30 May 2017

VPN reviewer sees Internet Borders

While researching possible consumer VPN offerings, I was pleasantly surprised to find a candid acknowledgment that borders apply to the Internet.

Although I have used employer supplied VPNs, I was recently encouraged to re-consider the role of consumer VPN services. I'm especially interested in making it harder for "casual" hackers to interrupt communications when I connect to various cloud services via public WiFi. It's been a few years since I've looked at the state of the consumer VPN market, so I started with typical review articles aimed at consumers.

In reading VPN selling materials and third party reviews, I was slightly surprised to discover the very strong and common emphasis on the ability to use a VPN to mask one's geolocation - the ability of an end user in Country A to use a VPN for the purpose of pretending to be in Country B and thereby circumvent content distribution controls. In the past, I have described this as "online smuggling" or "internet smuggling".

What surprised me more was the express acknowledgement (by some) that internet smuggling is sometimes against the law - and not just the laws of "repressive" regimes. I was especially struck by this comment in a review article discussing the use of VPN to access Netflix and streaming media content generally:
Can I Use a VPN for Netflix?
Borders still exist on the web
. New, major-release films and television shows are often available on Netflix outside of the US yet only available for purchase via Amazon, iTunes, or on the Windows Store within the US. But if you were to select a VPN server in a country with rights to the show, your computer's IP address would appear to be in that country, allowing you to view the content. Of course, you might find Netflix in other countries to be even more restrictive.
The trouble is that Netflix and similar streaming services are getting wise to the scam. In my testing, I found that Netflix blocked streaming more often than not when I was using a VPN. There are a few exceptions, but I also have Netflix is actively working to protect its content deals. What works today may not work tomorrow. 
You'll note that I said "scam," above, and that is more or less true. Just because you paid for Netflix in one place does not mean you're entitled to the content available on the same service but in a different location. Media distribution and rights are messy and complicated. You may or may not agree with the laws and terms of service surrounding media streaming, but you should definitely be aware that they exist and understand when you're taking the risk of breaking them. 
- Eddy, "The Best VPN Services of 2017", PCMag UK (retrieved May 30, 2017) (emphasis added)
Reportage of Internet infrastructure has moved gradually over the years from "the Internet is borderless", to "it is impossible to apply borders to the Internet", to "it is difficult to enforce borders on the Internet".

Now we see "Borders still exist on the web". Furthermore, this author has helpfully tested the border circumvention technology as applied to a group of persons who are trying to enforce borders - online streaming media services - and found that anti-smuggling technologies are getting better.

Rather than wasting time saying silly things like "I told you so", I shall instead congratulate the growing number of people who are beginning to internalise and appreciate the reality of Internet Borders.

Oh, why not. I told you so!

18 January 2017

Why the EU Has Issued Relatively Few Data Protection Adequacy Determinations: A Reply

A January 2, 2017 commentary by Ariel Teshuva raises an intriguing question. While the European Commission is vested with the authority under Article 25(6) of the Data Protection Directive to issue data protection adequacy determinations—a declaration that a given jurisdiction outside the EU provides adequate legal protection for personal data—why have so few been adopted?

In reviewing this question, Teshuva finds the content of the current list of 12 adequacy decisions difficult to explain. She also wonders how it is that large technology and banking firms based in countries without an adequacy determination remain able to continue significant trading relationships with Europe.

In this post, I will suggest that while the list of 12 territories that benefit from adequacy decisions is heterogeneous, the membership list remains easy to explain. I will also suggest that it is understandable that many other jurisdictions remain absent from the list. Finally, I will provide some thoughts on how multinationals from third-party jurisdictions that do not benefit from adequacy determinations nonetheless maintain healthy European operations.

28 July 2016

Fraud prevention: tell me “where” this email came from

Online fraud is a major problem. Many of these frauds cross international borders. Criminals “over there” steal money from victims “over here”. But there’s a relatively simple change that email software and service providers could make that could have a significant impact on this type of fraud: let’s tell end users when an email was transmitted from a foreign mail server.

Last week, the UK Office of National Statistics released its first-ever estimates of fraud and computer crime. The numbers are sobering. In the 12-month period ending March 2016, the ONS estimates that 2 million computer crimes and 3.8 million frauds were perpetrated on victims in England and Wales. A staff member at ONS familiar with the survey expressed the (informal) view that approximately one half of these frauds were conducted using some form of online communication while the remainder used other methods such as telephone or traditional post.

The police face enormous challenges trying to enforce the law against criminals who commit fraud at a distance. Keeping in mind that more than 90% of these frauds produce a financial loss of less than £1,000 (67% produce losses of less than £100), there are limited circumstances in which a full investigation is practical.

Even when an official investigation can be justified, many of these investigations quickly encounter a barrier: an international border. Many fraud attempts directed to UK-resident victims originate from criminals who appear to be located outside of the UK.

18 July 2016

US court reminds us that Internet borders matter

A US Court of Appeals in New York confirmed again last week that regular old physical borders drawn on maps by cartographers continue to apply to the Internet and cloud services.

