Asaf Lubin (Indiana University Maurer School of Law; Berkman Klein Center for Internet & Society; Yale University – Information Society Project; Federmann Cybersecurity Center, Hebrew University of Jerusalem Faculty of Law) has posted “The Prohibition on Extraterritorial Enforcement Jurisdiction in the Datasphere” (Handbook on Extraterritoriality in International Law (Austen L. Parrish and Cedric Ryngaert eds., forthcoming, 2022)) on SSRN. Here is the abstract:
The omnipresent and ever-fluid nature of the datasphere complicates the work of our cyber constables. Our conventional understanding of a sovereign’s right to exclude others—the prohibition on extraterritorial enforcement jurisdiction that was reaffirmed in the famous Lotus case—may start to feel somewhat anachronistic in the face of new emerging technologies for remote searches and seizures. Modern law enforcement agencies are further bolstered by a data ecosystem which centers around powerful corporate intermediaries who may, on occasion, be coopted or coerced to collaborate in incidents of extraterritorial enforcement overreach.
Consider, for example, the following non-exhaustive list of cyber enforcement activities. Which of these techniques might you deem tolerable when employed against a target abroad without the consent or knowledge of the foreign state? Which of these might you consider to be crossing a threshold, and what factual and legal factors might influence your determination?
(1) Data scraping from social media platforms, other websites, and open-access databases located on servers abroad to import information.
(2) Subverting the command-and-control server of an anonymized botnet operating from one of the corners of the “dark web.”
(3) Electronically tracing and restoring cryptocurrency payments that were paid to a foreign criminal cyber gang involved in a crippling ransomware attack.
(4) Compelling a domestically registered company to release certain data concerning a national involved in a domestic crime, where the data is stored abroad.
In this chapter I explore each of these four scenarios. Each scenario ties to a different aspect of the datasphere which frays at the edges of traditional doctrine. These four aspects are: (1) consent, (2) anonymization, (3) piracy, and (4) data un-territoriality. For each of these aspects I try to demonstrate how jurisdictional rules may evolve, as a matter of lex ferenda, to better balance territorial integrity and cyber stability. My analysis thus attempts to provide a preliminary taxonomy of certain categories of cyber policing activity that could serve as a roadmap for future rule-prescribers and rule-appliers. Given the rise in cybercrime in recent years, the paper ultimately challenges the normative validity and factual sustainability of the current doctrinal tradeoffs between external sovereignty and cyber stability.