The recent appeals court decision in the Microsoft – Ireland case was a milestone in Internet governance. If it is not challenged, or if it is appealed and holds up in the U.S. Supreme Court, it will mark an important turning point in the attempt to subject the Internet to sovereign states.
Recently there has been a lot of froth about the “fragmentation/balkanization” of the Internet. But this debate is not really about splintering the Internet into disconnected pieces; it is about what I call alignment. Alignment is the attempt to subjugate the cyber domain to existing political-legal jurisdictions. It is about superimposing the authority of territorial states over the global virtual space created by the Internet. This happens through various technical and legal measures designed to confine services and information flows to national territories; e.g., by filtering or blocking access to content from outside the country (e.g., the Chinese Great Firewall); through data localization laws; and through geo-blocking. Most of these things are bad – they undermine or destroy the value of the Internet.
But those who think they are re-establishing “national sovereignty” by means of alignment face a major problem. Alignment creates a profound jurisdictional conundrum. When governments seek to assert sovereignty over globalized information they have two basic choices. Either 1) isolate themselves completely by requiring every Internet service to keep all of their facilities and data in their jurisdiction and completely regulating all cross-border movements of data; or 2) extend their jurisdiction beyond their territory and try to regulate services globally. The first option, taken to its extreme, ends the Internet – it destroys the network effects and efficiency of the global Internet and creates a set of national walled gardens. The second option destroys the whole model of national sovereignty, and opens up Internet services to a welter of conflicting jurisdictional requirements.
Currently, we see both sides of this conundrum being played out. In Microsoft v. USA, alignment was the underlying issue.
Under the Stored Communications Act of 1986, the U.S. government claimed that it can direct a company to disclose records within its “possession, custody or control,” anywhere in the world if that system is operated by a US-based company – even when disclosure would violate the laws of the country where the data was located. The USA Patriot Act of 2001 relaxed and broadened the standards under which the US government could request information. This is an example a government reacting to the jurisdictional paradox by making their laws globally applicable. A great deal of the momentum for “data sovereignty” came from other countries reacting to these U.S. assertions of extraterritorial jurisdiction.
In its current dispute with Microsoft over a customer whose records were stored in Ireland, the U.S. Justice Department argued that the Stored Communications Act does not “limit the ability of law enforcement agents to obtain account information from domestic service providers who happen to store that information overseas.” Microsoft, on the other hand, argued that data stored in Ireland is not subject to US jurisdiction and that it may be contravening Irish law if it hands over the requested data.
The same problem is posed by a proposed change in Rule 41 of the Federal Rules of Criminal Procedure. Under Rule 41’s current incarnation, federal magistrate judges can only authorize searches and seizures within their own jurisdiction, with a few exceptions. The amendments promoted by the U.S. Justice Department would allow a magistrate judge to issue a warrant to hack into and seize data stored on a computer anywhere in the world if the computer’s actual location “has been concealed through technical means.” Civil liberties groups complained that the rule change would be a license to “get a warrant locally, hack globally.” A judge complained that the Justice Department’s interpretation of Rule 41 would effectively “permit FBI agents to roam the world in search of a container of contraband, so long as the container is not opened until the agents haul it off to the issuing district.”
Thus we see how the U.S. government has chosen to respond to the uniquely globalized character of Internet services by asserting global authority, a major deviation from traditional notions of sovereignty.
The court decision confines governments to their territorial jurisdiction – which is appropriate – but does not in any way confine the Internet to a territorial jurisdiction.
There is a tendency to view this problem narrowly as an example of the overwhelming power of the US government. But the problem is not confined to the U.S.; it is a structural feature of the clash between cyberspace and political space. Microsoft v. USA should also be a wakeup call for European “right to be forgotten” advocates. In their attempt to enforce the “right to be forgotten” (RTBF), French and European Union data protection agencies have asked Google to de-link all search engine results, in all countries, if they violate RTBF mandates in one or two countries. This would mean that some European governments are demanding global applicability for their local law. They are demanding it even where RTBF-mandated delinking is considered a violation of fundamental constitutional rights such as freedom of expression recognized by other states.
Clearly, the attempt to align Internet services with jurisdiction does not lead to a predictable, well-ordered world, a world in which traditional notions of Westphalian sovereignty are restored. It leads to a jurisdictional war of all against all.
Superficially, Microsoft’s argument that the U.S. government had no authority to compel disclosure of data located in another jurisdiction seems to rationalize data localization. In reality, Microsoft v U.S.A. was a great victory for the global Internet. The court decision confines governments to their territorial jurisdiction – which is appropriate – but does not in any way confine the Internet to a territorial jurisdiction. Thus, data can move wherever it needs to move or wherever it is most efficient to be held. This means that Governments have to accept the procedural and substantive limitations of their own law. It would be great if European courts showed the same respect for the legitimacy and territorial scope of their laws.
If governments want to be sovereign, then they have to be limited in their authority to their own territory, because sovereignty and territoriality are inextricably linked. If governments want to be extraterritorial, then they have to completely abandon notions of sovereignty and allow new institutions for global governance to develop, in which the multistakeholder community can govern themselves in a transnational environment.