The long-awaited decision in Microsoft vs United States (2d Cir, July 14, 2016, No. 14‐2985) overturned a lower court decision to issue a warrant under US law that would have required the Microsoft Corporation (resident in the US) to produce emails stored on a server geo-located in Ireland.

The decision of the court ultimately turned on an interpretation of one part of the Stored Communication Act (18 USC 2703). The court concluded that when the US Congress drafted this part of the 1986 law empowering government bodies to compel disclosure of stored email using a “warrant”, that the Congress did not intend to include within the “warrant” authority the ability to compel disclosure of data stored on servers located outside the United States.

Although the case prompts discussion of many issues, there is one aspect I find especially interesting at the outset.

2 November 2014

Facebook is not a "nation" and never will be

I am always amused by the perennial news item that tries to compare an online platform to a nation. Facebook has become a favourite thing for journalists and headline writers to compare to nations. Just last week we were treated to the Huffington Post declaration: "Facebook Could Soon Be The Biggest 'Nation' On Earth" (October 28, 2014) which notes that the number of Facebook users is nearly equal to the population of China.

Of course the Huffington Post did not invent this comparison. Similar stories have been running for years, including this piece in the (British) Independent newspaper from 2012, and this article in the Economist in 2010.

But no matter how attractive the comparison may be, we are left with these unavoidable truths: Facebook is not a "nation"; Facebook is not a "country"; Facebook is not a "state". And it never will be.

In many ways this is obvious. As the Economist article stated in 2010, "[Facebook] has no land to defend; no police to enforce law and order; it does not have subjects, bound by a clear cluster of rights, obligations and cultural signals. Compared with citizenship of a country, membership is easy to acquire and renounce."

6 January 2014

The Internet Police Force

During a conference discussion panel on global cyber threats, a delegate asked if maybe it was time to start an "Internet Police Force". My response? It's already here.

The Internet Police today

We already have Internet police forces. In London we have two. The City of London Police are responsible for most criminal investigations in the relatively small business district known as the City of London. The much larger Metropolitan Police Service (popularly known as "Scotland Yard") is responsible for everyplace else in Greater London. Both of these excellent police services have undertaken numerous criminal investigations, and made many arrests, with respect to perpetrators who used the Internet in the commission of crime.

Looking to the United States, most of the police forces of individual cities, counties, and states, conduct investigations of crimes that - one way or another - involve the use of the Internet. At the US national government level, the FBI investigates crimes falling within their special jurisdiction that might involve use of the Internet, as do the Secret Service, NCIS, etc, etc.

23 December 2013

Good Grief, Charlie Brown! It's Different Community Standards

This Christmas, Charlie Brown helped me learn how community standards can be different in two different communities. This experience helps illustrate why I believe Internet Border enforcement will continue to increase - even between "friendly" countries with similar community standards.

Good Grief! Charlie Brown Rated PG

My wife and I recently ordered some DVDs to watch during the holiday break. When they arrived, we were surprised by the rating given to one of them. A DVD collection of six "Peanuts" animated children's specials from the 1960s arrived - rated PG by the British!

"How is this possible?", we wondered. The Peanuts animated television specials (aka Charlie Brown and Snoopy) were the quintessential "family viewing" television of our youth. Many were classics repeated every year on a cycle linked to major holidays, especially "A Charlie Brown Christmas" (1965). These almost served as the definition of "rated-G" entertainment in the USA.

DVD Cover

5 November 2013

Daily Show Enforces Borders

The Daily Show with Jon Stewart, a bastion of political liberalism, enforces geographic sovereign borders on the cyber frontier. This border enforcement, on behalf of a well known defender of free speech and democratic values, helps to illustrate the reality of internet borders that exist today.

For those of you who do not follow it (shame on you), the Daily Show is a spirited satire of current US political news with a progressive point of view. As a fan, I am often frustrated that the show's main web site and associated video content are not available from within the UK. The show itself is broadcast on UK television and the UK-localised version of Comedy Central has (what seems to be) a reduced online library of Daily Show videos.

Daily Show videos are often used by US political campaigners to highlight current issues. When my US-resident friends upload a reference to, or attempt to embed, a Daily Show video I often find myself blocked from seeing that video because I am physically in the UK.

So it came as no surprise after I clicked a social network post linked to Upworthy, when I encountered the following all-too-familiar notice:

As you can see, the embedded content is inaccessible to those of us who are physically present in the UK.

28 October 2013

Cyberwar lawyers endorse sovereignty

A major work on the application of public international law to the Internet supports the emerging picture that geographic sovereign borders apply to the Internet.

Earlier this year at Chatham House, I attended the London book launch of The Tallinn Manual on the International Law Applicable to Cyber Warfare (Schmitt, Michael, ed.; Cambridge University Press, 2013). This is a fascinating work written by an independent group of expert international lawyers at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia.

20 October 2013

Online "smuggling"

In the many years that I have spoken to audiences about Internet Border enforcement, I always enjoy receiving the comment from an audience member that usually goes something like this: "But these enforcement efforts are not effective. I can simply use [a VPN] / [a proxy server] / [the TOR network] / [whatever] to get around the restriction."

