance (e.g. illness,
bereavement etc), notify the Hub via
evision (and provide evidence) asap
so that your request for a delayed
first assessment in August can be
considered.

• Do NOT contact me. I have zero

power to help.

• Technical problems: Fill out the

form on the cover sheet of the exam
coversheet.
Format of Summative
Examination
• The examination will comprise 5 questions.

• A mix of essay and problem questions.

• Answer ANY TWO questions.

• Note: please ensure that you answer 2 questions. If you

only answer one question, the maximum grade you can
attain is 50% i.e. a bare pass.

What the examiner is

looking for
• Evidence you Know and Understand the subject matter.
Specifically, the materials you have been asked to read for
class. Only conduct additional independent research after
reading compulsory readings.

• Evidence you can answer the question posed i.e. identify the
relevant issues, create logical arguments, sustain arguments
using appropriate authorities (i.e. academic opinions from
journal articles & books; court decisions), and an ability to
critically analyse and reach well-reasoned conclusions.
 Instruction Words
• Critically analyse: break the subject into its main ideas and evaluate
them
When asked to critically analyse or evaluate .
• Advise: explain the applicability of the law to a particular factual
situation. Evaluate the significance of the results.
• Discuss: investigate a question, going into the pros and cons.
• Discuss Critically: As with discuss but you are expected to undertake
more reflective thinking focused on a quote, comment or court
decision.
• Meaning of different instruction words:
https://www.bangor.ac.uk/studyskills/study-guides/essay-terms.php.en

Identify the elements of a question

Critically discuss the effectiveness of technical, legislative and educational
measures adopted to reduce the risk of online fraud.

Instruction words
Topic words
Focus words

• Make sure you know what the question is asking.

• Return to the question periodically to check you haven’t missed anything!
What can you do to prepare
1. Look at the Readings for classes. Do NOT start by ‘googling’!

2. Recap knowledge i.e. remind yourself: what is the current legal

positon and why – i.e. why was the current law introduced (what was
the background/reason for introducing it). What does the current law
state?
Critical analysis: Do academics think the current law is ‘fit for
purpose/adequate…’ If not, why not – what reforms do they advise.

• Note: take a look at the examples of essay introductions on BB. They

tell the reader what position they’re going to take, and why and how
they will guide the reader through the discussion).

IRAC - Problem Technique

Problem questions don’t need an introduction
Issue - what is the potential legal issue for person A.
Rule – legal rules that apply to the legal issue. i.e. look at the legislation
e.g. Computer Misuse Act (CMA) 1990 (as amended) and case law
• Look at legislation e.g. CMA 2000 – what the law says,
• Look at case law to find out how the law has been interpreted and
applied.
• Look at the facts of the case law to work out if they are similar to the
facts of the scenario – if they are then, using the doctrine of binding
precedent, you would expect the same outcome in the scenario.
• Note: first time you mention legislation give the full title e.g.
Computer Misuse Act (CMA) 2000 (as amended)
• On the next occasion that you refer to the act you can use the
abbreviation e.g. CMA 2000
How to write about Law cases.
Note, non-law students: it is only criminal cases that are ‘prosecuted’.
(criminal cases usually result in a fine or imprisonment)

If it is not a criminal case then it is a civil suit and one party will ‘sue’
the other party for breach of x law. (a variety of remedies depending on
the legal issue e.g. damages (financial compensation)

E.g. R v Rowe is a criminal case (Terrorism). R represents Regina, the

Queen, who doesn’t actually attend court – cases are prosecuted by
government officials in her name.

Contrast: AMP v Person Unknown – this is a civil case. AMP sued

Persons Unknown for breach of copyright law.

How else could you include some critical

analysis in problem questions?

