Lawfare‘s Andrew Keane Woods worries about the legal future of what is basically an extra-legal entity:
States are increasingly asserting territorial control over the Internet—often because doing so is the only way to get access to data in which the state has a legitimate interest—and this has a number of troubling consequences. For example, if law enforcement in one country cannot get access to criminal evidence held by American Internet companies, they might: 1) demand that data be held on local servers, where it can more easily be accessed (and surveilled); 2) deploy covert surveillance efforts to access the data (and perhaps demand a way around the service provider’s encryption); and/or 3) assert extraterritorial jurisdiction over the foreign-held data, throwing Internet companies in an unfortunate conflict of laws. …
In my view, privacy advocates and Internet companies should be pushing hard — much harder then they are currently pushing – to address this larger crisis. States must be allowed to exercise local regulatory control over the Internet in ways that are consistent with their legitimate government interests – like getting access to data critical to a criminal investigation – but without compromising the Internet’s ability to act as a global platform for communication, commerce, and speech.
Jurisdiction is key, of course, and jurisdiction depends on physicality – that is, the tangible location of some chunk of data key to an investigation. If a crime is committed in one country and the key chunk of data is in another, well, alacrity is not a populous member of this literary landscape. From Woods’ New York Times editorial piece:
This cross-border process is notoriously slow. Requests take an average of 10 months — an eon in a criminal investigation — and many languish for years.
This leads to some alarming trends, again from Woods:
I recently attended a conference for purveyors of surveillance software — an event unofficially known as the “Wiretappers’ Ball.” I asked one vendor if he was aware of law enforcement’s frustrations with American tech firms. The salesman grinned and told me that police departments now buy his malware precisely because they’re tired of waiting for evidence through established diplomatic channels. This is alarming: Making it harder for the police to get criminal evidence lawfully may actually incentivize them to seek that data by snooping.1
This aside, though, there’s a hidden assumption – that data is atomic. It’s not. It’s often treated that way, of course, even when it’s replicated for such things as Internet management. Data can be distributed, such that any particular chunk is not usable, but only in combination with the rest does it become useful. A careful, intelligent criminal could partition critical data and save it in 100 countries – if he knew the server physical locations. And then the police would have a nightmarish administrative problem.
I’m not familiar with the dark net, so it’s certainly possible that just such a service already exists, just like sales of credit cards and other critical data. And while I doubt the technical expertise of most criminals, the Internet means it only takes one morally challenged programmer …
1 As an aside, SF author Jack Vance described, purely as background, an analogous situation having to do with the essence of outer space and how travel times would affect policing efforts, resulting in the creation of the Interworld Police Coordinating Company (IPCC), an entity not necessarily under the control of any local government, almost a private entity
