Internet Governance – The Cybersecurity Lawyer

Bot Code, Norms, and Law

There’s a good post on Dark Reading by Ido Safruti about norms and etiquette for bot code. According to Imperva’s most recent bot traffic report, bots comprise the majority of Internet traffic. May bots are intentionally disruptive or misleading — for example, bots that create comment link spam on blogs. Others are useful — for example, they, allow a search engine to index web pages. Even useful bots can be disruptive, such as by using up site capacity, and the robots.txt standard has been developed so that site owners can limit or exclude bot traffic.

Safruti provides the following guidelines for ethical bot code:

1. Declare who you are;
2. Provide a method to accurately identify your bot;
3. Follow robots.txt;
4. Don’t be too aggressive.

These are sound guidelines, but my lawyer Spidey sense wonders how they might translate into legal norms, or whether they should become legal norms. The most immediate way in which guidelines like this can become part of legal norms is through a contractual terms of use. I’m not sure a terms of use would be enforceable either as a legal or practical matter against unwanted bots, not least because the measure of contractual damages would be unclear. There’s an interesting 2001 case in the First Circuit finding a Computer Fraud and Abuse Act violation for bot use, but the facts are quirky and it seems to me perhaps wrongly decided. Perhaps guidelines like Safruti’s provide a standard of care for a tort claim if an unwanted bot causes a business interruption, though in states where the economic loss doctrine applies this would produce an difficult question about whether slowing a website is a kind of compensable property damage. Guidelines like this could also be incorporated into a regulatory regime, which the Internet community as a whole might not find palatable.

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.” The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2^nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq. The SCA was enacted in 1986. Microsoft Corp., 2016 WL 3770056 at *6. The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication. See id. at 7. The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause. See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)). For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber. See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)). When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.” See id. (citing 18 U.S.C. §2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland. Outlook is part of Microsoft’s “’enterprise cloud service offerings.’” See id. at *2. Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries. See id. The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network. Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer. Id.

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect. Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S. See id. at *3. The Magistrate denied the motion to quash, and the District Court affirmed. Id. at 4. The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990. Id. The SCA therefore was adopted in a very different technological context than today’s networked world. In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago. The court noted that there is a presumption against extraterritorial application of statutes. Id. at *9. Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA. Id. at *11-12. Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant. Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment. Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.” Id. at *19. Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S. Id. at *20. He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement. Id. Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “’records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.” Id. at 21. Nevertheless, Judge Lynch felt bound to agree with that court’s statutory interpretation in light of the presumption against extraterritoriality. Id. He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S. Id. at 26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer. See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016. In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Id., Complaint for Declaratory Judgment, ¶ ¶ 2-3. For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments. But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention. This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xbHlmR2pJa2dra0U/preview?usp=drivesdk” title=”microsoftcertified.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xQUs4S3Z6dkg5SEk/preview?usp=drivesdk” title=”microsftdj.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]

Internet Law and Governance: Some Materials

I’m teaching a module on Internet Law and Governance at Seton Hall Law School again this semester. Here is some of the introductory material for this week, including a video lecture I created:

For our first class, we will discuss some basic principles of Internet “governance.” I put “governance” in quotes here because, as you will see, there is no single source of legal norms for the Internet. Much of the “law” of the Internet is what we call “soft law” — that is, a relatively loose collection of principles and standards held together mostly by contractual relationships.

My experience teaching this material to law students over the past few years has shown that it can be a bit frustrating for you to get a handle on what you are supposed to be learning. By now, you are used to areas of law governed by a somewhat coherent set of Constitutional, common law, and/or statutory and regulatory principles, from which you can derive legal tests for liability or compliance that can be applied by courts. That is not, usually, how Internet governance works. Internet governance is fuzzy. If you continue on and take any of the other modules in our “Cybersecurity” or “New Media” sequence, however, you’ll see that having a sense of the contours of this fuzziness is important to the more specific legal issues arising from things like copyright in YouTube videos or government e-mail surveillance. So, for now, enjoy the ride.

ICANN’s Transition Proposal

You may have heard of “ICANN” in connection with procedures for resolving domain name disputes. What you may not realize is that ICANN is at the heart of “Internet governance,” and that even today there is a heated dispute about whether the United States government should retain any ongoing oversight of ICANN’s functions.

“ICANN” stands for the Internet Corporation for Assigned Names and Numbers. Every device connected to the Internet is assigned a unique Internet Protocol (“IP”) address. Under a standard first developed in 1983 (called the Internet Protocol Version 4, or IPv4), long before the Internet was commercially available and long before there was a World Wide Web, an IP address consists of a 32-bit (4-byte) number comprised of four blocks (1 byte per block). Because the available number space was becoming exhausted, a newer standard, IPv6, was adopted, which increased the address to 128 bits comprised of 16 blocks, but IPv4 is still the most widely used protocol.