Consider whether previously decided cases have been properly

interpreted and applied. Note: to do so, you should read and cite
academic articles. Consider if the law is fit for purpose e.g. does it
contain defences, do academics think it should contain defences…
(critical analysis…)

Do problem questions need an ‘introduction’ similar to essay questions

– No. It’s fine to simply start by identifying the issue, … i.e. use the
IRAC method.
Layout information
• Use Word/pdf (preferably Word as it is easier to comment on). Do not
use alternative formats e.g. rtf or odt.

• Do NOT write your name anywhere on your answer. You may

identify yourself using your student number.

• Indicate which question you are answering e.g. Q3.

o You do not have to copy the whole question into your answer (but if you do, it doesn’t count
towards the word count).
o References are not included in the word counts
o Insert page numbers.

• Proof-read: check for spelling errors. Check punctuation. If you see

blue/red lines under words, right-click as the software will offer you a
solution on how to improve your spelling/grammar.

• Be precise in your Language and Spelling e.g. it is Lessig, not Lessing.

• Refer to academics by their surname only e.g. according to Lessig (not

according to L. Lessig or according to Lawrence Lessig).

• Show and tell should be your mantra for gaining more marks i.e.
show the what you have learned by telling the examiner what you’ve
read and providing references so that they can go check what you’ve
read.
In-text references & List of references (i.e. 2 step process). Below
is step 1
• You are welcome to use in-text references e.g.,

…What may be considered pornographic in one section of the society and

shunned upon from the public discourse may be perfectly legal in another
section of the society. Akdeniz (2000)

…Pippen and Bond noted that UK’s Online Pornography (Commercial

Basis) Regulations (2019) proposed age verification was too broad in
criteria, heightened threat of data mining, identity theft and only covered
accessing pornography from commercial sites. (Pippen & Bond 2019)
(Note: you can underline legislation and italicize cases to make them more visible to the reader, but it’s not
as important now that you are typing your answers)

Step 2: Insert a List of references at the end of your answer

I recommend categorizing your references by type, and then

alphabetical order so that you don’t overlook any

References
Books
Akdeniz, Y. (2000). Chapter 13: Governance of Pornography and Child
Pornography on the Global Internet: A Multi-Layered Approach: Law
and the Internet: Regulating Cyberspace eds. Lilian Edwards and
Charlotte Waelde (pp. 223-241 https://www.cyber-
rights.org/reports/governan.htm).

Journal articles
Pippen, A. & Bond, E. “Why is placing the child at the centre of online
OR: Option 2: footnotes (UK law graduates know how to do this already)
What may be considered pornographic in one section of the society and
shunned upon from the public discourse may be perfectly legal in
another section of the society. Akdeniz[12]

… Pippen and Bond noted that UK’s Online Pornography (Commercial

Basis) Regulations (2019) proposed age verification was too broad in
criteria, heightened threat of data mining, identity theft and only
covered accessing pornography from commercial sites.[13]

• Note: if you use footnotes, a list of references is not necessary

_________________
[12] Akdeniz, Y. (2000). Chapter 13: Governance of Pornography and
Child Pornography on the Global Internet: A Multi-Layered Approach:

Essential knowledge tips

• Re-Read and LEARN Lessig & Murray’s theories.
• Law is rarely a complete solution to an internet problem – you need to
be able to explain why (pathetic v active dots) and explain which other
modality/combination of modalities would be useful.
• Know what the theories and modalities are called and how they are
defined e.g., social norms are not known as habits or informal rules.

• Lessig, L. “The Law of the horse: What cyberlaw might teach,”

Harvard Law Review, (1999), Vol.113 Iss. 2, 501-549
https://cyber.harvard.edu/works/lessig/finalhls.pdf
• Lessig L. Code: And Other Laws of Cyberspace, New York, N.Y.:
Basic Books (1999), updated as Code v 2, Chapter 7.
http://codev2.cc/download+remix/Lessig-Codev2.pdf (review the Post-Class 1 recap slides)
 Example Examination
Questions & Recap of Topics
& feed forward from
formative assessment

List of topics
• Net Neutrality
• Fake News, Disinformation & Conspiracy theories
• Data Protection
• Computer Misuse
• Robotics
• Artificial Intelligence.

