International Law and Order in Cyberspace—Cloud Computing and the Need to Revisit the Foundations of “Jurisdiction”

Introduction

The time when the Internet was merely a playground for nerds is long gone. Today, many, if not most, aspects of our daily life are carried out via, or at least impacted by, the Internet. Furthermore, all aspects of a country’s wellbeing—its cultural and political influence, its financial position, and, indeed, its security and military capabilities—depend on its engagement with the Internet. In light of this, it is hardly surprising that cyberspace is becoming an increasingly competitive environment; and as in any other competitive environment, we need rules to regulate rights and responsibilities.

Unfortunately, such rules are largely missing at the moment. As between states, cyberspace is rather like a game of the well-known strategy board game Risk played without agreed-upon rules—the dice are rolled and positions moved forward without sufficient regard for the other “player” or the overall order. Fortunately, there is, generally speaking, a sufficient degree of goodwill for some level of “fair play” to be recognized. Further, in relying on rules created in, and for, the offline world, some degree of order is maintained. However, we cannot go on playing Risk using the rulebook developed for Monopoly—we need rules specifically tailored for the online environment or, even better, technology-neutral rules capable of being applied sensibly both online and offline.

The rules we need most urgently are rules governing jurisdiction. Such rules determine the reach of both rights and responsibilities between countries. Using a discussion of cloud computing as the canvas, this essay seeks to paint the picture of a bold new thinking on how we deal with jurisdiction in our modern world. In doing so, it will be illustrated that we can no longer ground our approaches in the dated territoriality thinking that has run as a fil rouge throughout large parts of history.

Cloud Computing and International Law

Defining cloud computing is not an easy task. Fortunately, we have now reached a stage of such general familiarity with the term “cloud computing” that strict definitions may be unnecessary. However, in the fewest of words, cloud computing involves storing, processing, and accessing data, processing power, and programs over the Internet instead of, or combined with, your computer’s local capabilities.

At any rate, by its very nature, cloud computing transcends location, geography, and territorial boundaries. Data accessed in one country might be stored halfway across the world, or even on servers in multiple countries.

International law, on the other hand, currently sees the world through the lens of various jurisdictions, which are inherently linked to location, geography, and territorial boundaries. It is fair to say that, in our current paradigm, the territoriality principle represents the core of the international law thinking on jurisdiction—a State has jurisdiction over all that occurs in its territory for the simple reason that it occurs in its territory. But as is well known, it is not always easy—or indeed possible—to determine where (in real space geographical terms) events take place online.

Strict territoriality is clearly and self-evidently ill-equipped for today’s modern society characterized by constant, fluid, and substantial cross- border interaction, not least via the Internet. And when cloud computing and international law interact, sometimes the results can be highly problematic.

For example, in December 2013 the US government served a search warrant on Microsoft under the Electronic Communications Privacy Act of 1986. The warrant authorized the search and seizure of information associated with a specific web-based email account that is stored at Microsoft’s premises in Dublin, Ireland.

Microsoft has opposed the warrant since the relevant emails are located exclusively outside the US in Ireland. Under the US government’s view, international law supports them, since all steps to retrieve the data would be taken on US soil.

In contrast, Europe takes the view that the US would be engaging in law enforcement in Ireland, since that is where the data sits. From this point of view, existing international law seems to support the European claim.

Microsoft holds the position of “the meat in the sandwich”—complying with the US search warrant may have it violate European law, and in abiding by EU data privacy law, it will most likely be held to violate US law.

This situation—where our rules of international law support opposing positions simultaneously—is nonsensical, and the time has surely come to start over. Unsurprisingly, there are increasing calls for innovative ways to solve the considerable problems caused by overlapping claims of jurisdiction on the Internet. For example, former Homeland Security Secretary Michael Chertoff recently said in the Wall Street Journal that “[t]he current free- for-all of competing nations needs to be replaced with an agreed-upon international system for newly designed choice-of-law rules for data in the Internet Cloud.”

Chertoff called for steps to harmonize existing rules in a framework of law for the cyber age. Calls such as this are both reasonable and timely. So what is the problem? What stands in the way of a serious reform?

A Problematic 81-Year-Old

The problem is that real progress cannot be made without desecrating some principles taken for granted by most lawyers, policy-makers, and politicians, and held as holy by the international law community.

The approach international law takes to these matters stems from 1935, when the Harvard Research “Draft Convention on Jurisdiction with Respect to Crime” (the so-called Harvard Draft) was published. It articulated a set of grounds for jurisdiction to varying degrees recognized under international law.

Most importantly, it pointed to the so-called “territorial principle” (which places focus on the geographical location of events, persons, data etc.) as being “everywhere regarded as of primary importance and of fundamental character.”

This might sound pretty straightforward and uncontroversial. But as illustrated by the mentioned Microsoft Warrants case, it is not straightforward and uncontroversial in a world of cloud computing.

