17 August 2010

What is this Internet thing and how do we shut it down?

One failed attempt to control the entire Internet in the 1990's sheds some light on why enforcing state borders on the Internet is an achievable goal.

In the mid-1990's I was a junior lawyer in the technology law group at the world's largest international law firm, based in London. A senior partner telephoned me from our litigation department. He came straight to the point:

"I understand that you know something about the Internet. Well, a client of ours has had a bit of a disaster. Some disgruntled former employee has walked out with a number of confidential documents and has published them on the Internet. Now, what is this Internet thing and how do we shut it down?"

In the time that I was with this firm, I learned a few lessons. One of the most important is that junior lawyers must avoid making senior partners feel uncomfortable. I choked back my instinctive reply of "that's impossible", and instead decided to work the problem. Using all of our resources as private-sector lawyers based in more than 20 countries, what would happen if we tried to shut down the Internet?

The two of us spent some time talking about persons we could serve with court orders. We discussed the role of ISPs, server operators, the distributed nature of the Internet, the distributed nature of the Usenet, the nature of mirrored content, and (critically) the international nature of content distribution and the jurisdictional limits of any single court order.

After about 10 minutes the senior litigation partner said, "Hmmm. Perhaps the practical answer here is that although we could take some court actions, they simply won't achieve the client's goal." I agreed, and that was the end of it.

The reason we reached that conclusion was simple: from a legal perspective there is simply no such "thing" as the Internet. It is not a monolithic structure; it is not operated by a single person or company; it is not even controlled by a collective of persons who agree with one another about its use or purpose.

This critical observation - "there is no such thing as the Internet" - is the first step in understanding how laws apply to the Internet.

(The second observation is "there is no such place as cyberspace". I wrote about that here. The third and final observation is: "generally speaking, law and regulation applies to people and not technology".)

The litigation partner was not asking to sue "the Internet". He wanted to sue the people who make the Internet work. In order to "shut it down" we would need to identify, locate, and sue an impractical number of people in an impractical number of jurisdictions. Our chances of success in many of the lawsuits was indeterminate, and our fees would have been outrageous. So not absolutely impossible, but practically unachievable with the methods at our disposal. (Hey cryptographers! Does this remind you of "computationally infeasible"?)

Our client faced a hopeless task: trying to recover from the entire world each and every copy of stolen documents.

Today sovereign states and non-state actors are working on a goal that I believe is much easier to achieve: enforcing Internet content distribution restrictions based on some state borders that can be enforced with respect to most of the people in a given state, most of the time.

Sovereign states have a series of advantages over our client in the 1990's. First, they have a lot more money to spend. Second, they are not trying to shut down the entire Internet. They simply want to enforce law and policy within their sovereign territory. Third, they are not trying to achieve "perfect" enforcement of their borders. They are presumably doing what states have done for centuries - trying to insure that borders can be enforced against most of the people, most of the time. Fourth, these states don't need to enforce their laws against people all around the world. They can achieve a lot by enforcing against persons within their sovereign territory. Fifth, they can change the law and demand compliance. Most people usually want to comply with the laws of the places where they live, most of the time.

At the other end of the network, content distribution businesses are also trying to achieve a more modest goal. They want territorial restrictions they place on their content distribution to work most of the time. Less-than-perfect compliance is usually good enough.

Internet borders, like every other state border in human history, are not perfectly enforceable and they never will be. But perhaps that doesn't matter.