• Advice: make sure you know about Lessig’s 4 modalities of regulation

– useful for every topic.
• Prepare to answer questions on 3 of the topics listed above when
revising for the exam.
 Net Neutrality recap
• What is net neutrality?
• Why is it important?
• How is it achieved: Regulation 2015/2120 – Art 3
• What are specialised services? https://berec.europa.eu/eng/netneutrality/specialised_services/
• What is zero rating?
https://www.oxera.com/wp-content/uploads/2018/07/Zero-rating_1.pdf.pdf

• What did the CJEU decide in Joined Cases C-807/18 and C-39/19
Telenor Magyarország Zrt. v Nemzeti Média- és Hírközlési Hatóság
Elnöke?
http://curia.europa.eu/juris/document/document.jsf;jsessionid=8A94A1417C44745823A1BE1011844B12?
text=&docid=233749&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=14107369
Any more recent cases you could discuss?

Note: we looked at NN in the EU law and in developing countries in class i.. Facebook basics. Is it a
good offer? If not, should developing countries seek to copy the EU experience? If so, why?

Net Neutrality Question

Zero rated packages should not be permitted because of their potential
to undermine the protection given to net neutrality by the EU Open
Internet Access Regulation (Regulation (EU) 2015/2120). Discuss.
 Net Neutrality
• What is net neutrality?
• What is zero rating?
• What are zero rated services?
• Which articles in the Open Internet Regulation 2015/2120 are
important? Be able to cite and reference them.
• What was decided in the Joined Cases C-807/18 and C-39/19 Telenor
Magyarország Zrt. v Nemzeti Média- és Hírközlési Hatóság Elnöke
[2020] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?
uri=CELEX:62018CJ0807&from=EN
• Is it a good decision? If so, why? What are the implications for mobile
phone operators wanting to offer zero rated packages?
• When were the BEREC guidelines issued i.e. pre/post decision? Why
does that matter i.e. do they need to be considered in light of the

Fake News, Disinformation & Conspiracy Theories

- What is: fake news, disinformation & conspiracy theories? i.e. how do
scholars define these terms.
- Why are they a problem? Can you provide an example of each?
- What potential solutions could we use – do they have strengths and
weaknesses?
- Have scholars identified a single effective solution? If not, why not?
- Note: it might be a good idea to consider Lessig’s four modalities of
regulation too - week 1 reading.
 Data Protection - recap
• Tension between Privacy and data processing: the privacy paradox
• GDPR and UK GDPR - which is applicable?
• Data subject is in an EU member state: GDPR + national data protection law
of x member state (e.g. fixing age of consent)
• Data subject is in the UK – UK GDPR + Data Protection Act 2018

GDPR official text: https://eur-lex.europa.eu/eli/reg/2016/679/oj (quick guide

i.e. easy to search: https://gdpr-info.eu
UK GDPR official text:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/att
achment_data/file/969514/20201102_-_GDPR_-
__MASTER__Keeling_Schedule__with_changes_highlighted__V4.pdf quick
guide: https://uk-gdpr.org/chapter-1/

