Territoriality and the Cloud

I have an op-ed in tomorrow’s New York Times explaining why I think we’re at a critical moment in the regulation of the global Internet. States are increasingly asserting territorial control over the Internet—often because doing so is the only way to get access to data in which the state has a legitimate interest—and this has a number of troubling consequences. For example, if law enforcement in one country cannot get access to criminal evidence held by American Internet companies, they might: 1) demand that data be held on local servers, where it can more easily be accessed (and surveilled); 2) deploy covert surveillance efforts to access the data (and perhaps demand a way around the service provider’s encryption); and/or 3) assert extraterritorial jurisdiction over the foreign-held data, throwing Internet companies in an unfortunate conflict of laws.

Each of these problematic policies is the result of many states’ frustrations with the existing regulatory and technological framework for Internet data, whereby most of the data is held by American firms and therefore out of foreign government hands (I can’t say how much data, but we know that 90% of world’s Internet users are outside the US, and their most common web destinations are websites provided by American firms like Facebook and Google). My friends in the tech world agree that forced data localization and bulk Internet surveillance are problematic. But they do not yet see them as part of a broader crisis of state attempts to control the global Internet.

In my view, privacy advocates and Internet companies should be pushing hard -- much harder then they are currently pushing – to address this larger crisis. States must be allowed to exercise local regulatory control over the Internet in ways that are consistent with their legitimate government interests – like getting access to data critical to a criminal investigation – but without compromising the Internet’s ability to act as a global platform for communication, commerce, and speech.

Jen Daskal and I have drafted a framework for cross-border data requests that we think strikes just such a balance. This framework is consistent with basic conflicts of laws principles as well as international norms of due process and human rights. In the end, it should not be controversial to say that states ought to have a swift mechanism to access particularized data when it relates to a local crime and an independent body like a judge has deemed it necessary to a criminal investigation. There will be disagreements at the margins about what kinds of cases qualify for this kind of access -- the US may disagree with France about speech crimes, for example, and US firms may resist French hate speech laws – but those disagreements should not stand in the way of meaningful reform. (I reviewed the procedural options for implementing such reform here.)

Of course, international struggles over the Internet are not really new. Jack predicted much of this back in 1999; he and Tim Wu, Peter Swire, and others showed that states would not shy away from asserting territorial control over Internet. Those scholars were largely concerned with the Internet as a platform for speech and commerce, rather than a global repository of personal data. In particular, they examined the jurisdictional problems that arise when someone in Country A does something online that has real world effects in Country B. The problem today is typically different: someone does something in Country A, and it has real world effects in Country A, but data related to the event is held in Country B (or in any case, not in Country A). That is a different and in many ways much bigger problem. But it springs from the same source: a globally connected network that is vulnerable to local assertions of territorial control.