The recent appeals court decision in the Microsoft – Ireland case was a milestone in Internet governance. If it is not challenged, or if it is appealed and holds up in the U.S. Supreme Court, it will mark an important turning point in the attempt to subject the Internet to sovereign states.
Recently there has been a lot of froth about the “fragmentation/balkanization” of the Internet. But this debate is not really about splintering the Internet into disconnected pieces; it is about what I call alignment. Alignment is the attempt to subjugate the cyber domain to existing political-legal jurisdictions. It is about superimposing the authority of territorial states over the global virtual space created by the Internet. This happens through various technical and legal measures designed to confine services and information flows to national territories; e.g., by filtering or blocking access to content from outside the country (e.g., the Chinese Great Firewall); through data localization laws; and through geo-blocking. Most of these things are bad – they undermine or destroy the value of the Internet.
But those who think they are re-establishing “national sovereignty” by means of alignment face a major problem. Alignment creates a profound jurisdictional conundrum. When governments seek to assert sovereignty over globalized information they have two basic choices. Either 1) isolate themselves completely by requiring every Internet service to keep all of their facilities and data in their jurisdiction and completely regulating all cross-border movements of data; or 2) extend their jurisdiction beyond their territory and try to regulate services globally. The first option, taken to its extreme, ends the Internet – it destroys the network effects and efficiency of the global Internet and creates a set of national walled gardens. The second option destroys the whole model of national sovereignty, and opens up Internet services to a welter of conflicting jurisdictional requirements.
Currently, we see both sides of this conundrum being played out. In Microsoft v. USA, alignment was the underlying issue.
Under the Stored Communications Act of 1986, the U.S. government claimed that it can direct a company to disclose records within its “possession, custody or control,” anywhere in the world if that system is operated by a US-based company – even when disclosure would violate the laws of the country where the data was located. The USA Patriot Act of 2001 relaxed and broadened the standards under which the US government could request information. This is an example a government reacting to the jurisdictional paradox by making their laws globally applicable. A great deal of the momentum for “data sovereignty” came from other countries reacting to these U.S. assertions of extraterritorial jurisdiction.
In its current dispute with Microsoft over a customer whose records were stored in Ireland, the U.S. Justice Department argued that the Stored Communications Act does not “limit the ability of law enforcement agents to obtain account information from domestic service providers who happen to store that information overseas.” Microsoft, on the other hand, argued that data stored in Ireland is not subject to US jurisdiction and that it may be contravening Irish law if it hands over the requested data.
The same problem is posed by a proposed change in Rule 41 of the Federal Rules of Criminal Procedure. Under Rule 41’s current incarnation, federal magistrate judges can only authorize searches and seizures within their own jurisdiction, with a few exceptions. The amendments promoted by the U.S. Justice Department would allow a magistrate judge to issue a warrant to hack into and seize data stored on a computer anywhere in the world if the computer’s actual location “has been concealed through technical means.” Civil liberties groups complained that the rule change would be a license to “get a warrant locally, hack globally.” A judge complained that the Justice Department’s interpretation of Rule 41 would effectively “permit FBI agents to roam the world in search of a container of contraband, so long as the container is not opened until the agents haul it off to the issuing district.”
Thus we see how the U.S. government has chosen to respond to the uniquely globalized character of Internet services by asserting global authority, a major deviation from traditional notions of sovereignty.
The court decision confines governments to their territorial jurisdiction – which is appropriate – but does not in any way confine the Internet to a territorial jurisdiction.
There is a tendency to view this problem narrowly as an example of the overwhelming power of the US government. But the problem is not confined to the U.S.; it is a structural feature of the clash between cyberspace and political space. Microsoft v. USA should also be a wakeup call for European “right to be forgotten” advocates. In their attempt to enforce the “right to be forgotten” (RTBF), French and European Union data protection agencies have asked Google to de-link all search engine results, in all countries, if they violate RTBF mandates in one or two countries. This would mean that some European governments are demanding global applicability for their local law. They are demanding it even where RTBF-mandated delinking is considered a violation of fundamental constitutional rights such as freedom of expression recognized by other states.
Clearly, the attempt to align Internet services with jurisdiction does not lead to a predictable, well-ordered world, a world in which traditional notions of Westphalian sovereignty are restored. It leads to a jurisdictional war of all against all.
Superficially, Microsoft’s argument that the U.S. government had no authority to compel disclosure of data located in another jurisdiction seems to rationalize data localization. In reality, Microsoft v U.S.A. was a great victory for the global Internet. The court decision confines governments to their territorial jurisdiction – which is appropriate – but does not in any way confine the Internet to a territorial jurisdiction. Thus, data can move wherever it needs to move or wherever it is most efficient to be held. This means that Governments have to accept the procedural and substantive limitations of their own law. It would be great if European courts showed the same respect for the legitimacy and territorial scope of their laws.
If governments want to be sovereign, then they have to be limited in their authority to their own territory, because sovereignty and territoriality are inextricably linked. If governments want to be extraterritorial, then they have to completely abandon notions of sovereignty and allow new institutions for global governance to develop, in which the multistakeholder community can govern themselves in a transnational environment.
Milton, you seem to present two options for
governments, with extraterritorial option
optimistically governed by a multistakeholder
community. I fear governments would prefer
multinational treaties to “solve” the limited
territorial reach of their sovereign control,
which I fear would be unconstrained by ICANN
or like scope.
Of course governments “would prefer” international treaties; that would privilege them in the making of policy and rules and exclude most of us. But don’t hold your breath waiting for a comprehensive inter-governmental treaty on Internet governance. They could never agree.
It is not disputed (at least not seriously) that offline law applied equally online. If a particular use of the Internet does not cross national borders in any significant way, then it is clear that national law applies.
However, as you correctly point out, much use of the Internet does cross national borders. Therefore several national laws may apply. This phenomenon is not unique to Internet: it applies to many aspects of life, in particular sales of goods and services. Since there can be confusion regarding which court should apply which national law, a significant body of international law has been developed to deal with the issues.
In many cases Internet raises new issues and international law probably needs to be adapted. International law is primarily established by treaties.
You say that treaties regarding the Internet cannot be agreed because states don’t agree. First of all, most treaties are not agreed by all states, regardless of whether they relate to the Internet. Important states (e.g. US, US, plus some others) have agreed Internet-related treaties, such as the Budapest convention.
I agree that states won’t agree a comprehensive treaty on Internet governance, but I don’t think that they should even try. There is no need for a comprehensive treaty. What needs to be done, in my view, is to adapt existing treaties as needed.
You seem to imply that the current multi-stakeholder model would be a better alternative. But states are stakeholders. If states cannot agree amongst themselves, then how can a body that includes states reach agreement? (Unless of course you deprecate the role of states, so that they cannot effectively influence decisions – but this is a denial of representative democracy to the extent that states are democratic).
But I suspect that you have something different in mind: some sort of direct democratic Internet governance by the people for the people. That would be great, but I don’t see any evidence that it is happening.
What I see is domination by powerful states (mostly US, but as you correctly point the EU is trying to join the game, and China probably will too), and powerful corporations, either directly or through de-facto corporatist structures. That’s a far cry from self-governance by the community.
If governments want to be extraterritorial, then they have to completely abandon notions of sovereignty and allow new institutions for global governance to develop, in which the multistakeholder community can govern themselves in a transnational environment.
I agree new institutions will develop, but they don’t appear to be in the multistakeholder manner you suggest. In the ruling, the court asked that the US Congress take up the issue and provide clarification of the Stored Communication Act. The proposed International Communications Privacy Act takes a traditional bilateral approach to allow specific governments access to individual’s data stored abroad.