Alan, a new PG student at UEA, opens an account with

a new social media platform called "Rainbow
Connection" to stay in touch with friends and family
from home while he's at UEA. Rainbow Connection is a
US start-up established in the State of California, which
uses servers provided by a large Indian cloud computing
provider. In the course of creating his online profile,
Alan is asked to provide the following information
about himself:His name, address, phone number, email
address and date of birth, whether he is in a relationship
with someone. When he answers yes, he is encouraged
to provide his partner's name so that - if they also have
an account with Rainbow Connection - the two accounts
 Data Protection & Social Media
• The relevant legislation is the General Data Protection Regulation 2016/679
(GDPR): https://eur-lex.europa.eu/eli/reg/2016/679/oj Do NOT refer to Directive
95/46/ec or the Data Protection Act 1998. They have been repealed and replaced
(they were mentioned to help you understand how the law has developed and
why).
• Be precise when referring to legislation i.e. which article, paragraph etc.
• For guidance on Art 17, see: https://ec.europa.eu/info/law/law-topic/data-
protection/reform/rules-business-and-organisations/dealing-citizens/do-we-always-have-delete-
personal-data-if-person-asks_en
• For additional marks on whether the law is working as intended (e.g. the right to
be forgotten), you could refer to comments by academics in journal articles.
Here’s an example: Smith, K. (2014), 'The Right to be Forgotten: Legislating for
Individuals to Regain Control of their Personal Information on Social
Networks', Reinvention: an International Journal of Undergraduate Research,
Vol. 7, Iss. 1, http://www.warwick.ac.uk/reinventionjournal/archive/volume7issue1/smith

Cybercrime & cyberterrorism

• Chatz, a UK-based social media platform have identified that one of
their employees, George, has been accessing the customer database to
obtain personal details of Chatz customers. Chatz believes that these
are being passed on to a third party who may be using these details to
commit identity fraud. As a security engineer George does not have
authorisation to access the customer database.
• Another employee, Ava, has recently joined the hacker collective
‘fsociety’. Ava has secretly been using Chatz computers to co-ordinate
DDoS attacks on the Pentagon and the White House and has carried
out a mailbomb attack on her ex-employer Allsafe Cybersecurity.
• A third employee, Darlene, operates an anarchist website from her
Chatz server space. This website contains a list of UK government
offices, advice on how to gain entry to them, including detailed maps,
George, has been accessing the customer database to obtain personal details of Chatz
customers. Chatz believes that these are being passed on to a third party who may be using
these details to commit identity fraud. As a security engineer George does not have
authorisation to access the customer database.
Issue: whether George’s actions constitute “unauthorized access to
authorized data or systems”, and, whether his intention (mens rea) and
actions (actus reus) (i.e. intention to pass to a third party to facilitate
commission of further offence) constitute aggravated unauthorised access.

Rule: s2 Computer Misuse Act (CMA) 1990 (as amended)

Application: discussion of “unauthorized access” cases: R. v Bonnet, R. v

Bennett, DPP v Bignall and R. v Bow Street Magistrates Court and Allison
(Very good answers will note that the facts of R v Bow St are factually
similar to George’s actions).
Note: consider cases in date order because of the doctrine of binding

Application: R. v Bow Street Magistrates Court and Allison , House of Lords 05/08/1999 (belongs in in-text reference or
footnote)

(Facts) In R v Bow Street Magistrates Court and Allison, the defendant

used his authorised access to American Express to gained access to
unauthorised credit card accounts and PINs. The defendant passed the
data to a third party who used it to commit fraud.
(Issue) The issue was whether a person within an organisation who was
authorised to access some data on a computer system at a particular
level, could exceed his authority by accessing data at a level outside that
authority, thereby committing an unauthorised access offence under s1
of the CMA?
(Held) The court ruled that unauthorised access offence under the CMA
1990 was not limited to access obtained by an outsider or hacker.
Ava, has recently joined the hacker collective ‘fsociety’. Ava has secretly been using
Chatz computers to co-ordinate DDoS attacks on the Pentagon and the White House
and has carried out a mailbomb attack on her ex-employer Allsafe Cybersecurity.
Issue: By co-ordinating a DDoS attack and a mailbombing attack
(DDoS), has Ava committed an offence under s.3 of the Computer
Misuse Act 1990 (as amended)?

Rule: s3 CMA 1990: Unauthorised Acts with intent to impair, or with

recklessness as to impairing the operation of a computer

Application: Consider cases such as R v Jeffery and R v Weatherhead,

Rhodes, Gibson & Burchall, and DPP v Lennon to advise whether Ava’s
actions in co-ordinating a DDoS attack would be covered by the
amended s.3.

