space picture bastion_logo picture

space picture




Present

Past

Subjects

Projects

Misc
space picture

THE COMING JURISDICTIONAL SWAMP

The Coming Jurisdictional Swamp of Global Internetworking
(Or, How I Learned to Stop Worrying and Love Anonymity)


Draft, Presented 11/16/94
Douglas Barnes, Austin Cypherpunks

The Babel Fish

It used to be that a lot of my net friends thought the growth and global spread of the Internet was an unmitigated Good Thing. "Global communication is the key to world peace," I used to hear. "High bandwidth connections between nations will create a global sense of community."

And this has really come to pass in pockets of the net. I count many people around the world, people I've never met as, "friends," and feel a strong sense of community on certain mailing lists.

But you don't hear the boundless optimism anymore, thanks mostly to fine folks like Canter and Seigel and the hordes of Delphi and AOL. Like many barbarian invasions, the invaders are assimilated quickly -- but with each wave there are fewer illusions about Internet growth leading to peace, love and baby ducks. As the net expands it seems to increase the opportunities for conflict faster than the opportunities for togetherness and world understanding.

Some of you may be insulated from this sort of thing -- as recently as last year I attended a talk based on the premise of "more Internet nodes will lead to world peace." It turned out the speaker's experience for this conclusion was based on hanging out on the Well, which is about as peaceful, insulated and self-selecting as an online community can get.

After he gave the talk, I invited the speaker to come sample some of the more "full contact" Internet services. I spent most of an afternoon showing him the seamier underside of Usenet and IRC, which is easy to ignore on the Well. We talked.

"I bet you've never heard of the Babel Fish, have you?" I asked. He hadn't.

"It doesn't really exist," I told him. "It was made up by a science fiction author named Douglas Adams, a very silly person, but with some insight in this matter. See, if you put a Babel Fish in your ear, you can understand anything spoken to you in any language. Talk about increasing your global bandwidth!"

"A fish? In your ear?"

"I did say he was silly. But listen, here's what he says about it." I read to him:

... the poor Babel fish, by effectively removing all barriers to communication between different races and cultures, has caused more and bloodier wars than anything else in the history of creation.

"Now that's just science fiction, but that's what we're going to be faced with as the Internet grows, only substitute 'flame wars' for 'wars.' People aren't going to be throwing virtual flowers to each other, they're going to be mixing full-color animations of aborted fetuses crying 'mommy... mommy' into their abortion flamewars. They're going to burn each other in virtual effigy. Christians will dangle fantastically well-rendered 3-D pork chops in front of Moslems, Moslems will dangle 3-D T-bones in front of Hindus. And those are just the interpersonal problems... just wait until governments get involved."

The Swamp

The Internet is like a multi-media Babel Fish. It lets us communicate with great immediacy and little forethought. In a matter of seconds we can send our ill-considered opinions, our home videos, our get-rich-quick schemes, even scanned images of our genitals, racing around the world, impacting hundreds if not thousands of legal jurisdictions, evoking amusement, boredom or offense in tens of thousands of communities... each with its unique set of community standards.

Now a swamp is a place that doesn't look so bad from the outside until you go into it and find yourself hip-deep in muck and alligators. Then the alligators chew your legs off.

The swamp of global jurisdiction is already beginning with the war between smut and anti-smut. More and more countries and cultures, with radically different community standards, obscenity hot buttons and sacred cows WILL get actively involved in the net. Whether the topic is bondage in Bangladesh, pubic hair in Peoria or spankings in Singapore, the local citizenry are going to be outraged, and the net WILL draw the attention of the authorities. Communities will demand that the authorities Do Something. It's only a matter of time. Here in the US one can hardly pick up a newspaper or magazine without being treated to another dose of handwringing about irresponsible content on the Internet -- as the net spreads globally, so will the commotion.

But so what? It's just commotion, right?

A Tennessee court recently convicted a pair of California sysops for making sexually explicit images available by modem to the whole world, which, unfortunately for them, includes Tennessee. No matter that the images didn't violate Los Angeles community standards. In Tennessee they did, and since the images could be retrieved in Tennessee through the phone system, that was good enough to convict them on charges of interstate trafficking in obscenity. While it's still not clear how this case will be resolved on appeal, it is an early and so far successful attempt to judge globally available information by the standards of an arbitrary, far-removed jurisdiction. At least for the purposes of determining obscenity, digitized pictures placed on a computer, with a modem, were considered a shot fired across a frontier.

