| By Douglas Barnes, Austin Cypherpunks |
| Article pulled from Security-Protocols |
|
It used to be that a lot of my net friends thought
the growth and
global spread of the Internet was
an unmitigated Good Thing. "Global
communication
is the key to world peace," I used to hear. "High
bandwidth connections between nations will create a
global sense of
community."
And
this has really come to pass in pockets of the net. I
count many
people around the world, people I've
never met as, "friends," and feel
a strong sense
of community on certain mailing lists.
But you don't hear the boundless optimism anymore, thanks
mostly to
fine folks like Canter and Seigel and
the hordes of Delphi and AOL.
Like many barbarian
invasions, the invaders are assimilated quickly --
but with each wave there are fewer illusions about
Internet growth
leading to peace, love and baby
ducks. As the net expands it seems to
increase
the opportunities for conflict faster than the opportunities
for togetherness and world understanding.
Some of you may be insulated
from this sort of thing -- as recently as
last
year I attended a talk based on the premise of "more Internet
nodes will lead to world peace." It turned out
the speaker's
experience for this conclusion was
based on hanging out on the Well,
which is about
as peaceful, insulated and self-selecting as an online
community can get.
After he gave
the talk, I invited the speaker to come sample some of
the more "full contact" Internet services. I spent
most of an
afternoon showing him the seamier underside
of Usenet and IRC, which
is easy to ignore on
the Well. We talked.
"I bet you've never
heard of the Babel Fish, have you?" I asked. He
hadn't.
"It doesn't really exist," I told
him. "It was made up by a science
fiction author
named Douglas Adams, a very silly person, but with some
insight in this matter. See, if you put a Babel
Fish in your ear, you
can understand anything
spoken to you in any language. Talk about
increasing
your global bandwidth!"
"A fish? In your
ear?"
"I did say he was silly. But listen,
here's what he says about it." I
read to him:
... the poor Babel fish,
by effectively removing all barriers to
communication
between different races and cultures, has caused more
and bloodier wars than anything else in the
history of creation.
"Now that's just science fiction, but that's what we're
going to be
faced with as the Internet grows,
only substitute `flame wars' for
`wars.' People
aren't going to be throwing virtual flowers to each
other, they're going to be mixing full-color animations
of aborted
fetuses crying `mommy... mommy' into
their abortion flamewars. They're
going to burn
each other in virtual effigy. Christians will dangle
fantastically well-rendered 3-D pork chops in front
of Moslems,
Moslems will dangle 3-D T-bones in
front of Hindus. And those are just
the interpersonal
problems... just wait until governments get
involved."
The Swamp
The Internet is like a multi-media Babel Fish. It lets
us communicate
with great immediacy and little
forethought. In a matter of seconds we
can send
our ill-considered opinions, our home videos, our
get-rich-quick schemes, even scanned images of our
genitals, racing
around the world, impacting hundreds
if not thousands of legal
jurisdictions, evoking
amusement, boredom or offense in tens of
thousands
of communities... each with its unique set of community
standards.
Now a swamp is a place
that doesn't look so bad from the outside until
you go into it and find yourself hip-deep in muck and
alligators. Then
the alligators chew your legs
off.
The swamp of global jurisdiction
is already beginning with the war
between smut
and anti-smut. More and more countries and cultures, with
radically different community standards, obscenity
hot buttons and
sacred cows will get actively
involved in the net. Whether the topic
is bondage
in Bangladesh, pubic hair in Peoria or spankings in
Singapore, the local citizenry are going to be outraged,
and the net
will draw the attention of the authorities.
Communities will demand
that the authorities Do
Something. It's only a matter of time. Here in
the US one can hardly pick up a newspaper or magazine
without being
treated to another dose of handwringing
about irresponsible content on
the Internet --
as the net spreads globally, so will the commotion.
But so what? It's just commotion, right?
A Tennessee court recently convicted a pair
of California sysops for
making sexually explicit
images available by modem to the whole world,
which, unfortunately for them, includes Tennessee. No
matter that the
images didn't violate Los Angeles
community standards. In Tennessee
they did, and
since the images could be retrieved in Tennessee through
the phone system, that was good enough to convict
them on charges of
interstate trafficking in obscenity.