I often congratulate the person who makes this comment on having become a successful "Internet smuggler" - someone who breaches a border control for their own purposes. If the mood in the room is especially light, I might even suggest that the person in question probably also knows ways of hiding contraband in their luggage to evade discovery by border officials who otherwise would stop it from entering the country.

14 October 2013

The Babel Fish Paradox

The Hitchhikers Guide to the Galaxy radio, book, and film franchise by the late Douglas Adams is one of the greatest works of science fiction comedy ever created. Part of what makes the series so wonderful is Adams' willingness to satirise social and political issues. One well-known but sometimes overlooked bit in Hitchhikers helps to illuminate an important point about the future of Internet Borders: the "Babel fish".

(Stick with me here. I promise to bring it home.)

11 October 2013

UK cyber defence force

As part of the increasing trend of enforcing State sovereignty online, I note with interest the recent announcement that the UK Ministry of Defence is planning to expand its cyber defence capability by recruiting expert reservists to a Joint Cyber Reserve Unit. The BBC reported the story HERE on 29 September 2013.

I find articles like this interesting because of the (unstated) assumption that there is a delineated British cyberspace that requires defending. Of course I happen to agree with this. It's so obvious that the journalist does not need to explain it. As we look more closely at the idea, we discover that it's not cyberspace (as such) that needs defending - it's the real world infrastructure and people who rely upon it that are being defended.

I do wonder, though, how many journalists will continue to write articles next week and next month about the so-called "borderless" nature of the Internet.

As a final thought for today, I believe that comparisons with "airspace" remain useful when thinking about this subject. We don't talk about the "borderless" nature of airspace - these days we instinctively understand that sovereign states patrol and exercise authority over a given bit of airspace. We also understand that airspace is simply a medium that can be used as a path to damage a state unless that state is able to exercise effective control of that space.

7 October 2013

BBC World Service interview

Now that I have decided to renew my activity on this blog, I remembered that I was interviewed about the Internet Border thesis by BBC World Service Radio last year. The programme that interviewed me is called "One Planet", and they did a very thought-provoking piece about our Bordered World on 23 April 2012. You can hear the programme by CLICKING HERE.

The entire programme is only 17 and one-half minutes long, but if you want to skip directly to the Internet discussion then advance to about 13:00 for the intro. (I get the last word.)

Here is a bit more explanation about my (rather down-beat) comment at the end. I do not believe that the ease of communication provided by the Internet will necessarily lead the world to a single unified global set of shared rules and values. Although there has been a lot of good and effective work to harmonise our global views of important policy issues (especially in the age of the UN), many differences remain and will not be resolved soon. Furthermore, many of these differences can be measured and defined by the geographic borders of sovereign states. While the Internet may aid our understanding of one another, it will not (on its own) lead us to a state of global agreement about fundamental questions of right and wrong. No media, on its own, can do that.

6 October 2013

We're half way there

In 2008, I was invited by my academic colleagues at the Information Security Group, Royal Holloway University of London to speak to a gathering of alumni from our information security graduate degree programme. Having provided 10 years' worth of lectures about the application of the law to the Internet, the challenge was to summarise where I thought we were "now" (in 2008). My lecture presented this conclusion: "The Cyberspace Frontier is Closed".

One of the core themes I presented that day was the idea of a "de-globalising" Internet in which geographic borders are being enforced with increasing regularity. When I say that borders are "enforced" I'm not just talking about direct enforcement by sovereign states. I'm just as much referring to the process of border delineation and enforcement by private parties who find it in their own best interests to shape content or condition access based upon end user geolocation.

It may not have been in that lecture, but about that time I made the following claims about the development path of so-called cloud services:

  1. Due to regulatory and commercial pressures, the geolocation of cloud service offerings will continue to increase in importance.
  2. As customers begin to understand regulatory and commercial pressures, they will increasingly demand that their cloud service providers geographically segregate data and infrastructure, and the ability to exercise control over same.
  3. Customers will increasingly demand this geolocation assurance in service level agreements.
  4. PREDICTION: Any major cloud service provider must be able to provide such assurances within 10 years or they will be out of business (2008+10 = 2018).
When I made this prediction, I was prompted generally by many factors. These include the resurgence of the sovereign state within the international system as a reflection of differing social and community standards (including language differences), as well as the continuing desire of multinational businesses to segment marketplaces. I was not really thinking (too much) about the impact of sovereign state intelligence gathering activity, and I had no idea that a guy hiding out at an international airport would shine a light on practices that also caused people to stop and think about "where" their cloud is located. But they are (in my opinion) all a part of the same meta-trend.

So, it's 2013. We're half way to 2018. How do people feel now about my prediction from 2008? Will it remain possible for cloud service providers to remain truly global and "borderless" in nature? Or will they (as I predicted five years ago) increasingly be forced into a business model that demonstrates that location of, and control over, data is limited by geography?

3 August 2012

London Olympics Strengthen Online Border Enforcement


The London Olympics really insists that I not be allowed to understand their site. And they have employed a next-generation border enforcement technology to make certain that I remain ignorant of the games.