The swamp is just beginning to fill, and truly international examples are still sparse. But one of the early flashpoints will certainly be the widely varying international standards regarding sexual images. The laws are all over the map: in Saudi Arabia, distributing Sports Illustrated Online Swimsuit Edition would likely be grounds for involuntary amputation without anesthetic; in Amsterdam, pretty much anything goes, including what most of the world considers child pornography. In Japan genitalia are OK, but displaying pubic hair can get you thrown in jail; in the US, even the tamer skin mags show pubic hair, with special censure reserved for the actual genitalia -- depending, of course, on community standards. We already have convictions resulting from differences in standards just within the US; there is growing pressure here and elsewhere to punish those who electronically publish offensive materials, regardless of what country they're in or what nationality they are.

A key question, then, is on what basis, and through what mechanisms, will countries be able to punish those who violate faraway local ordinances through their participation in global internetworks? I believe that as the Internet grows in importance, both socially and commercially, nations will be more and more motivated to extend jurisdiction to the very source of what they perceive as offensive or illegal content. Moreover, it won't just be naughty gifs, but insider trading, espionage, libel, anti-trust, blasphemy, sedition, breach of contract, money laundering, and violation of patent, trademark, copyright and trade secrets law -- a grab bag of offenses with wildly varying treatment on the international scene.

There is a popular notion among many netters that "If it isn't a crime in the country where I'm logged in, I can't be extradited, convicted or punished elsewhere." Unfortunately for those who will get to be the test cases, countries have a variety of handy legal doctrines to prosecute extraterritorial behavior, and a variety of ways of effecting that jurisdiction.

The relevant doctrines are:

  • Objective jurisdiction.

    Your basic shot fired across a frontier. Alice, standing in Mexico, shoots Bob, who is standing in the US. Alice can (and probably will) be prosecuted in the US, since the OBJECT of her crime was in the US. A good example for us is a Supreme Court decision in 1916, Lamar v. United States[1], where the Supreme Court held that a telephone fraud could be prosecuted where the call terminated instead of where it was placed from.

  • Effects doctrine.

    It's like objective jurisdiction, but fuzzier; it became established in US law through enforcement of anti-trust measures.[2] In the ALCOA case, the US successfully pursued an anti-trust action against a foreign aluminum cartel based on the EFFECT their restraint of trade had on the US.[3] The effects doctrine weakens the requirement for directness of the effect as well as reducing the need for a "temporal nexus" to bridge cause and effect.[4]

  • Active personality

    This covers jurisdiction over crimes committed by nationals abroad and is implemented in many different ways in different countries. It's most widely used against diplomatic personnel (who generally have immunity where the crime is committed). Rumor has it Germany is now using this doctrine to prosecute Germans who deal drugs in Amsterdam or have sex with child prostitutes in Thailand. While both activities are nominally illegal where the crime is committed, the relevant laws go largely unenforced there.

  • Passive personality

    Crimes committed against nationals. The US will, forinstance, actively pursue and attempt to extradict or otherwise punish terrorists who commit crimes of violence directed against Americans "because they are Americans," regardless of where the crimes take place.[5]

  • Protective principle

    Used against spies, would-be saboteurs, racketeers and their ilk, as the behavior must only potentially or indirectly affect the national interest. This was cited, along with the effects doctrine, by US prosecutors in the Noriega[6] case. Look for this principle to be invoked against international software piracy rings.

  • Universal jurisdiction

    It will probably be a long time before we start seeing war crimes (flame war crimes?) on the net, but this handy principle is used for sufficiently heinous crimes such as genocide which are considered "universally abhorrent" and can be prosecuted anywhere.

These principles, particularly the effects doctrine and the protective principle, allow a country to justify prosecution of almost any behavior on a global internetwork that they would care enough about to want to prosecute.

The next trick is how nations get their hands on and/or punish the possibly far-removed offenders.

The underlying principle in the US and many other countries is, "mala captatus, bene detentus," or, "bad capture, good detention".[7] This is illustrated in a variety of cases, including quite recently United States v. Alvarez-Machain, in which the DEA paid bounty hunters $20,000 to kidnap from Mexico a suspect in the slaying of US DEA agent Enrique Camarena.[8] The Supreme Court held that "United States sponsored abduction of a fugitive criminal suspect from foreign soil does not prohibit his trial in a US court, notwithstanding an official protest by the offended nation.[9]" So how a suspect is brought into a given jurisdiction is largely irrelevant in an attempt to overturn a conviction (with some exceptions; for instance, the Toscanino case, where the accused was kidnapped, tortured for seventeen days, and then illegally extradited from Brazil.[10])