While it's still not clear how
this case will
be resolved on appeal, it is an early and so far
successful attempt to judge globally available information
by the
standards of an arbitrary, far-removed
jurisdiction. At least for the
purposes of determining
obscenity, digitized pictures placed on a
computer,
with a modem, were considered a shot fired across a
frontier.
The swamp
is just beginning to fill, and truly international examples
are still sparse. But one of the early flashpoints
will certainly be
the widely varying international
standards regarding sexual images.
The laws are
all over the map: in Saudi Arabia, distributing Sports
Illustrated Online Swimsuit Edition would likely
be grounds for
involuntary amputation without
anesthetic; in Amsterdam, pretty much
anything
goes, including what most of the world considers child
pornography. In Japan genitalia are OK, but displaying
pubic hair can
get you thrown in jail; in the
US, even the tamer skin mags show pubic
hair,
with special censure reserved for the actual genitalia
--
depending, of course, on community standards.
We already have
convictions resulting from differences
in standards just within the
US; there is growing
pressure here and elsewhere to punish those who
electronically publish offensive materials, regardless
of what country
they're in or what nationality
they are.
A key question, then, is on
what basis, and through what mechanisms,
will
countries be able to punish those who violate faraway
local
ordinances through their participation in
global internetworks? I
believe that as the Internet
grows in importance, both socially and
commercially,
nations will be more and more motivated to extend
jurisdiction to the very source of what they perceive
as offensive or
illegal content. Moreover, it
won't just be naughty gifs, but insider
trading,
espionage, libel, anti-trust, blasphemy, sedition, breach
of
contract, money laundering, and violation of
patent, trademark,
copyright and trade secrets
law -- a grab bag of offenses with wildly
varying
treatment on the international scene.
There is a popular notion among many netters that "If
it isn't a crime
in the country where I'm logged
in, I can't be extradited, convicted
or punished
elsewhere." Unfortunately for those who will get to be
the
test cases, countries have a variety of handy
legal doctrines to
prosecute extraterritorial
behavior, and a variety of ways of
effecting that
jurisdiction.
The relevant doctrines are:
* Objective jurisdiction.
Your basic shot fired across a frontier.
Alice,
standing in Mexico, shoots Bob, who is standing in the
US.
Alice can (and probably will) be prosecuted
in the US, since the
object of her crime was
in the US. A good example for us is a
Supreme
Court decision in 1916, Lamar v. United States[1], where
the Supreme Court held that a telephone fraud
could be prosecuted
where the call terminated
instead of where it was placed from.
* Effects doctrine. It's like objective jurisdiction,
but fuzzier;
it became established in US law
through enforcement of anti-trust
measures.[2]
In the ALCOA case, the US successfully pursued an
anti-trust action against a foreign aluminum cartel
based on the
effect their restraint of trade
had on the US.[3] The effects
doctrine weakens
the requirement for directness of the effect as
well as reducing the need for a "temporal nexus" to bridge
cause
and effect.[4]
* Active personality
This covers jurisdiction
over crimes committed by nationals abroad
and is implemented in many different ways in different
countries.
It's most widely used against diplomatic
personnel (who generally
have immunity where
the crime is committed). Rumor has it Germany
is now using this doctrine to prosecute Germans who deal
drugs in
Amsterdam or have sex with child
prostitutes in Thailand. While
both activities
are nominally illegal where the crime is
committed,
the relevant laws go largely unenforced there.
* Passive personality
Crimes committed
against nationals. The US will, for instance,
actively pursue and attempt to extradict or otherwise
punish
terrorists who commit crimes of violence
directed against
Americans "because they are
Americans," regardless of where the
crimes
take place.[5]
* Protective principle
Used against spies, would-be saboteurs, racketeers
and their ilk,
as the behavior must only potentially
or indirectly affect the
national interest.