Unfortunately, we have allowed the Harvard Draft principles to perpetuate a 1930s way of thinking about the world. Eighty-one-year-old principles from a very different world are still governing us, and they are restricting our thinking today. As an unsurprising consequence, the principles found in the Harvard Draft are no longer part of any solution. They have become a part of the problem. And nowhere is this truth more obvious than in the context of jurisdictional claims in relation to the Internet.

The Scale of the Problem

Early debates about Internet jurisdiction centered on the argument that it is difficult, or even impossible, to identify the location of online activities. These remain real concerns, and we need to continue that discussion not least in the context of cloud computing. However, as the debate has matured, an even greater concern is now that many online activities, intentionally or unintentionally, touch upon the territories of states without having neither real substantial connections to those states, nor giving rise to any legitimate interest in the matter by those states.

To prove this point, I need only to ask you what countries’ laws you expose yourself to in your everyday life activities, such as when posting on social media. Imagine, for example, that you do not like this essay and as a result write something defamatory about me on your social media site of choice. Which countries’ laws should you consider then?

In most instances, it seems beyond intelligent dispute that you will have to take account of the law of the country you are in at the time you make the posting. But that is, of course, not the end of the matter. You may also need to consider the law of the country in which you are habitually residing (and/or domicile) and the law of your country of citizenship, where these are not the same. Then you will probably also need to consider US law as most major social media platforms are based in the US.

Given that your hypothetical posting relates to another person (me), you may also need to consider the laws where I am located, residing, domiciled, and where I am a citizen. And you may also need to consider the laws of any country in which I have some form of a reputation to protect. We are here already talking of a few, potentially very different, legal systems supplying laws with which you are meant to comply.

But then, under the law of many, not to say most, countries, focus may be placed on where content is downloaded or read. This means that you will also need to take account of the laws of all the countries in which your Facebook “friends” or LinkedIn “connections” are found, and less predictably, the laws of all the countries in which they may be located when reading your posting. It goes without saying that the number of additional legal systems to be considered grows with the number, and geographical diversity, of your friends or connections and, in light of the mobility of people, may never be fully ascertained at the time of posting.

Then things get really messy. Given that your postings may be re-posted, you also need to take account of the laws of all the countries in which re-posted versions of your posting may be downloaded or read. Here you, the original poster, obviously lose all possibilities of predicting the scope of laws to which you may be exposed.

As if this was not complicated enough, we must also bear in mind that content placed on social media platforms is often stored in “the cloud,” and while we as users may not necessarily be able to find out where our content is stored, we may be legally obligated to consider the laws of the country in which the content is stored. Finally, content posted may, depending on both your settings and on how your social media platform treats those settings, be available to third parties, and you may then need to also let the laws of the locations of those third-parties guide your conduct.

This legal situation, of extraordinary complexity, is what 1.55 billion Facebook users expose themselves to on a daily basis. And, of course, a similar reasoning could be applied to users of other popular social media platforms such as LinkedIn and Instagram, with their hundreds of millions of registered users.

For the absolute majority, their postings will not lead to any legal drama. However, the thought of being exposed to potential legal liability in a large number of countries should be a concern to anyone. And of course, the very idea that you, strictly speaking, should inform yourself of all those laws you are meant to follow is daunting indeed. This may be worth considering next time you are posting something on your favorite social media platform.

As can be imagined, the situation outlined above applies equally for many companies conducting business online.

A New Paradigm

To move forward, we must recognize that the territoriality principle, and the other Harvard Draft principles, are merely proxy principles for the underlying core principles. They were, after all, constructed to reflect the legal practice at the time.

Particularly when we are trying to apply the law to novel phenomena that need to become the subject of clear legal rules, we need to cut away the undergrowth of such proxy principles and identify the core principles that are reflected in them. Only then will we be able to focus on the considerations and values that truly are to be balanced.

It seems to me that the essence of the jurisdictional principles currently used—both in public international law and in private international law—may be distilled into three core principles:

In the absence of an obligation under international law to exercise jurisdiction, a State may only exercise jurisdiction where:

(1) there is a substantial connection between the matter and the State seeking to exercise jurisdiction;

(2) the State seeking to exercise jurisdiction has a legitimate interest in the matter; and

(3) the exercise of jurisdiction is reasonable given the balance between the State’s legitimate interests and other interests.

The proposed paradigm shift from proxy principles to core principles represents an important philosophical and theoretical change. However, it is on the practical level that the main benefits will be seen.

Done carefully and diligently, the shift would see no practical change in non-controversial areas of jurisdiction, since territoriality typically will be associated with both a substantial connection and a legitimate interest. At the same time, the proposed paradigm shift would see us being much better equipped to address what is now a controversial area. It will allow us to think more creatively rather than just mechanically, in binary. It would, for example, free us from the thinking that state A always must have a jurisdictional claim over all aspects of data that happened to be located on a server located in state A – a notion that simply does not fit with the nature of cloud computing.