Rather than pondering legal niceties, a more important factor to consider is
how badly someone irritates a given country and what treaties and resources
said country can bring to bear. Popular methods for effecting extraterritorial
justice include:

  • Formal and informal extradition

    We all know about formal extradition -- this is where people get it stuck in their heads that the offense must be illegal in both places, because that's a clause in most extradition treaties. Note that even this doesn't require a very exact match; for instance, there is no crime of "wire fraud," in the UK, but extradition is successful from the UK to the US in a wire fraud case because the equivalent crime in the UK is "theft."[11]And while the sense of global community may be eroding on the Internet, it can be quite strong between law enforcement officials, leading to "informal" extraditions by simply grabbing someone and putting them on a plane to the requesting country or rerouting a flight. In a few countries, such as the UK, the informal approach can be grounds for a successful appeal, but not in the US, or in most non-common-law countries.[12]

  • Opportunistic seizure

    If someone is selling kiddie porn over the net from Amsterdam or making virtual book in Belize, I wouldn't recommend they go home to visit Mom in Los Angeles for Thanksgiving, or take any flights with stopovers in the US. Flight lists ARE checked for international fugitives, and this is a great way to catch suspects who aren't quite worth the trouble of extraditing.

    Both electronic and print authors carefully consider their travel plans, especially if they've been potentially offensive. For instance, science-fiction writer William Gibson is probably steering clear of Singapore for the next decade or so.[13] As the net expands globally, Usenet posters, web page editors and archive maintainers may find themselves in an unexpected legal pickle while travelling abroad.

  • Kidnapping by governments or other interested parties

    While a few spectacular cases make the news, one author estimated in 1991 that the US was abducting two people A DAY from Mexico alone.[14] The US is clearly the biggest offender in this regard, but Israel and France have also demonstrated few qualms about abducting suspects.[15] This is probably not a big fear for US citizens in the US, but rather anyone committing "crimes" (no matter how legal in the host country) outside the US with perceived effects inside the US. With the greatly increased penalties for copyright infringement in the US, along with RICO laws, it will be interesting to see whether any of the anti-piracy groups get involved in this sort of activity -- they already maintain worldwide networks of investigators and lawyers to try to combat piracy and counterfeiting.

  • Military invasion (Noriega)

    An unusual and highly controversial approach that we used against our friend Manuel.

  • Assassination and other terrorist measures

    Whether at home or abroad, I think this is one very likely way American and other citizens in their home countries will be affected when they deliberately or unwittingly violate laws or community standards in faraway jurisdictions. A good example for this is the Salman Rushdie case, even though Rushdie is British and he published a book, not a Usenet post.

    Six months after the publication of Satanic Verses, the Ayatollah Khomeini issued a fatwa, or death sentence, on everyone involved in its publication who was aware of its content.[16] Twenty people have been killed so far in connection with the fatwa, including the Italian and Japanese translators; Rushdie is still in hiding, with a $1 million bounty on his head.[17] What is less well known is that Rushdie is merely the best-known and certainly one of the luckier Arab writers to face this treatment; in the introduction to For Rushdie, the publisher lists five other authors who have recently faced fatwa, only two of whom are still alive.[18]

  • Individual retaliation

    Just as we're starting to see the occasional stalking or other person to person crime on the major online services, expect this to take on an international character with the global spread of the net.

Hip Boots, Canoes, and Draining the Swamp

A great many real benefits that are anticipated from global internetworking are going to be lost, if users, information providers and online merchants become mired in this swamp of overlapping jurisdictions, conflicting regulations and variable community standards.

One possibility is that network participants will just have to suffer. They will be forced to shoulder the burden of avoiding entanglement with hundreds of sets of national and provincial laws -- or get off the net. As the net becomes more global, the possibility of foreign legal entanglements will act as an increasingly substantial barrier to entry. Furthermore, it will limit economic activity and free speech on the net due to fear of unexpected international consequences.

To counter this, one can imagine various schemes to limit distribution. Certain publications or information products might be available only to residents of certain countries, along the lines of the ftp sites used for distributing cryptography in the US. To be secure, this would require, for starters, a global standard for authenticating individuals as to their citizenship -- an electronic passport. Companies would then have to hire experts to screen materials, and only then could controversial materials be made available, based on the consumer's nationality. Alternatively, publishers and merchants could use these same experts to assist them in reducing their offerings to a pablum-like least offensive denominator. Individuals would likely be on their own, unless they could afford a legal staff.

