Dark Clouds Over the Internet

The Internet is routinely described as borderless, and that is often how it feels. Tweet a photo or post a comment, and it is instantly viewable in nearly every country in the world. But a global Internet unbounded by territorial limits is pure fantasy.

Down where the cables lie and the servers spin, territory still matters.

Take user data. While 90 percent of the Internet’s users are outside the United States, the web is dominated by American firms. As a result, a great deal of non-American data is held on American servers. This was tolerable when trust in the United States was high. But after Edward J. Snowden peeled back the curtain on the National Security Agency’s Internet surveillance efforts, that trust withered.

In response, other nations are increasingly exercising their territorial control over the Internet, often in ways that mimic America’s worst practices.

Earlier this month, the British Home Secretary introduced a bill known as the Snoopers’ Charter that would broadly expand the government’s ability to collect user data — from authorizing the police to hack into phones and computers, to mandating that Internet companies decrypt encrypted communications. The bill goes too far and privacy advocates are right to oppose it.

But governments do have legitimate reasons to seek user data beyond their territorial reach, and privacy advocates ignore that need at their peril.

Ask a police officer anywhere outside of the United States and he’ll tell you that evidence for routine crimes — murder, theft, burglary — is very often stored in the cloud, typically in another jurisdiction. Last year alone, British law enforcement agents made nearly 54,000 requests for data from just five American firms: Facebook, Google, Microsoft, Twitter and Yahoo.

These requests often go nowhere because America’s 1986 Electronic Communications Privacy Act only allows technology firms to release American-held data in response to orders from an American judge. So if a British cop is investigating a murder in London, and he has good reason to believe that Google or Facebook has evidence about the crime, he must satisfy an American judge using an American constitutional standard to obtain the evidence. This cross-border process is notoriously slow. Requests take an average of 10 months — an eon in a criminal investigation — and many languish for years.

Exasperation with this process was a key motivation behind the Snoopers’ Charter, and Britain is hardly alone.

Because American law has made it nearly impossible to obtain digital evidence through legitimate channels, foreign police are turning to illegitimate ones. I recently attended a conference for purveyors of surveillance software — an event unofficially known as the “Wiretappers’ Ball.” I asked one vendor if he was aware of law enforcement’s frustrations with American tech firms. The salesman grinned and told me that police departments now buy his malware precisely because they’re tired of waiting for evidence through established diplomatic channels. This is alarming: Making it harder for the police to get criminal evidence lawfully may actually incentivize them to seek that data by snooping.

Read more: Dark Clouds Over the Internet