In this episode, Kristen Eichensehr discusses the challenge of extraterritoriality in cyber, the concept of "digital Switzerlands," companies acting increasingly like nation-states and running their own foreign policies, and laws and regulations that can create incentives to give up on cybersecurity.
About the guest: Kristen Eichensehr is an Assistant Professor of Law at UCLA. Her work focuses on cybersecurity, foreign relations, separation of powers, and national security law. Prior to joining UCLA, Eichensehr clerked for Justices Sandra Day O'Connor and Sonia Sotomayor of the Supreme Court. Eichensehr received a J.D. from Yale, an M.Phil. from the University of Cambridge, and an undergraduate degree from Harvard.
KEY EXCERPTS FROM THE KRISTEN EICHENSEHR INTERVIEW
(the text below has been condensed and edited for clarity)
John Villasenor: You've done some really fascinating work in relation to cybersecurity in a global context. Among other things, you've done some really compelling work on extraterritoriality. I was hoping you could talk a little bit about why extraterritoriality is particularly complex in the cyber context.
Kristen Eichensehr: Extraterritoriality is kind of the flip side of territoriality, which is one of the basic principles of jurisdiction as a matter of international law. Basically a country has authority to regulate things that have happened within its territory.
The challenge with data is determining whether data is in a territory or not in a territory, which sounds like a basic question, if you talk about physical objects. Their physical location is not that hard to determine, but data is different.
In U.S. law, there's a presumption against extraterritoriality. The presumption against extraterritoriality says that of course we'll presume that U.S. laws apply domestically only, unless Congress clearly indicates that they are also to apply extraterritorially. So what's territorial, what's extraterritorial has big implications in matters of domestic and international law.
This came out most recently in the Supreme Court Microsoft Ireland case, which was really fundamentally a question about data stored in Ireland: Was it, as a matter of jurisdiction law, located in Ireland, or was it located in the United States, because it could be accessed from the United States?
So cyber and the flow of data across borders challenges this idea of extraterritoriality because it confuses the old tests for determining where something is. The old test, the legal test for determining territoriality, was pretty simple. Is something inside a state's borders or outside of state borders?
But now you can have data that is located in multiple countries simultaneously, or that moves across borders at the discretion of a private company, often at the discretion of an algorithm run by a private company. So it's not even a conscious decision by a person in a company, but the data can move across borders quickly. It can be in multiple places simultaneously. And a single document can be fragmented and stored different places around the world at the same time.
John Villasenor: Or part of it can be stored in one country and another part could be stored in another country. And then where is it?
Kristen Eichensehr: Exactly. For all of these reasons, it challenges this very old international law and domestic law principle that territory matters. With data, territories kind of matter, but not really.
John Villasenor: How is the global policy dialogue on cyber falling short of fully accounting for extraterritoriality, and what can we do about that?
Kristen Eichensehr: Well, basically every country is going to have to figure out what the answer to this is and there are a lot of, perhaps unintended consequences. So to go back again to the Microsoft Ireland case, what was at issue in that case was U.S. law enforcement wanted to access the contents of an email account that were stored in Ireland. And Microsoft said they couldn't, because the legal provision of the Stored Communications Act that the government was using to access the account, Microsoft said applied only domestically. It only applied to things stored in the United States, and even though the contents of the email account could be accessed from Redmond, Washington, where Microsoft is headquartered, Microsoft said that’s extraterritorial, not territorial, the U.S. doesn't have authority.
So all countries are going to have to figure out what they think about this. Is what matters where the data is stored, is what matters where it can be accessed? Is it some other principle? Does where it is stored not matter at all? And even if you have an answer for one country, so in the United States, the Microsoft Ireland case became moot when Congress passed a statute this spring that clarified that the statute that the government was proceeding under in the Microsoft Ireland case did apply extraterritorially. So there is no longer a problem of U.S. law. It didn't matter that the data was stored abroad.
The fact that the United States has answered that question—U.S. companies can now comply with the legal requirements of the Stored Communications Act and provide data to U.S. law enforcement even if it's stored abroad—doesn't answer the question globally.
Every country is going to have to figure out: Do they care about the storage location or do they not care about the storage location? And you could have competing demands. So, for example, if U.S. law enforcement asks for data from a U.S. company, and it's stored in a country abroad that doesn't think that the United States has authority to access the data, that could present foreign relations problems, and a sort of international conflict.
John Villasenor: That can lead to conflicts, right? Where, you know, Country A and Country B come to conclusions that can't both be followed because they would conflict with one another with respect to data stored in one or the other country, right?
Kristen Eichensehr: Right, exactly. That puts the companies potentially in a very difficult position because they've got two different governments telling them conflicting things about what they can do with data that they hold.
John Villasenor: Another area of your work that I find really interesting is “digital Switzerlands.” First of all, where did that phrase come from?
Kristen Eichensehr: Microsoft president Brad Smith, in a speech at the RSA Conference in 2017, called for the technology sector, the global technology sector, to become “a trusted neutral digital Switzerland.” So he basically made an argument that technology companies need to protect their users from government attack everywhere, no matter which government may be attacking users. And not be complicit with government and enable government attacks on users.
John Villasenor: You wrote that digital Switzerlands "captures the role that U.S. technology companies have increasingly taken on in respect to cybersecurity and privacy: They are acting like states and running their own foreign policies." And that's a really interesting observation. Can you explain what you mean when you're talking about companies really acting, in many ways, in the cyber context like state actors?
Kristen Eichensehr: Companies, some of these technology companies, in certain circumstances [are] doing things that we'd think governments are typically the actors that do.
One thing they're doing, they are sort of tangling with government in a way, calling them out when they see governments doing things that they don't think are acceptable. They are also doing things like engaging in crime control. So if you think about typical government functions, crime control falls in that category and will jump to the top of many people's list.
But one way that the companies are engaging in crime control is dealing with botnets. Botnets are networks of computers that can do all sorts of bad things, like spam and malware. Microsoft has actually pioneered, basically, legal action which allows them to take down botnet command and control infrastructure. Microsoft has done some of these by itself. It's done a number of them now in partnership with, in particular, the FBI and U.S. law enforcement.
But the companies are doing these things that we typically think of governments doing and have even moved into the public policy space. So they've proposed things like establishing an international agency that would do attribution of government-sponsored cyber attacks. Even perhaps cutting governments out of the loop and basically having this nongovernmental entity accuse governments of cyber attacks. In a lot of ways, they're acting like governments.
John Villasenor: That's a really fascinating explanation. Does this conflict with the role and ability of governments to develop and carry out cyber policy? Does it enhance it? A bit of both? Does it depend on the country? Because presumably, governments obviously have a continuing and very strong interest in cyber policy and being able to act on it.
Kristen Eichensehr: I would say it complicates things for government. So governments now aren't the only actors. They have to account for the actions, not just of other states, but also of these very powerful private companies. And in certain ways, the companies are getting ahead of governments. We see this with respect to attribution. There have been numerous instances where a private company will accuse a foreign government of a cyber attack long before, for example, the United States or the United Kingdom actually comes out and essentially attributes the attack.