
   
   
           THE COMING JURISDICTIONAL SWAMP OF GLOBAL INTERNETWORKING
                                       
   
   
(Or, How I Learned to Stop Worrying and Love Anonymity)

   
   
   
   
   Draft, Presented 11/16/94
   
   Douglas Barnes, Austin Cypherpunks
   
   
   
   
   
   
   
   
   
   The Babel Fish
   
   It used to be that a lot of my net friends thought the growth and
   global spread of the Internet was an unmitigated Good Thing. "Global
   communication is the key to world peace," I used to hear. "High
   bandwidth connections between nations will create a global sense of
   community."
   
   And this has really come to pass in pockets of the net. I count many
   people around the world, people I've never met as, "friends," and feel
   a strong sense of community on certain mailing lists.
   
   But you don't hear the boundless optimism anymore, thanks mostly to
   fine folks like Canter and Seigel and the hordes of Delphi and AOL.
   Like many barbarian invasions, the invaders are assimilated quickly --
   but with each wave there are fewer illusions about Internet growth
   leading to peace, love and baby ducks. As the net expands it seems to
   increase the opportunities for conflict faster than the opportunities
   for togetherness and world understanding.
   
   
   
   Some of you may be insulated from this sort of thing -- as recently as
   last year I attended a talk based on the premise of "more Internet
   nodes will lead to world peace." It turned out the speaker's
   experience for this conclusion was based on hanging out on the Well,
   which is about as peaceful, insulated and self-selecting as an online
   community can get.
   
   After he gave the talk, I invited the speaker to come sample some of
   the more "full contact" Internet services. I spent most of an
   afternoon showing him the seamier underside of Usenet and IRC, which
   is easy to ignore on the Well. We talked.
   
   "I bet you've never heard of the Babel Fish, have you?" I asked. He
   hadn't.
   
   "It doesn't really exist," I told him. "It was made up by a science
   fiction author named Douglas Adams, a very silly person, but with some
   insight in this matter. See, if you put a Babel Fish in your ear, you
   can understand anything spoken to you in any language. Talk about
   increasing your global bandwidth!"
   
   "A fish? In your ear?"
   
   "I did say he was silly. But listen, here's what he says about it." I
   read to him:
   
   
   
     ... the poor Babel fish, by effectively removing all barriers to
     communication between different races and cultures, has caused more
     and bloodier wars than anything else in the history of creation.
     
   
   
   "Now that's just science fiction, but that's what we're going to be
   faced with as the Internet grows, only substitute `flame wars' for
   `wars.' People aren't going to be throwing virtual flowers to each
   other, they're going to be mixing full-color animations of aborted
   fetuses crying `mommy... mommy' into their abortion flamewars. They're
   going to burn each other in virtual effigy. Christians will dangle
   fantastically well-rendered 3-D pork chops in front of Moslems,
   Moslems will dangle 3-D T-bones in front of Hindus. And those are just
   the interpersonal problems... just wait until governments get
   involved."
   
   
   
   The Swamp
   
   The Internet is like a multi-media Babel Fish. It lets us communicate
   with great immediacy and little forethought. In a matter of seconds we
   can send our ill-considered opinions, our home videos, our
   get-rich-quick schemes, even scanned images of our genitals, racing
   around the world, impacting hundreds if not thousands of legal
   jurisdictions, evoking amusement, boredom or offense in tens of
   thousands of communities... each with its unique set of community
   standards.
   
   Now a swamp is a place that doesn't look so bad from the outside until
   you go into it and find yourself hip-deep in muck and alligators. Then
   the alligators chew your legs off.
   
   The swamp of global jurisdiction is already beginning with the war
   between smut and anti-smut. More and more countries and cultures, with
   radically different community standards, obscenity hot buttons and
   sacred cows will get actively involved in the net. Whether the topic
   is bondage in Bangladesh, pubic hair in Peoria or spankings in
   Singapore, the local citizenry are going to be outraged, and the net
   will draw the attention of the authorities. Communities will demand
   that the authorities Do Something. It's only a matter of time. Here in
   the US one can hardly pick up a newspaper or magazine without being
   treated to another dose of handwringing about irresponsible content on
   the Internet -- as the net spreads globally, so will the commotion.
   
