Court ruling shows the internet does have borders after all

If you spend enough time around tech and policy conferences, you are bound to hear a digital economy truism: the internet has no borders. Starting from the soaring rhetoric of John Perry Barlow’s “Declaration of Independence of Cyberspace” through today’s reality of cloud computing and an increasingly wired globe, the idea that traditional governments have little ability to restrict the flow of data on the internet has never gone out of style.

But is this truism actually true? Does the internet really exist in a realm without jurisdictional boundaries and applicable laws?

In their book, "Who Controls the Internet?", authors Tim Wu and Jack Goldsmith argue that governments around the world have been asserting their authority over the internet for as long as the internet has existed. Indeed, many governments have attempted to reach beyond their national borders to touch data and systems around the world.

And no issue has been more central to this debate than privacy.

A recent privacy case in the US Court of Appeals for the Second Circuit suggests that the pendulum has swung toward recognition that national governments not only enjoy the benefits of their own borders on the web, but (importantly) need to recognize the legitimacy of other countries’ borders too. In the case, Microsoft challenged a court order that sought emails held on Microsoft servers in Ireland. Microsoft argued that the data was stored in Ireland, and therefore beyond the reach of US courts. The US government argued that Microsoft could access the data from the United States, so the data should be turned over.

Ultimately, the Second Circuit Court of Appeals sided with Microsoft in the case, finding that the location of the servers put the emails beyond the US government’s reach. Indeed, the court went so far as to recognize that there is a presumption against extraterritorial application of US laws – meaning that it is presumed that US laws should not be applied beyond US borders.

It is notable that Microsoft had many friends on this case. A long list of companies and privacy advocates stepped up with briefs that supported Microsoft. And many have hailed the result as a victory for privacy.

But there is a risk in the decision as well. By recognizing the jurisdictional boundaries of Ireland, it is possible that the Second Circuit Court created an incentive for other jurisdictions to require data to be held within their national boundaries. We have seen similar laws emerge in Russia – they fall under a policy trend towards “data localization” that has many cloud service and global organizations deeply concerned. Which leads to a tough question: what happens if every country tries to assert jurisdictional control over the web? Might we end up with a fractured web, a “splinternet”, of lessening utility?

One thing is clear from this case: this issue is not resolved, and may never find a place of stable and predictable interpretation. Governments will always claim authority over data within their borders (and sometimes, outside of their borders). So the next time you are at a tech conference and someone suggests that the internet has no borders, offer a wry smile. Truisms aren’t always true. And the internet may indeed have some borders after all.

Copyright © 2016 IDG Communications, Inc.