This was cited, along with the effects
doctrine,
by US prosecutors in the Noriega[6] case. Look for this
principle to be invoked against international
software piracy
rings.
* Universal jurisdiction
It will probably
be a long time before we start seeing war crimes
(flame war crimes?) on the net, but this handy
principle is used
for sufficiently heinous
crimes such as genocide which are
considered
"universally abhorrent" and can be prosecuted anywhere.
These principles, particularly the
effects doctrine and the protective
principle,
allow a country to justify prosecution of almost any
behavior on a global internetwork that they would care
enough about to
want to prosecute.
The next trick is how nations get their hands on and/or
punish the
possibly far-removed offenders.
The underlying principle in
the US and many other countries is, "mala
captatus,
bene detentus," or, "bad capture, good detention".[7]
This
is illustrated in a variety of cases, including
quite recently United
States v. Alvarez-Machain,
in which the DEA paid bounty hunters
$20,000 to
kidnap from Mexico a suspect in the slaying of US DEA
agent
Enrique Camarena.[8] The Supreme Court held
that "United States
sponsored abduction of a fugitive
criminal suspect from foreign soil
does not prohibit
his trial in a US court, notwithstanding an official
protest by the offended nation.[9]" So how a suspect
is brought into a
given jurisdiction is largely
irrelevant in an attempt to overturn a
conviction
(with some exceptions; for instance, the Toscanino case,
where the accused was kidnapped, tortured for
seventeen days, and then
illegally extradited
from Brazil.[10])
Rather than pondering
legal niceties, a more important factor to
consider
is how badly someone irritates a given country and what
treaties and resources said country can bring
to bear. Popular methods
for effecting extraterritorial
justice include:
* Formal and
informal extradition
We all know about formal
extradition -- this is where people get
it
stuck in their heads that the offense must be illegal
in both
places, because that's a clause in
most extradition treaties. Note
that even
this doesn't require a very exact match; for instance,
there is no crime of "wire fraud," in the
UK, but extradition is
successful from the
UK to the US in a wire fraud case because the
equivalent crime in the UK is "theft."[11]And while the
sense of
global community may be eroding on
the Internet, it can be quite
strong between
law enforcement officials, leading to "informal"
extraditions by simply grabbing someone and putting
them on a
plane to the requesting country
or rerouting a flight. In a few
countries,
such as the UK, the informal approach can be grounds
for a successful appeal, but not in the US, or
in most
non-common-law countries.[12]
* Opportunistic seizure
If
someone is selling kiddie porn over the net from Amsterdam
or
making virtual book in Belize, I wouldn't
recommend they go home
to visit Mom in Los
Angeles for Thanksgiving, or take any flights
with stopovers in the US. Flight lists are checked for
international fugitives, and this is a great
way to catch suspects
who aren't quite worth
the trouble of extraditing.
Both
electronic and print authors carefully consider their
travel
plans, especially if they've been potentially
offensive. For
instance, science-fiction writer
William Gibson is probably
steering clear
of Singapore for the next decade or so.[13] As the
net expands globally, Usenet posters, web page
editors and archive
maintainers may find themselves
in an unexpected legal pickle
while travelling
abroad.
* Kidnapping by governments
or other interested parties.
While a few spectacular
cases make the news, one author estimated
in 1991 that the US was abducting two people a day from
Mexico
alone.[14] The US is clearly the biggest
offender in this regard,
but Israel and France
have also demonstrated few qualms about
abducting
suspects.[15] This is probably not a big fear for US
citizens in the US, but rather anyone committing
"crimes" (no
matter how legal in the host
country) outside the US with
perceived effects
inside the US. With the greatly increased
penalties for copyright infringement in the US, along
with RICO
laws, it will be interesting to
see whether any of the anti-piracy
groups
get involved in this sort of activity -- they already
maintain worldwide networks of investigators
and lawyers to try to
combat piracy and counterfeiting.
* Military invasion (Noriega)
An unusual and highly controversial approach that
we used against
our friend Manuel.