   But so what? It's just commotion, right?
   
   A Tennessee court recently convicted a pair of California sysops for
   making sexually explicit images available by modem to the whole world,
   which, unfortunately for them, includes Tennessee. No matter that the
   images didn't violate Los Angeles community standards. In Tennessee
   they did, and since the images could be retrieved in Tennessee through
   the phone system, that was good enough to convict them on charges of
   interstate trafficking in obscenity. While it's still not clear how
   this case will be resolved on appeal, it is an early and so far
   successful attempt to judge globally available information by the
   standards of an arbitrary, far-removed jurisdiction. At least for the
   purposes of determining obscenity, digitized pictures placed on a
   computer, with a modem, were considered a shot fired across a
   frontier.
   
   
   
   The swamp is just beginning to fill, and truly international examples
   are still sparse. But one of the early flashpoints will certainly be
   the widely varying international standards regarding sexual images.
   The laws are all over the map: in Saudi Arabia, distributing Sports
   Illustrated Online Swimsuit Edition would likely be grounds for
   involuntary amputation without anesthetic; in Amsterdam, pretty much
   anything goes, including what most of the world considers child
   pornography. In Japan genitalia are OK, but displaying pubic hair can
   get you thrown in jail; in the US, even the tamer skin mags show pubic
   hair, with special censure reserved for the actual genitalia --
   depending, of course, on community standards. We already have
   convictions resulting from differences in standards just within the
   US; there is growing pressure here and elsewhere to punish those who
   electronically publish offensive materials, regardless of what country
   they're in or what nationality they are.
   
   A key question, then, is on what basis, and through what mechanisms,
   will countries be able to punish those who violate faraway local
   ordinances through their participation in global internetworks? I
   believe that as the Internet grows in importance, both socially and
   commercially, nations will be more and more motivated to extend
   jurisdiction to the very source of what they perceive as offensive or
   illegal content. Moreover, it won't just be naughty gifs, but insider
   trading, espionage, libel, anti-trust, blasphemy, sedition, breach of
   contract, money laundering, and violation of patent, trademark,
   copyright and trade secrets law -- a grab bag of offenses with wildly
   varying treatment on the international scene.
   
   There is a popular notion among many netters that "If it isn't a crime
   in the country where I'm logged in, I can't be extradited, convicted
   or punished elsewhere." Unfortunately for those who will get to be the
   test cases, countries have a variety of handy legal doctrines to
   prosecute extraterritorial behavior, and a variety of ways of
   effecting that jurisdiction.
   
   The relevant doctrines are:
   
   
   
     * Objective jurisdiction. Your basic shot fired across a frontier.
       Alice, standing in Mexico, shoots Bob, who is standing in the US.
       Alice can (and probably will) be prosecuted in the US, since the
       object of her crime was in the US. A good example for us is a
       Supreme Court decision in 1916, Lamar v. United States[1], where
       the Supreme Court held that a telephone fraud could be prosecuted
       where the call terminated instead of where it was placed from.
       
     * Effects doctrine. It's like objective jurisdiction, but fuzzier;
       it became established in US law through enforcement of anti-trust
       measures.[2] In the ALCOA case, the US successfully pursued an
       anti-trust action against a foreign aluminum cartel based on the
       effect their restraint of trade had on the US.[3] The effects
       doctrine weakens the requirement for directness of the effect as
       well as reducing the need for a "temporal nexus" to bridge cause
       and effect.[4]
       
     * Active personality
       This covers jurisdiction over crimes committed by nationals abroad
       and is implemented in many different ways in different countries.
       It's most widely used against diplomatic personnel (who generally
       have immunity where the crime is committed). Rumor has it Germany
       is now using this doctrine to prosecute Germans who deal drugs in
       Amsterdam or have sex with child prostitutes in Thailand. While
       both activities are nominally illegal where the crime is
       committed, the relevant laws go largely unenforced there.
       
     * Passive personality
       Crimes committed against nationals. The US will, for instance,
       actively pursue and attempt to extradict or otherwise punish
       terrorists who commit crimes of violence directed against
       Americans "because they are Americans," regardless of where the
       crimes take place.[5]
       
     * Protective principle
       Used against spies, would-be saboteurs, racketeers and their ilk,
       as the behavior must only potentially or indirectly affect the
       national interest. This was cited, along with the effects
       doctrine, by US prosecutors in the Noriega[6] case. Look for this
       principle to be invoked against international software piracy
       rings.
       