Conclusion: Ava has committed a section 3 offence, for which the

R v Jeffery, Southwark Crown Court 13/04/2012 (information in yellow should

be in a footnote or in text reference)

In R v Jeffrey the defendant, associated with Anonymous, used the log-

on details of a system admin to access 10,000 database records from
abortion provider and post anti-abortion messages on its home page.
The issues were whether the defendant had caused a computer to
perform a function with intent to secure unauthorised access to a
programme or data held in a computer, contrary to s1 (1) and (3) of the
Computer Misuse Act 1990 and whether the defendant had obtained
unauthorised access to a computer with intent of impairing the operation
of that computer, contrary to 3 (2) of the Act?
The defendant pleaded guilty to committing the offences and was
sentenced to 2 years 8 months imprisonment.
 Darlene, operates an anarchist website from her Chatz server space. This website
contains a list of UK government offices, advice on how to gain entry to them,
including detailed maps, and advice on how to make home-made explosives and
incendiary devices. The website is called ‘Cleanse with Fire’.
Issue: Has Darlene…

Rule: ss.57-58 of the Terrorism Act 2000 and/or Part I of the Terrorism
Act 2006.

Application: (insert your analysis) Analysis of the leading case law R v

M and R v Rowe confirms that Darlene has committed the more serious
s.57 offence of ‘possession of an article in circumstances which give
rise to a reasonable suspicion that possession is for a purpose connected
with the commission, preparation, or instigation of an act of terrorism.’

Also, once informed by a police officer, Darlene, would also commit the
David: recently developed the online personality WelshLibertas and claims to be a freedom fighter for
an independent Wales. He has built a website which contains a considerable amount of rhetoric about
English oppression of the Welsh. The website has a section entitled “strike back”. In this he exhorts
fellow Welsh people to attack symbols of English imperialism such as the Palace of Westminster,
Windsor Castle and the Bank of England. The website also contains excerpts from publications such
as the Anarchists Cookbook showing how to make explosives.
• Do David’s acts have/lack the ideological motivation required for terrorist activity? (need to know how terrorism is
defined)
• Section 57 deals with possessing articles for the purpose of terrorist acts. Section 57 includes a specific intention.
Section 58 deals with collecting or holding information that is of a kind likely to be useful to those involved in acts
of terrorism. Section 58 does not include a specific intention. Also, collecting information (without making a record
of it) falls with s.58 only s 59 deals with incitement terrorism overseas; Terrorism Act 2000.
• Could he be charged under s.1(2) of the Terrorism Act 2006.? See s34 for definition of terrorism. For s.1(2) to apply
David would first have to be given notice by a constable under s.3 of the TA 2006.
• Could the excerpts from the Anarchist Cookbook be described as possession of “an article in circumstances which
give rise to a reasonable suspicion that possession is for a purpose connected with the commission, preparation, or
instigation of an act of terrorism.” This is an offence under s.57 of the Terrorism Act 2000.
• Is it also an offence under s.2 of the Terrorism Act 2006 (dissemination of terrorist publications)? Note: s.3 CMA
19990 as amended would also apply.
• Relevant cases to consider: R v Rahman and Mohammed, R v Zafar and R v Brown [re a free speech defence in
relation to the publication The Anarchists Cookbook]
(a) Is hacktvism too grey an area for the application of strict rules as are
found in ss 1-3 of the CMA 1990?
(b) Should the CMA 1990 include a defence for those involved in hacktivist
activity?
(c) Would Art 5 of the Budapest Convention on Cybercrime allow for a
• Firstly what is the scope of s.3 of the Computer Misuse Act? This
defence?
occurs when an individual carries out any act which is intended to
impair the operation of a computer, to prevent access to data or to
hinder the operation of a program. This seems clearly to cover acts
such as DDoS often used by Anonymous.
• What about intent? Surely if Anonymous intend some form of civil
disobedience they should have a defence? This is the Klang argument
as seen in Civil Disobedience Online and Virtual Sit Ins, Civil
Disobedience and Cyberterrorism however there is no such defence
under the Computer Misuse Act – see DPP v Lennon and R v
Cuthbert (in relation to s.1).
• Students can point to cases where arrests and prosecutions have been
Finding relevant cases
Supreme Court decisions can be accessed here:
https://www.supremecourt.uk/decided-cases/