I live in London, England, and I understand that there is some sort of sporting event taking place in London this week. In common with many of our fellow Londoners, my wife and I decided to use this opportunity to take a vacation - far away from London. So we gave our apartment to an old American friend who is interested in the Olympics (and has event tickets) and travelled to France instead.

Now to our borders story.

28 July 2011

British Court orders ISP to enforce border

A ruling of the High Court of England has just taken us one step further along the path of Internet Border enforcement. Twentieth Century Fox et al vs British Telecommunications has already spawned a large amount of commentary on the subjects of copyright, human rights, free speech, and modern digital society. But I think the more important aspect of this case is the implicit use of sovereign international borders in patrolling the Internet.

This case is (essentially) about copyright owners trying to block copyright infringement. The allegedly infringing activity has been facilitated by a website referred to as newzbin2. But (and here's the point that really interests me) the newzbin2 web site appears to be operating from a server that is "offshore" - which is to say somewhere outside the United Kingdom.

So the copyright owners want to enforce their copyright in the United Kingdom. The website is (effectively) outside the reach of a court order. Suing many thousands of people who download infringing copies is not practical.

The solution? Ask the court to order British Telecommunications to block the ability of UK customers to access the offshore website. And that's what the High Court did. You can read about it on the BBC here.

Put differently, this is an action by the sovereign state of the United Kingdom to enforce an import ban.

So there you have it: an Internet Border enforcement order.

14 February 2011

The Inherently International Fallacy

In the two decades I have listened to debate about regulation of the Internet, one theme comes up again and again: "The Internet", I have been told, "is inherently international".

I disagree.

Consider this. What if the Internet had no international cross-border connections at all? Would we have no "Internet"? I don't think so. What would remain would be a series of 100+ "little domestic Internets" that would all (more or less) continue to function at a technical level.

11 October 2010

Speaking at the London School of Economics 19 October

If you are in London on Tuesday 19 October and want to hear more about my Internet Borders thesis, I'll be speaking at the LSE as part of a series on "staying safe online".

You can find information here.

7 October 2010

Is THIS where you are?

If you are wondering how effective systems are in determining your geo-location, here's your chance to find out. I recently experimented with a few sites that try to determine the answer. You're welcome to give it a go.

30 September 2010

Apple confirms that MY cloud is in the USA

A few weeks ago, I complained that I wanted to know where MY MobileMe cloud was geo-located. You can read my post here. After I posted the article, I decided to do the simple thing and ask Apple.

So I logged on to Apple's technical support page for MobileMe, opened a chat session with one of their support technicians, and asked "Where is my MobileMe Cloud?". I gave her a link to my article to explain the question a little better. The Apple support person was very polite, and freely admitted that my question was very unusual. What followed was about 30 minutes of very little chat while (I assume) she asked around trying to find the answer.

23 September 2010

Google legal chief wants open borders

Earlier this week, the International Herald Tribune (the global edition of the New York Times) ran an interesting Op-Ed piece by Google's chief legal officer, David Drummond. "Roadblocks on the Information Highway" is available here; mobile device users click here.

I love the title. It reminds me of a paper I wrote in the early 1990's that I wanted to call "Law and Regulation: Speed Bumps on the Information Super Highway". Alas, I acquired a more serious-minded (and more senior) co-author who dropped the highway metaphor and re-fitted our published work with a more pedestrian title.

In his well-reasoned piece, Mr Drummond makes what I call an "open borders" argument. This argument says that countries who keep their Internet Borders open tend to benefit from increased exchange of ideas, better trade relationships, etc.

20 September 2010

Cloud Computing discovers the Internet Border

Cloud Computing continues to take centre stage in the Internet Borders discussion, as now we see the New York Times getting the story (mostly) right. The NYT article, titled "Cloud Computing Hits Snag in Europe" is available on big screen here; mobile device users should click here.

The main problem under discussion is Data Protection law. The author mentions that a number of companies are working on technology-based solutions to comply with a blizzard of different rules, but only touches briefly on the number one challenge to Cloud Computing as we know it today: the "internationality" of a given "cloud".

14 September 2010

Hey, Apple, where is my cloud?

In keeping with my opinion that Cloud service providers will one day be required to specify geo-location of customer data, I decided to look through the web pages that describe Apple's MobileMe service.

MobileMe is a truly remarkable consumer cloud computing service. It syncs contacts database, calendar, etc, over multiple user devices. The data on your laptop, desktop, and iPhone all stay in perfect harmony with one another. It's been described as an "Exchange server for everyone". Cool.

But where, exactly, is this server for everyone?

8 September 2010

Birth of "Me Web" leads to "We Web"

Today's Internet is all "me, me, me". But counter-intuitively, the technology that creates this personalised web experience may give birth to a web that reinforces a sense of community based on state borders.

At the dawn of Web 1.0, every one of us who "tuned" to a specified URL experienced the same static web page at the other end of the link. Although the page occasionally changed, all of us experienced the same changed page. A bit like television, but with a theoretically infinite number of "channels". We talked about the advent of micro-communities, marketing to the long tail, etc. It was common wisdom that this divergence of content broke down a sense of community based on physical location.