     * Universal jurisdiction
       It will probably be a long time before we start seeing war crimes
       (flame war crimes?) on the net, but this handy principle is used
       for sufficiently heinous crimes such as genocide which are
       considered "universally abhorrent" and can be prosecuted anywhere.
       
   These principles, particularly the effects doctrine and the protective
   principle, allow a country to justify prosecution of almost any
   behavior on a global internetwork that they would care enough about to
   want to prosecute.
   
   The next trick is how nations get their hands on and/or punish the
   possibly far-removed offenders.
   
   
   
   The underlying principle in the US and many other countries is, "mala
   captatus, bene detentus," or, "bad capture, good detention".[7] This
   is illustrated in a variety of cases, including quite recently United
   States v. Alvarez-Machain, in which the DEA paid bounty hunters
   $20,000 to kidnap from Mexico a suspect in the slaying of US DEA agent
   Enrique Camarena.[8] The Supreme Court held that "United States
   sponsored abduction of a fugitive criminal suspect from foreign soil
   does not prohibit his trial in a US court, notwithstanding an official
   protest by the offended nation.[9]" So how a suspect is brought into a
   given jurisdiction is largely irrelevant in an attempt to overturn a
   conviction (with some exceptions; for instance, the Toscanino case,
   where the accused was kidnapped, tortured for seventeen days, and then
   illegally extradited from Brazil.[10])
   
   Rather than pondering legal niceties, a more important factor to
   consider is how badly someone irritates a given country and what
   treaties and resources said country can bring to bear. Popular methods
   for effecting extraterritorial justice include:
   
   
     * Formal and informal extradition
       We all know about formal extradition -- this is where people get
       it stuck in their heads that the offense must be illegal in both
       places, because that's a clause in most extradition treaties. Note
       that even this doesn't require a very exact match; for instance,
       there is no crime of "wire fraud," in the UK, but extradition is
       successful from the UK to the US in a wire fraud case because the
       equivalent crime in the UK is "theft."[11]And while the sense of
       global community may be eroding on the Internet, it can be quite
       strong between law enforcement officials, leading to "informal"
       extraditions by simply grabbing someone and putting them on a
       plane to the requesting country or rerouting a flight. In a few
       countries, such as the UK, the informal approach can be grounds
       for a successful appeal, but not in the US, or in most
       non-common-law countries.[12]
       
     * Opportunistic seizure
       If someone is selling kiddie porn over the net from Amsterdam or
       making virtual book in Belize, I wouldn't recommend they go home
       to visit Mom in Los Angeles for Thanksgiving, or take any flights
       with stopovers in the US. Flight lists are checked for
       international fugitives, and this is a great way to catch suspects
       who aren't quite worth the trouble of extraditing.
       
       Both electronic and print authors carefully consider their travel
       plans, especially if they've been potentially offensive. For
       instance, science-fiction writer William Gibson is probably
       steering clear of Singapore for the next decade or so.[13] As the
       net expands globally, Usenet posters, web page editors and archive
       maintainers may find themselves in an unexpected legal pickle
       while travelling abroad.
       
     * Kidnapping by governments or other interested parties.
       While a few spectacular cases make the news, one author estimated
       in 1991 that the US was abducting two people a day from Mexico
       alone.[14] The US is clearly the biggest offender in this regard,
       but Israel and France have also demonstrated few qualms about
       abducting suspects.[15] This is probably not a big fear for US
       citizens in the US, but rather anyone committing "crimes" (no
       matter how legal in the host country) outside the US with
       perceived effects inside the US. With the greatly increased
       penalties for copyright infringement in the US, along with RICO
       laws, it will be interesting to see whether any of the anti-piracy
       groups get involved in this sort of activity -- they already
       maintain worldwide networks of investigators and lawyers to try to
       combat piracy and counterfeiting.
       
     * Military invasion (Noriega)
       An unusual and highly controversial approach that we used against
       our friend Manuel.
       