* Assassination and other terrorist measures
Whether at home or abroad, I think this is
one very likely way
American and other citizens
in their home countries will be
affected when
they deliberately or unwittingly violate laws or
community standards in faraway jurisdictions. A
good example for
this is the Salman Rushdie
case, even though Rushdie is British
and he
published a book, not a Usenet post.
Six months after the publication of Satanic Verses,
the Ayatollah
Khomeini issued a fatwa, or
death sentence, on everyone involved
in its
publication who was aware of its content.[16] Twenty people
have been killed so far in connection with
the fatwa, including
the Italian and Japanese
translators; Rushdie is still in hiding,
with
a $1 million bounty on his head.[17] What is less well
known
is that Rushdie is merely the best-known
and certainly one of the
luckier Arab writers
to face this treatment; in the introduction
to For Rushdie, the publisher lists five other authors
who have
recently faced fatwa, only two of
whom are still alive.[18]
* Individual
retaliation
Just as we're starting to see
the occasional stalking or other
person to
person crime on the major online services, expect this
to take on an international character with
the global spread of
the net.
Hip Boots, Canoes,
and Draining the Swamp
A great many real
benefits that are anticipated from global
internetworking
are going to be lost, if users, information providers
and online merchants become mired in this swamp
of overlapping
jurisdictions, conflicting regulations
and variable community
standards.
One possibility is that network participants will just
have to suffer.
They will be forced to shoulder
the burden of avoiding entanglement
with hundreds
of sets of national and provincial laws -- or get off
the net. As the net becomes more global, the possibility
of foreign
legal entanglements will act as an
increasingly substantial barrier to
entry. Furthermore,
it will limit economic activity and free speech on
the net due to fear of unexpected international consequences.
To counter this, one can imagine various
schemes to limit
distribution. Certain publications
or information products might be
available only
to residents of certain countries, along the lines of
the ftp sites used for distributing cryptography
in the US. To be
secure, this would require, for
starters, a global standard for
authenticating
individuals as to their citizenship -- an electronic
passport. Companies would then have to hire experts
to screen
materials, and only then could controversial
materials be made
available, based on the consumer's
nationality. Alternatively,
publishers and merchants
could use these same experts to assist them
in
reducing their offerings to a pablum-like least offensive
denominator. Individuals would likely be on their
own, unless they
could afford a legal staff.
Another possibility, the one
I'm going to focus on, is for
individuals, commercial
publishers and online merchants to operate
anonymously.
This is a big step for large corporations with strong
brand names, and their first step in this direction
might be to use
online distributors who are anonymous,
rather than taking the whole
corporation behind
an electronic veil. With time though, as
information
companies begin life with a pseudonymous identity, brands
and customer loyalty can be built up around network
pseudonyms. There
is already a long history, both
in print and on the net, of
individuals creating
and using strong pseudonyms; the federalist
papers,
for instance, were written pseudonymously, and historians
are
still trying to sort out who actually wrote
which ones.
If carried out effectively,
and if users are careful not to give away
their
identity, robust anonymity handily solves the problems
of
surprise legal jurisdiction, fatwa, and individual
retaliation. Users
would pay for anonymizing services
with anonymous digital cash, of
course -- and
it makes no difference how their packets get on the net
in the first place, if they're all processed through
a packet laundry
in Jamaica or Finland.
Sometimes, though, network participants will be
motivated to make
their "true names" knowable.
For instance, participants who wanted to
inspire
confidence could escrow their true names with their local
government or a commercial arbitration agency.
As part of a
transaction, participants would exchange
true name escrow
certificates. If the transaction
goes sour, the injured party could
seek a remedy
with the cooperation of the escrow government or agency.
This provides a mechanism for resolving commercial
disputes while
limiting the dispute resolution
process to a particular set of laws or
an agreed-upon
arbitration process. True name escrow certificates
could also be used by publishers, indicating their
willingness to be
accept actions for libel in
a given jurisdiction, potentially
enhancing their
credibility.
This anonymity
approach enjoys a competitive advantage over the more
cumbersome "national authentication" or "pablum"
schemes because:
* A
much greater variety of content could be provided to more
people
without fear of retaliation. For instance,
the Sports Illustrated
Online Swimsuit Edition,
Cosmopolitan Online, or their equivalent,
that would be considered pornographic throughout much
of the
world.