Another possibility, the one I'm going to focus on, is for individuals, commercial publishers and online merchants to operate anonymously. This is a big step for large corporations with strong brand names, and their first step in this direction might be to use online distributors who are anonymous, rather than taking the whole corporation behind an electronic veil. With time though, as information companies begin life with a pseudonymous identity, brands and customer loyalty can be built up around network pseudonyms. There is already a long history, both in print and on the net, of individuals creating and using strong pseudonyms; the federalist papers, for instance, were written pseudonymously, and historians are still trying to sort out who actually wrote which ones.

If carried out effectively, and if users are careful not to give away their identity, robust anonymity handily solves the problems of surprise legal jurisdiction, fatwa, and individual retaliation. Users would pay for anonymizing services with anonymous digital cash, of course -- and it makes no difference how their packets get on the net in the first place, if they're all processed through a packet laundry in Jamaica or Finland.

Sometimes, though, network participants will be motivated to make their "true names" knowable. For instance, participants who wanted to inspire confidence could escrow their true names with their local government or a commercial arbitration agency. As part of a transaction, participants would exchange true name escrow certificates. If the transaction goes sour, the injured party could seek a remedy with the cooperation of the escrow government or agency. This provides a mechanism for resolving commercial disputes while limiting the dispute resolution process to a particular set of laws or an agreed-upon arbitration process. True name escrow certificates could also be used by publishers, indicating their willingness to be accept actions for libel in a given jurisdiction, potentially enhancing their credibility.

This anonymity approach enjoys a competitive advantage over the more cumbersome "national authentication" or "pablum" schemes because:

  • A much greater variety of content could be provided to more people without fear of retaliation. For instance, the Sports Illustrated Online Swimsuit Edition, Cosmopolitan Online, or their equivalent, that would be considered pornographic throughout much of the world.

  • Online speech, publishing and commercial transactions would be subject to a strictly limited number of legal jurisdictions .

  • Information could be made available more quickly, without a lengthy review process prior to release.

  • Anonymization would be substantially cheaper than legal review of the impact of each work on hundreds of legal jurisdictions.

  • Users' privacy would be optimally protected.

Whenever the subject of anonymity comes up, however, many people begin to fear a breakdown of the already tenuous civility on the net. Not that there is a firm link from real name to Internet access account right now, but there is still a comforting illusion, and for some users there is enough information to take complaints to school officials, postmasters, and their ilk. As we have seen with Canter and Seigel, however, the current system does little to deter the hard-core disrupter, even a well-identified one.

So I will briefly mention one way a degree of order can be maintained among participating spheres of activity (such as a newsgroups, mailing lists or IRC channels), while preserving anonymity, through the voluntary applicaton of Chaumian credentials.[19] In this type of system, each real user receives an "is-a-person" credential through their local government or a notary public, which is used to generate a unique pseudonym within each sphere of activity (what Chaum refers to as "organizations"). Credentials issued within one sphere of activity could be securely transferred to another without anyone except the user being aware of a link between the two pseudonyms. For instance, each sphere might have a credential of "is not a spammer," and implement a mechanism requiring that all submissions come with "is not a spammer" credentials. Then they might get really organized, and have someone issue "meta is-not-a-spammer" credentials, representing the is/is-not a spammer status in a large number of spheres.[20]

The net probably needs to experiment with these and other automated forms of moderation regardless of whether there is a link between a username and a true name. But such systems are complex, and very much require the consent of the governed -- if someone sets up a mailing list or a newsgroup with this type of restriction, and people don't like it, they can stay away in droves. If people like the effect, they'll get involved and participate. In any event, I don't see anonymity as being any more disruptive to civility on the net than the existing situation -- if anything it evens out the playing field -- and anonymity does not add much to the inherent complexity of automated moderation and similar approaches for weeding out disruptive participants in a public or semi-public forum.

But this sort of voluntary social control is not what law enforcement is concerned with.

The bottom line is, your typical computer cop wishes he or she could track every packet on a global internetwork and pin it on a particular individual. Anything that gets in the way of this is Not Good. Not only that, but it would sure be nice if the packet was encrypted only with government-approved cryptography, and didn't have any subtext lurking in the low-order bits. While there are many arguments from a law enforcement perspective on why all this would be desirable, it is not realistic or necessary for effective law enforcement on the net.

Indulge me in a quick analogy.

Suppose you've got a problem with some dude robbing 7-11s. How do you catch the guy? Do you:

  • Stake out 7-11s with cops posing as clerks?

  • Use informants to see who's bragging about ripping off 7-11s?

  • Wait for the perpetrator to screw up (if he's going for 7-11s, he can't be that smart...)?

  • Or do you:

  • Ban the sale of ski masks?