     * Assassination and other terrorist measures
       Whether at home or abroad, I think this is one very likely way
       American and other citizens in their home countries will be
       affected when they deliberately or unwittingly violate laws or
       community standards in faraway jurisdictions. A good example for
       this is the Salman Rushdie case, even though Rushdie is British
       and he published a book, not a Usenet post.
       
       Six months after the publication of Satanic Verses, the Ayatollah
       Khomeini issued a fatwa, or death sentence, on everyone involved
       in its publication who was aware of its content.[16] Twenty people
       have been killed so far in connection with the fatwa, including
       the Italian and Japanese translators; Rushdie is still in hiding,
       with a $1 million bounty on his head.[17] What is less well known
       is that Rushdie is merely the best-known and certainly one of the
       luckier Arab writers to face this treatment; in the introduction
       to For Rushdie, the publisher lists five other authors who have
       recently faced fatwa, only two of whom are still alive.[18]
       
     * Individual retaliation
       Just as we're starting to see the occasional stalking or other
       person to person crime on the major online services, expect this
       to take on an international character with the global spread of
       the net.
       
   
   
   
   
   Hip Boots, Canoes, and Draining the Swamp
   
   A great many real benefits that are anticipated from global
   internetworking are going to be lost, if users, information providers
   and online merchants become mired in this swamp of overlapping
   jurisdictions, conflicting regulations and variable community
   standards.
   
   One possibility is that network participants will just have to suffer.
   They will be forced to shoulder the burden of avoiding entanglement
   with hundreds of sets of national and provincial laws -- or get off
   the net. As the net becomes more global, the possibility of foreign
   legal entanglements will act as an increasingly substantial barrier to
   entry. Furthermore, it will limit economic activity and free speech on
   the net due to fear of unexpected international consequences.
   
   To counter this, one can imagine various schemes to limit
   distribution. Certain publications or information products might be
   available only to residents of certain countries, along the lines of
   the ftp sites used for distributing cryptography in the US. To be
   secure, this would require, for starters, a global standard for
   authenticating individuals as to their citizenship -- an electronic
   passport. Companies would then have to hire experts to screen
   materials, and only then could controversial materials be made
   available, based on the consumer's nationality. Alternatively,
   publishers and merchants could use these same experts to assist them
   in reducing their offerings to a pablum-like least offensive
   denominator. Individuals would likely be on their own, unless they
   could afford a legal staff.
   
   
   
   Another possibility, the one I'm going to focus on, is for
   individuals, commercial publishers and online merchants to operate
   anonymously. This is a big step for large corporations with strong
   brand names, and their first step in this direction might be to use
   online distributors who are anonymous, rather than taking the whole
   corporation behind an electronic veil. With time though, as
   information companies begin life with a pseudonymous identity, brands
   and customer loyalty can be built up around network pseudonyms. There
   is already a long history, both in print and on the net, of
   individuals creating and using strong pseudonyms; the federalist
   papers, for instance, were written pseudonymously, and historians are
   still trying to sort out who actually wrote which ones.
   
   If carried out effectively, and if users are careful not to give away
   their identity, robust anonymity handily solves the problems of
   surprise legal jurisdiction, fatwa, and individual retaliation. Users
   would pay for anonymizing services with anonymous digital cash, of
   course -- and it makes no difference how their packets get on the net
   in the first place, if they're all processed through a packet laundry
   in Jamaica or Finland.
   
   Sometimes, though, network participants will be motivated to make
   their "true names" knowable. For instance, participants who wanted to
   inspire confidence could escrow their true names with their local
   government or a commercial arbitration agency. As part of a
   transaction, participants would exchange true name escrow
   certificates. If the transaction goes sour, the injured party could
   seek a remedy with the cooperation of the escrow government or agency.
   This provides a mechanism for resolving commercial disputes while
   limiting the dispute resolution process to a particular set of laws or
   an agreed-upon arbitration process. True name escrow certificates
   could also be used by publishers, indicating their willingness to be
   accept actions for libel in a given jurisdiction, potentially
   enhancing their credibility.
   
   
   
   This anonymity approach enjoys a competitive advantage over the more
   cumbersome "national authentication" or "pablum" schemes because:
   
   
   
     * A much greater variety of content could be provided to more people
       without fear of retaliation. For instance, the Sports Illustrated
       Online Swimsuit Edition, Cosmopolitan Online, or their equivalent,
       that would be considered pornographic throughout much of the
       world.
       