But an infinite number of channels was, it seems, not enough.

24 August 2010

Estonia closes Internet border to gambling

I am grateful to one of my former graduate students who is from Estonia, who first made me aware earlier this year that Estonia had chosen to "close" its Internet border to many international gambling sites. Here's one report of the closing in a casino trade paper.

The method of border enforcement chosen by Estonia is (I believe) the shape of things to come in most countries around the world, because it is less cost-intensive than building and operating a national network gateway.

17 August 2010

What is this Internet thing and how do we shut it down?

One failed attempt to control the entire Internet in the 1990's sheds some light on why enforcing state borders on the Internet is an achievable goal.

In the mid-1990's I was a junior lawyer in the technology law group at the world's largest international law firm, based in London. A senior partner telephoned me from our litigation department. He came straight to the point:

"I understand that you know something about the Internet. Well, a client of ours has had a bit of a disaster. Some disgruntled former employee has walked out with a number of confidential documents and has published them on the Internet. Now, what is this Internet thing and how do we shut it down?"

11 August 2010

The case of the persistent salesman

At our law office in London, we were just given a stunning reminder of how easy it is (sometimes) to know where end-users are located.

A couple of us spent some time earlier today looking online for a particular type of networking equipment. We found multiple references to one specific piece of equipment, including web sites of distributors here in the UK.

A few hours later and the phone rang. It was a sales representative calling us from one of the distributors, who asked to be connected to our IT department. The salesman then said, "We noticed that you have been looking at the [equipment name] on our web site. I thought I would call to see if I could answer any questions or offer you a chance to try one of these devices."

8 August 2010

Where is my Cloud?

Cloud Computing. A brilliant approach for data handling. Want to process a large data set (like client details) accessible in all of your firm's offices without the messy expense of buying and maintaing a data centre? Host it in "the Cloud".

But what, and crucially where, is "the Cloud"?

4 August 2010

Google location data - someone knows where you are

Google faced heavy criticism recently when data privacy regulators discovered that Google Street View survey cars had been surveying with more than just cameras. As we now know, they were also collecting data relating to local WiFi routers - both public and private. A lot was written (and much heat generated) about the possibility that Google might "sniff" content in transit: snippets of emails, or web browsing traffic, or whatever else they could collect in the few seconds that a car was in range of a WiFi point.

But most people missed the bigger story. The (seemingly benign) purpose of the data capture was to get MAC codes of WiFi routers and develop a database of their geo-locations.

2 August 2010

RIM faces more international hurdles

I don't really want this blog to become "the Blackberry Report" but clearly RIM is a hot item in the news right now.

I think it's important to state that again for clarity: "RIM" is a hot item. That is to say Research in Motion, the company that provide the global secure data communication service, is in the news. Like reporters around the world, I have been referring to this story as the Blackberry story. I want to highlight that Blackberry is the device and trade name, while RIM is the "legal person" (i.e., the company) providing a back end service.

1 August 2010

Blackberry problem spreads to Saudi

Earlier today when discussing the problem of RIM/Blackberry vs the UAE, I mentioned that RIM should not ignore this problem because "... the risk here is that other countries could (and I believe will) follow the UAE's lead on this and threaten similar shut-downs."

When I wrote that, I figured that other countries would follow suit in a matter of months. Now it seems that it took less than 2 hours for news to leak that Saudi Arabia is planning a similar move, and for similar reasons.

Reports are sketchy, but here's an interesting source. The Saudi threat put an additional 700,000 subscribers (and 700,000 subscribers' revenue) at risk.

The stakes are now that much higher for RIM.

UAE Blackberry tension rises

Wow. Less that a week after I wrote about the UAE and Blackberry, and they're in the news again. Only this time it looks like the gloves are off.

Reports indicate that the United Arab Emirates (a sovereign federation of seven Emirates including Abu Dhabi and Dubai) has announced they will suspend "messaging, e-mail and Web browsing" services to Blackberry users in the UAE with effect from 11 October 2010 "until a solution compatible with local laws is reached". Here are the reports from the BBC, Bloomberg, and the AP courtesy of Google.

Here is a statement from a service provider in the UAE with their understanding of the shut-down order, which includes helpful added details. They make it clear that domestically managed services, such as voice telephony, SMS, MMS, and carrier-provided web browsing, will continue as normal. The shut-down order relates only to value-added services provided by Research in Motion (RIM), the Canadian company that designs Blackberry devices and operates the back-office service that makes them all work so smoothly. These are the services that really make the device a hit with customers such as Blackberry email and Blackberry system web browsing. Without those services, the device becomes just another web-enbled mobile phone - and not a great one. (I'm a biased iPhone user.)

So here is the problem in a nutshell.

26 July 2010

UAE and Blackberry

I was interested to see this story on BBC online. It explains that the United Arab Emirates may wish to monitor or restrict use of BlackBerry devices inside the country. What really caught my attention, however, was the concern about BlackBerry data being "stored offshore".