  • Require radio ID leg bracelets for all 7-11 customers?

Now that last suggestion would certainly slow down or stop the rip-offs, but from both an economic and a social point of view it is completely unworkable. It would infuriate the customers. It would hurt 7-11's business. It also overlooks the technological race between police-supplied radio ID bracelets and counterfeit ones, or the possibility of jamming, or...

This is similar to the problem law enforcement would face if they attempted to force authentication for all activity on a global internetwork of meaningful size and scope. It would be a form of censorship, and, to quote John Gilmore, "The Internet interprets censorship as damage, and routes around it." You might end up with a global internetwork with the properties you describe, but it would quite rapidly be replaced with or shadowed by another net that did not have this policy. Users might even get sneaky and route most of their packets as disguised data over your global internetwork. What's more, the technology for creating and extending wide area networks is getting easier to set up every day, and can run over an expanding variety of media (wires, fiber, microwave, spread spectrum RF, laser, meteor bounce and so forth).

One approach that law enforcement might take is to encourage legislation against anonymizing tools, and attempt to marginalize and discredit anonymous services. This is going to be an uphill battle for authorities, at least in the US, as there is strong protection for products and services with substantial legal use. For instance, information companies would dearly love to take action against VCRs and anti-copy-protection software, but these have been determined to have substantial legal use, in addition to the possibility of facilitating a crime.

I think that it is going to be in the best interests of law enforcement to focus on applying conventional law-enforcement tactics directed at their own citizens, rather than trying to take on the whole net or anonymous services in general. They are unlikely to be very successful, and would likely have a "destroying the village in order to save it" effect on the rapid growth of global internetworking.

Anonymizing tools and services on global internetworks can give a competitive advantage to publishers and merchants, and security to individuals from foreign governments and unhinged individuals worldwide. While they can be used to further illegal ends, much as a ski mask or a Halloween mask can, they have substantial legal use in protecting privacy and preventing unforseeable foreign legal entanglements. Some services and transactions may require a disclosure of identity, or at least a potential disclosure, just as many buildings will require you to take off your ski mask or Halloween mask before entering a building, but anonymity per se is not illegal and should not be made illegal. I think I can safely predict that there will be commercial anonymization tools and services available on the net by this time next year. I also predict that they will be used primarily for legal purposes -- at least, purposes that are legal in the home country of the user. I think that rigorous, cryptography-based anonymity is going to the best way out of the global swamp of jurisdiction, and because of this I expect many people will come to appreciate it in the years to come.




[1] 240 US 60 (1916).

[2] United States v. Aluminum Company of America (ALCOA), 148 F. 2d 416 (1945).

[3] Neale and Stephens, International business and national jurisdiction. Oxford University Press, 1988. pp 44-46.

[4] Id. pp 16.

[5] Id. 271.

[6] Ma, Frances, "Noriega's abduction from Panama: Is Military Invasion an Appropriate Substitute for International Extradition?" Loyola, Los Angeles, International and Comparative Law Journal. p. 945.

[7] This principle is rooted in Ker v. Illinois, 119 US 436 (1886) and Frisbie v. Collins, 342 US 519 (1952).

[8] Wing, Michael, "Extradition Treaties-International Law--The US Supreme Court Approves Extraterritorial Abduction of Foreign Criminals--United States v. Alvarez-Machain, 112 S. Ct. 2188 (1992)", Georgia Journal of International and Comparative Law, Vol. 23:435. Note that the case against Dr. Alvarez was subsequently dismissed by the judge for lack of evidence.

[9] United States v. Alvarez-Machain, 112 S. Ct. 2188 (1992).

[10] 500 F.2d 267 (2d Cir 1974).

[11] Choo.

[12] Choo.

[13] Gibson, William, "Disneyland with the Death Penalty", Wired [??].

[14] Moss, "Official Kidnapping," 77 ABA Journal 24 (January 1991).

[15]

[16] Appignanesi and Maitland, The Rushdie File, Institute of Contemporary Arts, 1990.

[17] Pipes, The Rushdie Affair, Birch Lane Press, New York, 1990. p. 28.

[18] Abdallah et. al., Pour Rushdie, George Braziller, Inc., 1994.

[19] Chaum, "Showing Credentials without Identification: Transferring Signatures between Unconditionally Unlinkable Pseudonyms".

[20] This would also assume that Usenet news is fixed so that it is not absurdly trivial to get past moderating mechanisms. space picture


Please report errors to --> errors@alamut.com
This page was first created on --> 7/6/98; 8:14:01 CET
This page was last modified on --> 7/6/98; 10:56:23 CET

space picture