* Online
speech, publishing and commercial transactions would be
subject to a strictly limited number of legal
jurisdictions .
* Information could
be made available more quickly, without a
lengthy review process prior to release.
* Anonymization would be substantially cheaper than
legal review of
the impact of each work on
hundreds of legal jurisdictions.
* Users' privacy would be optimally protected .
Whenever the subject of anonymity
comes up, however, many people begin
to fear a
breakdown of the already tenuous civility on the net.
Not
that there is a firm link from real name to
Internet access account
right now, but there is
still a comforting illusion, and for some
users
there is enough information to take complaints to school
officials, postmasters, and their ilk. As we have
seen with Canter and
Seigel, however, the current
system does little to deter the hard-core
disrupter,
even a well-identified one.
So I will
briefly mention one way a degree of order can be maintained
among participating spheres of activity (such
as a newsgroups, mailing
lists or IRC channels),
while preserving anonymity, through the
voluntary
applicaton of Chaumian credentials.[19] In this type of
system, each real user receives an "is-a-person"
credential through
their local government or a
notary public, which is used to generate a
unique
pseudonym within each sphere of activity (what Chaum refers
to
as "organizations"). Credentials issued within
one sphere of activity
could be securely transferred
to another without anyone except the
user being
aware of a link between the two pseudonyms. For instance,
each sphere might have a credential of "is not
a spammer," and
implement a mechanism requiring
that all submissions come with "is not
a spammer"
credentials. Then they might get really organized, and
have
someone issue "meta is-not-a-spammer" credentials,
representing the
is/is-not a spammer status in
a large number of spheres.[20]
The net
probably needs to experiment with these and other automated
forms of moderation regardless of whether there
is a link between a
username and a true name.
But such systems are complex, and very much
require
the consent of the governed -- if someone sets up a mailing
list or a newsgroup with this type of restriction,
and people don't
like it, they can stay away in
droves. If people like the effect,
they'll get
involved and participate. In any event, I don't see
anonymity as being any more disruptive to civility
on the net than the
existing situation -- if anything
it evens out the playing field --
and anonymity
does not add much to the inherent complexity of
automated moderation and similar approaches for weeding
out disruptive
participants in a public or semi-public
forum.
But this sort of
voluntary social control is not what law enforcement
is concerned with.
The bottom line
is, your typical computer cop wishes he or she could
track every packet on a global internetwork and pin
it on a particular
individual. Anything that gets
in the way of this is Not Good. Not
only that,
but it would sure be nice if the packet was encrypted
only
with government-approved cryptography, and
didn't have any subtext
lurking in the low-order
bits. While there are many arguments from a
law
enforcement perspective on why all this would be desirable,
it is
not realistic or necessary for effective
law enforcement on the net.
Indulge me
in a quick analogy.
Suppose you've got
a problem with some dude robbing 7-11s. How do you
catch the guy? Do you:
* Stake out 7-11s with cops posing as clerks?
* Use informants to see who's bragging
about ripping off 7-11s?
* Wait
for the perpetrator to screw up (if he's going for 7-11s,
he
can't be that smart...)?
* Or do you:
* Ban the sale
of ski masks?
* Require radio ID
leg bracelets for all 7-11 customers?
Now that last suggestion would certainly
slow down or stop the
rip-offs, but from both
an economic and a social point of view it is
completely
unworkable. It would infuriate the customers. It would
hurt
7-11's business. It also overlooks the technological
race between
police-supplied radio ID bracelets
and counterfeit ones, or the
possibility of jamming,
or...
This is similar to the problem law
enforcement would face if they
attempted to force
authentication for all activity on a global
internetwork
of meaningful size and scope. It would be a form of
censorship, and, to quote John Gilmore, "The Internet
interprets
censorship as damage, and routes around
it." You might end up with a
global internetwork
with the properties you describe, but it would
quite rapidly be replaced with or shadowed by another
net that did not
have this policy. Users might
even get sneaky and route most of their
packets
as disguised data over your global internetwork. What's
more,
the technology for creating and extending
wide area networks is
getting easier to set up
every day, and can run over an expanding
variety
of media (wires, fiber, microwave, spread spectrum RF,
laser,
meteor bounce and so forth).