• BAILII https://www.bailii.org

• Note: it’s acceptable to rely on cases discussed in textbooks instead of

trying to find additional cases for the CMA question.
• Murray, Information Technology Law: The Law and Society (4th edn)
is available as an e-book via the library. Chapter 19 contains a
discussion of CMA cases.
If you’re logged into UEA, this link will work: https://www-oxfordlawtrove-
com.uea.idm.oclc.org/view/10.1093/he/9780198804727.001.0001/he-9780198804727
 Norfolk County Council is considering permitting US-based company
Ghost Cars to launch a fleet of autonomous, self-driving cars in
Norwich. The Council asked for clarification on two points, firstly that
the self-driving cars would be programmed not to contravene UK road
traffic laws as the speed limits vary from country to country and that the
vehicle would comply default speed would comply with UK as opposed
to US speed limits.
A representative from Ghost Cars has confirmed that the cars are
programmed not to exceed the maximum speed permitted on the
respective local road on which they are driven.
Despite this assurance, Norfolk Council remains concerned because
analysis of driving data from other countries where the service is
already available suggests it may be possible to circumvent that
limitation. It is not clear exactly how this is done, but there are
indications on different web forums that users may be able to access
certain emergency codes on the web. If entered into the car’s keyboard,

Autonomous vehicles
Automated and Electric Vehicles Act 2018, Read the Explanatory note:
11. Automated vehicles are those that have the capability of driving
themselves without human oversight or intervention for some, or all, of a
journey. In an automated vehicle the driver can, in at least some circumstances
or situations, hand all control and responsibility to the vehicle and effectively
become a passenger, using it in automated mode. United Kingdom law on
compulsory motor insurance has focused historically on ensuring that victims
of road traffic collisions are compensated quickly and fairly. In the case of an
automated vehicle being operated in automated mode, however, accidents
could take place not as a result of human fault, but because of a failure in the
vehicle itself, for which the only recourse available to an otherwise uninsured
victim might be to sue the manufacturer through the courts. This Part extends
compulsory motor vehicle insurance to cover the use of automated vehicles in
automated mode, so that victims (including the ‘driver’) of an accident caused
by a fault in the automated vehicle itself will be covered by the compulsory
Automated and Electric Vehicles Act 2018
Explanatory note
Section 3: Contributory negligence etc.
• This Section applies contributory negligence principles to the
apportioning of liability in relation to accidents involving automated
vehicles, where the injured party to some extent caused the accident or
the damage resulting from it.

Section 4: Accident resulting from unauthorised alterations or failure

to update software
• This Section allows insurers to exclude or limit their liability to the
insured person for accidents caused by the vehicle’s software being
altered in breach of the insurance policy, or by safety-critical software
updates not being applied. This applies subject to various conditions

Artificial Intelligence

• Does Artificial Intelligence technology and datafication have the potential to

deepen existing ?inequalities and power asymmetries.
- what is AI? How does it work?
• What data does it rely upon and how does it become intelligent?
• Is there potential for bias? How?
• Predpol example https://themarkup.org/prediction-bias/2021/12/02/crime-
prediction-software-promised-to-be-free-of-biases-new-data-shows-it-
perpetuates-them
• Does the GDPR provide any remedies e.g. art 22 GDPR/UK GDPR?
Next steps