It should not really be that surprising that the UAE has flagged this as a national security issue. With an estimated 140,000 subscribers inside the UAE, they want to know that their legal system can enforce orders that might relate to this data.

I think that the future for BlackBerry (and, by the way, for anyone who provides a "Cloud" computing service) will be to re-architect their system so that it is possible for individual customer data storage and processing to take place in a defined physical jurisdiction. I suspect that the UAE (and others) will increasingly impose laws and regulations that take the form: "All communications data for subscribers who reside in our country, must be processed and stored within our country."

Lesson for business: If you want to run a successful online data business, you should already be designing your online border enforcement strategy.

24 June 2010

Facebook to strengthen geographic borders

I've been interested to read about Facebook's plans to offer "location based services". Like so many other online experiences today (especially embedded advertising), this is part of the meta-trend to customise one's experience of the Internet based upon end-user geo-location.

Wow that's a lot of jargon. Let me try again.

This is another side of how the Internet now "works": what you see on "the" web depends on a combination of what you put into your browser plus where you are physically when you do it. Your physical location has become a significant factor in determining what you see.

So while I am certain that Facebook's roll-out of location based services is being done for the best of business reasons, they are creating one more piece of the infrastructure that will enable better enforcement of sovereign borders upon the Internet.

Think of it like this: now that Facebook will "map" the geo-location of its end-users, how long before the sovereign government of Ruritania issues an order to Facebook to "block" the content of certain FB pages to all persons who are geo-located in Ruritania?

Now that we know the Internet has borders, the race is on to develop technologies that will assist in enforcing them.

22 June 2010

BBC makes money using Internet borders

I have written about this topic before, but it never ceases to amuse me that the BBC News web site includes paid-for advertising. At least it does whenever I'm geo-located outside of the UK.

I was returning from my home town of Dayton, Ohio last week, and was doing some rush client work from my laptop in airports.

Geo-location 1: Dayton airport. Browser pointed at: BBC News web. Appearance: paid-for advertising embedded in my page aimed at US consumers.

Geo-location 2: Toronto airport. Browser pointed at: BBC News web; Appearance: paid-for advertising embedded in my page aimed at Canadian (specifically aimed at Toronto area) consumers.

Geo-location 3: my apartment in central London. Browser pointed at: BBC News web; Appearance: NO paid-for advertising, and this is the right result. After all, if the BBC "broadcast" paid-for advertising to me while I am inside the UK then the BBC is arguably acting in violation of its charter.

I wonder how much money the BBC makes because they were willing to ignore the "standard" advice that the Internet has no borders?

Lesson for businesses: if your tech support team tells you that you can't make money because "the Internet has no borders", then it's time to get a more creative tech support team.

31 May 2010

Pakistan opens door to Facebook after a change

A court in Pakistan has ruled that Pakistan's telecommunications companies should once more allow access to Facebook traffic. Reports can be found in many locations including the Guardian,  CNN, and Al Jazeera.

The reporting is slightly confused about what exactly has happened. Everyone seems to agree that the court has dropped a requirement to block all Facebook traffic, and that the court has made clear that it will order whatever blocking it deems necessary to avoid the importation of illegal content.

20 May 2010

Pakistan tightens its Internet Border

Another day, another Internet Border story. This time Reuters reports that Pakistan (or to be precise the Pakistan Telecommunication Authority (PTA)) has ordered all Pakistan ISP's to disallow domestic access to Facebook. PTA have a history of ordering similar interdictions. For the purposes of my commentary the reason for the blockade is not critical. But for those of you who who want to know and don't want to click the link and read the Reuters report, basically the block has been ordered due to specific content on Facebook that is deemed illegal (to be specific, blasphemous) under the law of Pakistan.

As with the BBC Click news story concerning the UAE that I described here a few days ago, it's interesting to see that the journalist merely reports the circumstances of the site block. No hysterical reporting about how "but the Internet doesn't WORK that way" or anything else of the sort.

16 May 2010

BBC journalist describes online border

I was watching a television show this morning called BBC Click. It's a charming show that does a good job reviewing consumer information technology, mostly online services.  (In a spirit of full disclosure I said some negative things about one of their episodes last year.)

Today's Click programme was a special filmed in Dubai, part of the United Arab Emirates. The presenter, Spencer Kelly, showed us what happened when he attempted to connect to a few well-known web sites. Nothing outrageous. I think he mentioned Flickr and a few others.

The camera focused on Mr. Kelly's screen displaying a friendly-looking cartoon character and a warning in both Arabic and English. I did not get the full text, but the "gist" of it was something like: "The Internet is a wonderful tool for research and communication, but you have attempted to reach a web site which includes content that is forbidden by the law of the United Arab Emirates."

1 March 2010

The Diffie-Carolina non-key exchange

I chose to announce my theory that the Cyberspace Frontier is Closed as part of an alumni program at the Information Security Group, Royal Holloway University of London. In the Q&A that followed, I found myself in a strong exchange of views with fellow part-time staff member, Professor Whitfield Diffie (famed cryptographer and crypto policy expert). Whit was not an immediate believer. After nearly two years I hope that I am wearing him down.