The following graphic shows a typical IPv4 address, with both binary and dotted-decimal notation:

(Graphic source: Wikimedia Commons). In general, the first two blocks specify a network (the network identifier) and the last two blocks specify a host or machine (the host identifier). In the example above, the network identifier 172.16 would indicate a private network such as an intranet, and the host identifier 254.1 would identify a computer or device connected to that local network. If you have ever had to fiddle with your home or office computer network, you have probably seen IP addresses in the dotted-decimal notation representing the addresses of your printers and other devices.

Numeric addresses are difficult for most humans to remember. This is not a problem for things like the printer on your home network — you simply configure the network server to remember such things for you. It is a problem on the World Wide Web, if we want to remember, or conduct searches for, the content that interests us. This is where the where “domain names” come into play. The Domain Name System, or DNS, establishes the hierarchy of words and symbols that relate to numeric IP addresses. For example, the domain name “Google.com” brings you to Google’s home page. It is much easier to remember “Google.com” than the site’s IP address (172.217.1.206, as identified through a “Whois” IP lookup). Obviously, if “Google.com” does not consistently resolve to the IP address 172.217.1.206, the web will cease to function. The DNS is a vital part of how people and organizations identify their “space” in cyberspace.

With over one billion pages on the web today (according to http://www.internetlivestats.com/total-number-of-websites/), the administration and security of the system for registering, recording, transferring and protecting domain names obviously is complex. The question of whether to approve new “Top Level Domains (TLDs)” – that is, the part of a domain name to the right of the last dot, such as .com or .gov – can be contentious because such domains can be used to stake out a new “location” in cyberspace. Until 2012, ICANN strictly restricted the issuance of new “generic” top level domains (gTLDs), but under ICANN’s present rules new gTLDs are much easier to obtain, with about 1,300 new gTLDs now approved and more to come. Here is an amusing ICANN video describing this process:

These administrative and oversight functions are ICANN’s role. It is fair to say, then, that ICANN oversees a core system of protocols that makes the Internet possible. The global information and communication system that underpins every aspect of our global society depends on the governance functions ICANN performs.

But ICANN is not an agency of any national government or international treaty body. ICANN is not an arm of the United Nations, the World Trade Organization, the World Intellectual Property Organization, or any other transnational organization established by agreement of various nation-states. Instead, ICANN is a California non-profit corporation first established in 1998. It operates under a “multi-stakeholder” model that includes input from volunteers serving on numerous working groups, overseen by a Board of Directors comprised of 16 individual voting members. See “A Quick Look at ICANN.”

Why is this vital Internet governance function run by a California non-profit corporation? The name and number functions we have been discussing (referred to as the Internet Assigned Numbers Authority, or IANA, functions) originally were managed by a single individual, John Postel, who was a computer science researcher at UCLA and USC. Postel helped create an early packet switching network, the Advanced Research Projects Agency Network, or ARPANET, funded by the U.S. Defense Department, which was a forerunner to today’s Internet. ARPANET may have been funded by the DOD in part over concerns about maintaining military communications in the event of nuclear war. Although the connection to fears of nuclear war are debated, there is no doubt that the ARPANET was a cold-war era defense project. The U.S. federal government therefore had a vital role in the early development of the Internet.

When Postel decided he could no longer handle the domain name functions himself, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) instituted a rulemaking for this function that led to the creation of ICANN. From its inception, ICANN operated under a contractual arrangement with the U.S. Department of Commerce. ICANN therefore derives its legal authority from California corporate law and its contract with the U.S. Department of Commerce.

To many participants, particularly outside the U.S., this historical arrangement suggests that ultimately the U.S. government holds too much power over the DNS without adequate checks and balances. In response to these concerns, the Obama administration announced in March, 2014 that it would relinquish control of the DNS to the global multi-stakeholder Internet community. A plan for this transition was developed by ICANN and was submitted to the NTIA on March 10, 2016.

The planning process was coordinated by a group “comprised of 30 individuals representing 13 communities.” Id., ¶ X002. That should be an astonishing statement: 30 people were in charge of planning this core function of Internet governance! This group included executives from companies such as Oracle, Cisco, Verisign and GoDaddy, academics, entrepreneurs, and representatives of country domain registries. Id., n. 2 and http://www.ianacg.org/coordination-group/icg-members/.