     * Online speech, publishing and commercial transactions would be
       subject to a strictly limited number of legal jurisdictions .
       
     * Information could be made available more quickly, without a
       lengthy review process prior to release.
       
     * Anonymization would be substantially cheaper than legal review of
       the impact of each work on hundreds of legal jurisdictions.
       
     * Users' privacy would be optimally protected .
       
   
   
   Whenever the subject of anonymity comes up, however, many people begin
   to fear a breakdown of the already tenuous civility on the net. Not
   that there is a firm link from real name to Internet access account
   right now, but there is still a comforting illusion, and for some
   users there is enough information to take complaints to school
   officials, postmasters, and their ilk. As we have seen with Canter and
   Seigel, however, the current system does little to deter the hard-core
   disrupter, even a well-identified one.
   
   So I will briefly mention one way a degree of order can be maintained
   among participating spheres of activity (such as a newsgroups, mailing
   lists or IRC channels), while preserving anonymity, through the
   voluntary applicaton of Chaumian credentials.[19] In this type of
   system, each real user receives an "is-a-person" credential through
   their local government or a notary public, which is used to generate a
   unique pseudonym within each sphere of activity (what Chaum refers to
   as "organizations"). Credentials issued within one sphere of activity
   could be securely transferred to another without anyone except the
   user being aware of a link between the two pseudonyms. For instance,
   each sphere might have a credential of "is not a spammer," and
   implement a mechanism requiring that all submissions come with "is not
   a spammer" credentials. Then they might get really organized, and have
   someone issue "meta is-not-a-spammer" credentials, representing the
   is/is-not a spammer status in a large number of spheres.[20]
   
   The net probably needs to experiment with these and other automated
   forms of moderation regardless of whether there is a link between a
   username and a true name. But such systems are complex, and very much
   require the consent of the governed -- if someone sets up a mailing
   list or a newsgroup with this type of restriction, and people don't
   like it, they can stay away in droves. If people like the effect,
   they'll get involved and participate. In any event, I don't see
   anonymity as being any more disruptive to civility on the net than the
   existing situation -- if anything it evens out the playing field --
   and anonymity does not add much to the inherent complexity of
   automated moderation and similar approaches for weeding out disruptive
   participants in a public or semi-public forum.
   
   
   
   But this sort of voluntary social control is not what law enforcement
   is concerned with.
   
   The bottom line is, your typical computer cop wishes he or she could
   track every packet on a global internetwork and pin it on a particular
   individual. Anything that gets in the way of this is Not Good. Not
   only that, but it would sure be nice if the packet was encrypted only
   with government-approved cryptography, and didn't have any subtext
   lurking in the low-order bits. While there are many arguments from a
   law enforcement perspective on why all this would be desirable, it is
   not realistic or necessary for effective law enforcement on the net.
   
   Indulge me in a quick analogy.
   
   Suppose you've got a problem with some dude robbing 7-11s. How do you
   catch the guy? Do you:
   
   
   
     * Stake out 7-11s with cops posing as clerks?
       
     * Use informants to see who's bragging about ripping off 7-11s?
       
     * Wait for the perpetrator to screw up (if he's going for 7-11s, he
       can't be that smart...)?
       
     * Or do you:
       
     * Ban the sale of ski masks?
       
     * Require radio ID leg bracelets for all 7-11 customers?
       
   
   
   Now that last suggestion would certainly slow down or stop the
   rip-offs, but from both an economic and a social point of view it is
   completely unworkable. It would infuriate the customers. It would hurt
   7-11's business. It also overlooks the technological race between
   police-supplied radio ID bracelets and counterfeit ones, or the
   possibility of jamming, or...
   
   This is similar to the problem law enforcement would face if they
   attempted to force authentication for all activity on a global
   internetwork of meaningful size and scope. It would be a form of
   censorship, and, to quote John Gilmore, "The Internet interprets
   censorship as damage, and routes around it." You might end up with a
   global internetwork with the properties you describe, but it would
   quite rapidly be replaced with or shadowed by another net that did not
   have this policy. Users might even get sneaky and route most of their
   packets as disguised data over your global internetwork. What's more,
   the technology for creating and extending wide area networks is
   getting easier to set up every day, and can run over an expanding
   variety of media (wires, fiber, microwave, spread spectrum RF, laser,
   meteor bounce and so forth).
   