One approach that law enforcement might take is to
encourage
legislation against anonymizing tools,
and attempt to marginalize and
discredit anonymous
services. This is going to be an uphill battle for
authorities, at least in the US, as there is strong
protection for
products and services with substantial
legal use. For instance,
information companies
would dearly love to take action against VCRs
and anti-copy-protection software, but these have been
determined to
have substantial legal use, in addition
to the possibility of
facilitating a crime.
I think that it is going to be in the best
interests of law
enforcement to focus on applying
conventional law-enforcement tactics
directed
at their own citizens, rather than trying to take on the
whole net or anonymous services in general. They
are unlikely to be
very successful, and would
likely have a "destroying the village in
order
to save it" effect on the rapid growth of global
internetworking.
Anonymizing
tools and services on global internetworks can give a
competitive advantage to publishers and merchants,
and security to
individuals from foreign governments
and unhinged individuals
worldwide. While they
can be used to further illegal ends, much as a
ski mask or a Halloween mask can, they have substantial
legal use in
protecting privacy and preventing
unforseeable foreign legal
entanglements. Some
services and transactions may require a disclosure
of identity, or at least a potential disclosure, just
as many
buildings will require you to take off
your ski mask or Halloween mask
before entering
a building, but anonymity per se is not illegal and
should not be made illegal. I think I can safely predict
that there
will be commercial anonymization tools
and services available on the
net by this time
next year. I also predict that they will be used
primarily for legal purposes -- at least, purposes
that are legal in
the home country of the user.
I think that rigorous,
cryptography-based anonymity
is going to the best way out of the
global swamp
of jurisdiction, and because of this I expect many people
will come to appreciate it in the years to come.
_________________________________________________________________
[1] 240 US 60 (1916)
[2] United States v. Aluminum Company of America
(ALCOA), 148 F. 2d
416 (1945)
[3] Neale and Stephens, International business and national
jurisdiction,. Oxford University Press, 1988.
pp 44-46
[4] Id. pp 16.
[5] Id. 271.
[6] Ma, Frances, "Noriega's
abduction from Panama: Is Military
Invasion an
Appropriate Substitute for International Extradition?"
Loyola, Los Angeles, International and Comparative
Law Journal. p.
945.
[7] This
principle is rooted in Ker v. Illinois, 119 US 436 (1886)
and
Frisbie v. Collins, 342 US 519 (1952).
[8] Wing, Michael, "Extradition Treaties-International
Law--The US
Supreme Court Approves Extraterritorial
Abduction of Foreign
Criminals--United States
v. Alvarez-Machain, 112 S. Ct. 2188 (1992)",
Georgia
Journal of International and Comparative Law, Vol. 23:435.
Note that the case against Dr. Alvarez was subsequently
dismissed by
the judge for lack of evidence.
[9] United States v. Alvarez-Machain, 112 S.
Ct. 2188 (1992)
[10] 500 F.2d 267 (2d
Cir 1974)
[11] Choo
[12]
Choo
[13] Gibson, William, "Disneyland
with the Death Penalty", Wired [??]
[14]
Moss, "Official Kidnapping," 77 ABA Journal 24 (January
1991)
[15]
[16] Appignanesi
and Maitland, The Rushdie File, Institute of
Contemporary
Arts, 1990.
[17] Pipes, The Rushdie Affair,
Birch Lane Press, New York, 1990. p.
28
[18] Abdallah et. al., Pour Rushdie, George Braziller,
Inc., 1994.
[19] Chaum, "Showing Credentials
without Identification: Transferring
Signatures
between Unconditionally Unlinkable Pseudonyms," .
[20] This would also assume that Usenet news
is fixed so that it is
not absurdly trivial to
get past moderating mechanisms.
|
|