The ICAAN plan runs to 210 pages of single-spaced type and 3,115 numbered paragraphs, with an Executive Summary that loosely ties together separately drafted proposals from the “Domain Names Community,” the “Internet Number Community,” and the “Protocol Parameters Registry Community.” It contains many paragraphs that read like this: “Following exhaustion of the foregoing escalation mechanisms, the ccNSO and GNSO will be responsible for determining whether or not a Special IFR is necessary.” See ICANN Plan, ¶ 1303. If all of these sounds like a proposal put together by engineers rather than lawyers – it is. Perhaps that is a good thing, but many questions about representation and accountability remain.

The ICAAN Plan did include some new accountability mechanisms to address concerns about the openness of ICANN’s processes. For example, paragraph 1106 of the Domain Names Community’s part of the proposal states that the mutistakeholder community would have the ability to appoint and remove ICANN Board members, to oversee key Board decisions, and to approve amendments to ICANN’s fundamental bylaws. This part of the proposal was consistent with an Accountability Report released by a different ICANN working group in February, 2016. But, of course, none of this is analogous to a citizen’s rights in a constitutional government. It is more analogous to how shareholders might have some say in the governance of a private membership organization. The ICAAN proposal does not contemplate that any governmental or inter-governmental organization will take on the role previously played by the U.S. Commerce Department. See ICANN Plan, ¶ X028.

On June 9, 2016, the NTIA released an Assessment Report finding that the ICANN plan met the NTIA’s criteria for a working transition plan. In particular, the NTIA Assessment found that the transition plan would satisfy the following requirements:

Support and enhance the multi-stakeholder model;

Maintain the security, stability, and resiliency of the Internet DNS;

Meet the needs and expectations of the global customers and partners of the IANA services; and

Maintain the openness of the Internet.

Most technology industry players also support ICANN’s plan. At the same time, some commentators and U.S. lawmakers are not as willing as President Obama or the NTIA to cede U.S. control over the DNS. On June 8, 2016, Representative Sean Duffy (R-WI) and Senator Ted Cruz (R-TX) introduced the “Protecting Internet Freedom Act,” which would prohibit the NTIA from allowing its contract with ICANN to expire. See S. 3034 and H.R. 5418, 114th Cong., 2d Sess., June 8, 2016. This bill would also require the Commerce Department to secure permanent U.S. ownership of the .gov and .mil domain top-level domains. Id., sec 4. This Bill echoes concerns by commentators such as Kristian Stout, Associate Director for Innovation Policy with the International Center for Law and Economics, stated that under the ICANN plan, “several fundamental governance issues remain outstanding, including ICANN’s ability to thwart threats of foreign government intrusion, its willingness and ability to ensure a basic level of contractual compliance and respect for property rights among registrars and registries, and its avoidance of antitrust risk.” S

Unless some legislative or Executive action is taken, which seems unlikely, the NTIA contract with ICAAN will expire according to its own terms on September 30, 2016. This will mark another milestone, for better or worse, along the path towards the creation of a global critical infrastructure resource that is managed primarily by consensus (social norms) and contracts (private law) rather than by national and international public law.

Sikhs for Justice v. Facebook: Site Blocking

The ability of an ISP or social media site to block access to controversial or inflammatory content is a difficult issue at the intersection of cybersecurity and Internet governance. In a case just decided by Judge Lucy Koh in the Northern District of California, Facebook won dismissal on the pleadings of Sikhs for Justice’s (“SFJ”) claim that Facebook blocked access to SFJ’s page in India.

SJF’s claim was based on Title II of the Civil Rights Act of 1964, 42 U.S.C. § 2000a, which provides that “[a]ll persons shall be entitled to the full and equal enjoyment of the goods, services, facilities, privileges, advantages, and accommodations of any place of public accommodation . . . without discrimination or segregation on the ground of race, color, religion, or national origin.”

The court held that SJF’s Title II claim is barred by the Communications Decency Act (“CDA”), 47 U.S.C. § 230. This holding was consistent with other cases holding that ISPs are publishers entitled to CDA immunity.

Cases like this are important for Internet governance because of the gate keeping role played by large ISPs, search providers, and social media sites such as Facebook. If these gate keepers can arbitrarily block access to sites a government finds objectionable, traditional political sovereigns can exercise significant control over the Internet. On the other hand, if these gate keepers cannot accede to the wishes of governments in territories where they have users without threat of liability elsewhere, users in one country (such as the U.S.) could use local law to thwart the policies of another country (such as India).

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xdUhxTWdzYzNjWHc/preview?usp=drivesdk” title=”sikhsforjustice.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]