Something is rotten at the core of our conception of Internet governance. Almost unnoticed, nations are trying to impose – often successfully – sovereign borders and legal demands on a digital realm that is inherently borderless. Left unchecked, this instinct to create sovereign barriers risks fracturing the Web in ways that will jeopardize its economic, political, and social utility.
Consider a few recent examples:
• China is advancing a security law that would require those who do business in its financial industry to disclose the source code of their security measures. Beijing claims the law is "for the protection" of Chinese customers. Vendors would also be required to maintain data about Chinese customers in China; and to build into their products decryption back doors allowing access to private, personal information.
• Moscow has, similarly, implemented a requirement for the domestic storage of data about Russian customers, a requirement that Apple acceded to as a condition of continued sales in Russia.
• Microsoft is contesting a US law enforcement effort to force the company to repatriate data about a non-American citizen to the states from an Irish data center, possibly in violation of Ireland's laws.
• In Britain, under the Regulatory Investigative Powers Act, the government has asserted its authority to extend inquiries to relevant information no matter where it might be held on the globe.
• French authorities are attempting to force Google and other search engines to modify search results, deleting links maintained on servers outside of Europe, that point to truthful information about Europeans who have asserted their newly granted “right to be forgotten.”
You may think these efforts are less about citizen protection and more about citizen control. Or, maybe you are asking, why companies such as Apple publicly resist and vociferously oppose US law enforcement requests for access to data while seemingly acquiescing to Russia.
But the problem is far deeper and more insidious than efforts to monitor or control citizens or corporate willingness to cooperate with troubling government policies. It's more than a “traditional” conflict between governments and a regulated industry. Rather, these disputes are harbingers of a much larger, and portentous debate – will nation states be able to erect borders in a borderless domain, fundamentally altering its nature.
The stakes are not trivial. The Internet makes a significant contribution to global economic growth. Perhaps even more importantly, it serves as a fundamentally transformative engine of social and political change. And conflict over its transnational nature is, to a large degree, “built in” to the system – the nature of network connectivity is inherently globalized. Sovereign nations are trying to “map” borders onto a domain where they don’t naturally occur.
If they succeed, free flows of information and data – and all the economic and social benefit that comes with that connectivity – are at risk because nations are seeking to constrain the network as a way of asserting their own authority.
We're facing an inflection point. Inevitably, the authoritarian nations whose life-blood is citizen control will continue to diverge from the small “l” liberal nature of the digital domain. Western democracies need to offer a better alternative – to reinvigorate the freedom of the network, eschew too great a role for governments, and unite to present the uncommitted world in the middle (South America, Africa, much of Asia and the Middle East) with a more attractive option.
The outlines of that better way are clear. It involves two things – agreement on baseline rules for the limits of extraterritorial law enforcement inquiry and better, more effective cross border cooperation.
As to the first part of the problem, the challenge is that in this new domain nobody knows whose law applies. Since the network defies borders, traditional notions of national jurisdiction evaporate. We need to agree on a set of meta-rules, about how to decide which nation’s laws take precedence.
But even with such an agreement, nations will act unilaterally if they think their legitimate interests won’t be addressed. We need to update existing rules for cross-border investigation of cybercrime – some of which are decades old.
Will that be enough? Hardly. Authoritarian countries such as China and Iran are unlikely to participate – but at a minimum we can reduce, or eliminate, the conflict between Western democracies, and agree on rules that will keep the network open and free. Our governments owe their citizens nothing less.
Paul Rosenzweig is a senior adviser to The Chertoff Group, a global security and risk management advisory, and former deputy assistant secretary for Policy at the Department of Homeland Security. Follow Paul on Twitter @rosenzweigp.