Cyber-jurisdiction and the cloud: the smartphone case

A short commentary to share (again) some doubts and ideas about what I could define… the separation of the Cyber-church and the State.

If you read most of the commentary published online after Saudi Arabia and other countries announced that later this year mobile e-mail services will not be available, it sounds more like the usual querelle about which “jurisdiction” has the precedence.

In Europe, we have over 1000 years of experience on the issue, but when I read some comments from my fellow e-oriented cyber-citizens, sometimes it really sounds like material that I was reading in high school, in the early 1980s.

The latest outrage is the smartphone- and, with more of an innuendo of “riding the racist tiger”, some commentators used the smartphone issue as a Trojan horse to talk about a “clash of civilizations”.

My own political ideas are posted on my website- look at the “pro bono” CV.

I think that we have already a “fluid” legal framework (albeit often ignored) to avoid this “clash”, called “right of asylum”.

The way it is seen see from those demanding asylum? It allows each country to express different choices within its own boundaries.

And extend these choices to anybody who asks to be entitled to the same basic rights given to its own citizens in the country granting asylum.

Some of those advocating a different approach in cyberspace are actually feeding the debate with the XXI century equivalent of anarchist themes.

Personally, I think that on the issue of electronic communications nobody can claim a clean bill of health: each country is checking what is transmitted, and the only difference is the level of access to the unencrypted information.

I remember a funny commercial dispute reported on newspapers, involving Pakistan and Motorola on this issue- not about snooping, but about access to the mobile snooping, i.e. backpack-mounted.

For obvious security reasons, having a system that allows encrypted messages to be bouncing back and forth outside the country, also if the communication is between two locals, with no practical possibility of checking potential illegal activity, is something that no country can afford right now.

My point being: if marketeers at your local supermarket can cross-check your grocery bill with your credit card and your online activities, to build a profile about you and (try to) influence your spending habits, why should that be less invasive or disruptive of your privacy than, say, the State asking you to have with you a valid ID card- or accessing the same information?

So, to get back to the religious analogy from European history: cuius regio, eius religio- different countries, different systems.

I wrote repeatedly about the “new Internet”, that allows to trace each communication flow, so I will not repeat that discussion- search my blog.

You can read on the website the original papers proposing satellite communication and discussing widespread use of e-mail and their consequences, as well search to read the history of the Internet 1.0.

The basic idea was: without a central “head”, there was no single point of failure, and therefore, if one of the dozen or so “exchange points” disappeared, the network could still be alive by re-routing through other points.

The cyber-jurisdiction grew in a “grey area” between State boundaries and a kind of “international cyberspace”.

With Internet 2.0, and the recent initiatives, States are applying what was done from the 1950s on for space- extending their jurisdiction to sea, land, air, space, and cyberspace.

The difference being- sea, land, air, even space are physical jurisdictions: how do you define “boundaries” in cyberspace?

My answer? Shifting from the “binary” concept of boundaries that was associated with physical “territories” (you are either in or out, tertium non datur), to the “fuzzy” concept of data association, i.e. the nationality of all the parties involved, with the degree of “data ownership/access” linked to the specific role played in the data exchange.

I have some experience in outsourced activities (look at my detailed CV), both for technical and non-technical activities (or read my old online magazine).

What always puzzled me was how the obvious quest to maximize profits by reducing costs created some loopholes- as witnessed by the recurring discussion about the SWIFT system, storing all the details about international financial transactions through the banking system outside the countries involved in those transactions.

Cloud computing is an extension of both outsourcing and the international jurisdiction.

If you store in the US data concerning transactions between citizens of, say, Germany and Serbia, which authorities should have access to the data? And which rules should the cloud computing company apply?

Following my answer to the question on cyberboundaries: the legislation of the (physical) host country, i.e. US, with a kind of “fast path” for both Germany and Serbia to access the data concerning their citizens, managed according to the country of origin.

It is fine on paper: but, if you are a company, it sounds like the “streamlining” that was originally involved in the EU-wide VAT registration for non-EU companies, as you ended up having to apply the specific VAT rules of the country of residence of your customers- not the most practical choice.

Move that to cloud computing: it implies that any company providing services should have a legal office able to cover each jurisdiction- in effect, forcing cloud computing companies to have a physical office in each country where they have customers.

And what is the point of setting up something that can benefit both from economies of scale (adding more disk space or memory costs next to nothing for Google) and being a virtual company, and then having to work as a traditional one (i.e. brick-and-mortar-based)?

Google is large- but while it would be able to comply with this requirement now, would it have been able to when it was founded? Certainly not.

The market could be forced to build a two-tiered structure, with “access companies” with physical offices in each jurisdiction managing the transfer of data to/from the “cloud” company, where the data are stored in a way that allows the “access companies” from each jurisdiction to be able to answer locally to the demand of the authorities.

At the same time, this arrangement could reduce the incentive for locals to innovate- why should you, if some larger entity can offer a lower price, and you need anyway to have a local “access company” in each country to benefit from this trend?

In my experience in supporting Internet-based startups and services, really few can benefit from thinking in terms of “country boundaries” from day 1.

Another obvious side-effect: reducing competition, as the incumbent would have a significant advantage, and no new entrants would be able to create a viable service.

If the “access company” model will be the prevailing one, we will get back to the way the banking system was organized centuries ago: few players that knew each others, doing more than providing a service- setting also the rules (well, until a king here or there was unable to pay his war debt, and found an excuse to take over their assets).

We will see “national boundaries” somehow enforced (e.g. by forcing routing through a national server, allowing “data mining” to be done by country), but eventually a kind of global cyber-jurisdiction will be needed.

If you want- a way to re-create the “greenfield” of the 1990s’ Internet (somebody would call it “Far West”), but within a framework that allows to balance security (and taxation) needs with continuous technological and social innovation.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s