   One approach that law enforcement might take is to encourage
   legislation against anonymizing tools, and attempt to marginalize and
   discredit anonymous services. This is going to be an uphill battle for
   authorities, at least in the US, as there is strong protection for
   products and services with substantial legal use. For instance,
   information companies would dearly love to take action against VCRs
   and anti-copy-protection software, but these have been determined to
   have substantial legal use, in addition to the possibility of
   facilitating a crime.
   
   I think that it is going to be in the best interests of law
   enforcement to focus on applying conventional law-enforcement tactics
   directed at their own citizens, rather than trying to take on the
   whole net or anonymous services in general. They are unlikely to be
   very successful, and would likely have a "destroying the village in
   order to save it" effect on the rapid growth of global
   internetworking.
   
   
   
   Anonymizing tools and services on global internetworks can give a
   competitive advantage to publishers and merchants, and security to
   individuals from foreign governments and unhinged individuals
   worldwide. While they can be used to further illegal ends, much as a
   ski mask or a Halloween mask can, they have substantial legal use in
   protecting privacy and preventing unforseeable foreign legal
   entanglements. Some services and transactions may require a disclosure
   of identity, or at least a potential disclosure, just as many
   buildings will require you to take off your ski mask or Halloween mask
   before entering a building, but anonymity per se is not illegal and
   should not be made illegal. I think I can safely predict that there
   will be commercial anonymization tools and services available on the
   net by this time next year. I also predict that they will be used
   primarily for legal purposes -- at least, purposes that are legal in
   the home country of the user. I think that rigorous,
   cryptography-based anonymity is going to the best way out of the
   global swamp of jurisdiction, and because of this I expect many people
   will come to appreciate it in the years to come.
   
   
   
   
   
   
     _________________________________________________________________
   
   
   
   [1] 240 US 60 (1916)
   
   [2] United States v. Aluminum Company of America (ALCOA), 148 F. 2d
   416 (1945)
   
   [3] Neale and Stephens, International business and national
   jurisdiction,. Oxford University Press, 1988. pp 44-46
   
   [4] Id. pp 16.
   
   [5] Id. 271.
   
   [6] Ma, Frances, "Noriega's abduction from Panama: Is Military
   Invasion an Appropriate Substitute for International Extradition?"
   Loyola, Los Angeles, International and Comparative Law Journal. p.
   945.
   
   [7] This principle is rooted in Ker v. Illinois, 119 US 436 (1886) and
   Frisbie v. Collins, 342 US 519 (1952).
   
   [8] Wing, Michael, "Extradition Treaties-International Law--The US
   Supreme Court Approves Extraterritorial Abduction of Foreign
   Criminals--United States v. Alvarez-Machain, 112 S. Ct. 2188 (1992)",
   Georgia Journal of International and Comparative Law, Vol. 23:435.
   Note that the case against Dr. Alvarez was subsequently dismissed by
   the judge for lack of evidence.
   
   [9] United States v. Alvarez-Machain, 112 S. Ct. 2188 (1992)
   
   [10] 500 F.2d 267 (2d Cir 1974)
   
   [11] Choo
   
   [12] Choo
   
   [13] Gibson, William, "Disneyland with the Death Penalty", Wired [??]
   
   [14] Moss, "Official Kidnapping," 77 ABA Journal 24 (January 1991)
   
   [15]
   
   [16] Appignanesi and Maitland, The Rushdie File, Institute of
   Contemporary Arts, 1990.
   
   [17] Pipes, The Rushdie Affair, Birch Lane Press, New York, 1990. p.
   28
   
   [18] Abdallah et. al., Pour Rushdie, George Braziller, Inc., 1994.
   
   [19] Chaum, "Showing Credentials without Identification: Transferring
   Signatures between Unconditionally Unlinkable Pseudonyms," .
   
   [20] This would also assume that Usenet news is fixed so that it is
   not absurdly trivial to get past moderating mechanisms. 