I was happy to find a (moderately blury) picture of that show-down discussion, taken by Bhavin Desai on 23 July 2008 and posted by him to Picasa Web.

I am the short-haired lawyer-guy behind the podium. Whit is the long-haired dude in the cream color suit who has decided to come out to the virtual frontier and "call me out", rather like a cryptographic John Wayne who still believes in a borderless Internet.

So how about it, Whit? Do you believe me yet?

The original picture with copyright information, etc is here.

26 February 2010

"Google will not survive* " (Prediction v2.0)

My post on this topic generated some interesting and thought-provoking feedback. In my post, the asterisk-footnoted qualification said: "* in its current form". An engineering-minded friend wrote to me and asked if there is anything that ever truly survives "in its current form". Having considered questions of entropy, biology, philosophy, and law, I suggested that perhaps a Hydrogen atom might.

This forced me to re-think, so let me re-state my proposition and follow-up with some additional detail. Here, then, is my Google Prediction (v2.0):

     Google will not survive*
          *as a thriving multinational enterprise with global business presence and global business interests unless and until it decides to undertake a major restructure of its corporate assets, its operational methods, and its technical architecture.

Now let me spell out what I predict will happen, unless Google decides to change all of the above.

24 February 2010

"Google will not survive* "

" *in its current form"

I have been speaking publicly about my "Internet Borders" thesis since the summer of 2008. Starting in 2009, I added a concluding slide to my presentation which said, in total,

   Google will not survive*
         *in its current form

When delegates ask me about this prediction, I have explained that it is my opinion that Google's current operating structure will not be able to survive the increasing stresses of Internet de-globalization. Google's basic problem is that its business consists of operating a single massive database of, well, EVERYTHING.

If you want to know anything, then ask Google. Google itself tries valiantly to "do no harm" as they interpret this. So when I ask Google questions using their public interface Google places limits on what I can learn. But sometimes governments of various description ask deeper and more intrusive questions than Google wants to answer. Other times, Google is criticized by governments for answering too many questions and giving up too much information.

This creates a huge regulatory "sheering" force where Google is increasingly caught between conflicting laws and regulations imposed by different national governments.

22 February 2010

Political news - political advertising

Today I tuned into www.fivethirtyeight.com, one of my favourite sources for quantitative analysis of US electoral trends.

What do I see in the top-of-page banner advertising? An advertisement for the British Liberal Democratic Party. Clearly the advertising system has made an (accurate) guess of my geo-location and served up content to match. Although my subject matter interest is US politics, the advertising market is segmented by geo-location of end-user rather than the geography of the subject under discussion.

My point is this: if the Internet is truly "borderless" then this should not be possible.

Conclusion: the Internet has borders.

6 February 2010

Facebook Country Restrictions: Your social network border patrol

Here's a quick observation. I decided to start a Facebook Page for Internet Borders. (It's called Internet Borders. I have very little imagination.)

As I started to play around with the "Edit Page" feature, I found that it was (surprise!) possible to create a list of countries where the Page can be seen. I can, if I wish, make my page viewable only in "Ruritania" thus excluding the remainder of the world.

If you want to see this feature, and you are the Admin for a Page, you can find it within the Page at: Edit Page>>Settings(edit)>>Country Restrictions.

The feature works on an "opt-in" principle. The Admin enters countries that should be allowed to see the Page. It is not a country "exclusion".

Now here's my dilemma: should I enforce borders on my Internet Borders Facebook Page? Stay tuned, and see if I decide to become parochial.

Oh, the new Page is located here.

5 December 2009

Payment refused based on where I am

My wife just encountered an increasingly common example of private sector Internet border enforcement. From our living room in London, England, she decided to purchase a gift for a US-resident family member. She logged into a US retail web site and entered her order. She specified a US shipping address. She then went to "check out" and tried to use her US credit card (i.e., a card issued by a US domiciled bank) to pay. Her credit card address of record is our family address inside the US.

So here she was: sitting in London, visiting a US web site for a US retailer, purchasing a product for shipment to a US address, and paying with a US credit card linked to a US address.

The result: an unhelpful error message stating "Unsuccessful authorization". Payment declined. Frustration ensued.

Deciding to test my "Internet Borders" hypothesis, my better half telephoned the US retailer help line. The help desk person confirmed that her payment had been denied for one reason only: the web server had (correctly) guessed that she was physically located outside the US when she entered her card details and made the payment request.

7 October 2009

Unwelcome Blogger localization


Here's a funny one for you. I have just delivered a speech at the GOVCERT.NL conference on this Internet Borders theme. You can find conference details here.

I decided to log into this blog and post a few thoughts. Working from the speakers lounge here in Rotterdam, I entered the URL for my blog (www.internetborders.com). Not surprisingly, I was directed to this blog. To my surprise, the small "ribbon" above this blog that tells you I am using the "Blogger" system was written in Dutch. On the one hand, you could argue that that this is a value-added service. Blogger clearly understands that I am sitting in the Netherlands and dynamically changes the ribbon language based on a best guess of where I am.

My knowledge of Dutch is non-existent. It took me a moment to figure out a work-around that enabled me to log-in. The quickest work-around was "guess the meaning of this Dutch word".

(BTW, yes I know that I can change the HTML of my blog template to get rid of the Blogger ribbon.)

26 September 2009

I can't watch HULU from outside the US

Here's a quick one. While reading Huffington Post, I was referred to a video of Saturday Night Live available via Hulu. Instead of a video, I was given a black "death screen" telling me that this video is not available outside the US. The site's helpful explanation can be found at http://www.hulu.com/support/content_faq#outside_us

This says:
For now, Hulu is a U.S. service only. That said, our intention is to make Hulu's growing content lineup available worldwide. This requires clearing the rights for each show or film in each specific geography and will take time. We're encouraged by how many content providers have already been working along these lines so that their programs can be available over the Internet to a much larger, global audience. The Hulu team is committed to making great programming available across the globe.

What I find interesting is the assumption by HULU that content distribution can be controlled by geography.

Still believe that the Internet has "no borders"?

29 July 2009

I can't order British groceries from Asia

The first time I gave a public lecture about "Internet Borders", one of my former students in the audience shared a story about his recent experience with online borders. He and his wife had been traveling extensively in South East Asia and they were preparing to return to England. They had been away for a long time and knew that their kitchen was empty. They also knew that they would be exhausted after the long-haul flight.

So they had a brilliant idea: they would log on to the web site of their (very well known) UK grocery store, and place an order for some groceries. They could schedule delivery late in the same day that they landed. Anyone who travels long-haul over multiple time zones will see the brilliance of this plan. Here is an opportunity to stay in-doors and recover without the need to go out shopping.

One problem: the UK grocery store web site was strangely inaccessible. The web browser and net connection was working, but it became clear that this specific traffic was being refused. Once my student and his wife landed in England they were able to connect immediately.

I have not been able to confirm this with the grocery store in question (and thus I will not identify them) but my working hypothesis is this: someone who runs the web site reasoned that people outside the UK do not need to order home-delivered groceries from a grocery store in the UK. (Perhaps the traffic was only refused from points originating outside Europe?) Therefore such "foreign" traffic was likely to be a nuisance (at best) or a prelude to fraud (at worst).

WHAT ABOUT YOU? Have you ever tried to order something online "back home" while away on a trip and found that you could not? If so, please place a comment here explaining your encounter.

28 July 2009

There's no such place as cyberspace

Every year I start my course at the Information Security Group, Royal Holloway University of London by explaining how laws (even really old laws) apply to the use of the Internet. There are only three basic rules, and the first of these is: There is no such place as "cyberspace".

This shouldn't be too surprising. The word "cyberspace" was created by author William Gibson in the early 1980's. He explained that "cyberspace" exists in our imaginations. In his fiction he described it as a "consensual hallucination" shared by billions. I'm pretty happy with that as a working definition.

Laws exist in the real world and define relationships between people who live in the real world. Laws also define the relationship between a given state and the people who have an impact on people in that state. Enforcement of law is carried out by people who use varying degrees of force with respect to other people. The common denominator? People. People who live in a real and physical world.

There is no "state" of cyberspace. It has no meaningful existence as a "place".

There is a lot more to say about this, but not today.

27 July 2009

Advertising on the BBC?

Have a quick look at BBC News online. You will find it at news.bbc.co.uk.

Here's a question for you: do you see commercial advertising? The answer will very likely depend on WHERE you are when you look at the web site.

Those of us who live in the UK do not see advertising, and there is an important legal reason that we do not see advertising. Here in the UK every household with a colour television set is required to pay an annual "television license fee" of about GBP145 (about USD240). This money is collected and given to: the BBC! Since we are paying for the BBC anyway, the BBC is (by law) not allowed to sell commercial advertising in its UK broadcasting. The BBC has taken this mandate into its online activity, and so BBC News Online does not advertise. Or does it?

The BBC is not allowed to show commercial advertising in its UK broadcasting, but it is very much allowed to sell its content to international markets - and those international outlets are allowed to charge for commercial advertising broadcast in THEIR market. So I'm very sorry for all of my friends in the US who watch BBC North America. You are not in the UK, you don't pay a UK license fee, so you can struggle through television commercials like everyone else in North America.

But what about the online operation? A few years ago while traveling in the US I noticed something unusual when I logged into BBC News Online: advertising!

So here's the thing: if you look at news.bbc.co.uk while you are located in the USA, you will probably see paid-for commercial advertising. (It doesn't always work. Try it and see what happens. Post your results here as a Comment because I'd like to know what you see.)

SAME URL leads to DIFFERENT content, depending on where you are in the physical world.

Do you still believe there are no "borders" in cyberspace?

24 July 2009

Content not available in your region

Isn't it interesting how often we now encounter this message. What do you mean "my region"? The web site operator means "where you are physically sitting and using a web browser". So when sitting in Europe it is increasingly difficult to obtain video feeds from US television network web sites. For those of you in the USA, you may similarly find it difficult to "see" video posted on the BBC web site here in the UK.

We all type in the same URL: what we actually "see" depends on which country we are in at the time we type.

Internet borders.