[discuss] global cyber sovereignty [was discuss Digest, Vol 3, Issue 67, etc.]

JFC Morfin jefsey at jefsey.com
Sat Feb 22 19:35:29 UTC 2014


I think this issue is the only one where this list can really help 
the Govs. that will meet in Sao Paulo. It concerns what we could call 
"global cyber sovereignty". I will try to gather some elements for 
common consideration.


1. Past situation

Up to now, sovereignty was associated with the territory and the 
acknowledged capacity to use force up to the violence of war. This 
has led to the notion of Westphalian nation states, related to the 
territories that they then negotiated and acknowledged, and we keep 
respecting through the notion of fixed borders.


2. Advent of Cyberspace

With the advent of cyber space, it was naturally decided in 1978 and 
accepted (cf. ICP-1) that the source of national cyber authority was 
the ISO 3166 table of *territories* (not of sovereign states). The 
rationale by then was either to divide the world:
- on the basis of the international operator's network access (which 
led to ".uk"),
- business interests (which three years later led to .com [Tymnet], 
.net [Telenet], and .org [misc.])
- or of the international operator servicing the territories, within 
the constraints of the communication national regulations (what led 
to the ccTLD system).

When Vint Cerf, also in 1978, introduced the Internet project, he had 
a similar vision about the interneting of local networks: " The term 
"local" is used in a loose sense, here, since it means "peculiar to 
the particular network" rather than "a network of limited geographic 
extent." "


3. Notion of Relational Space

The term we used in order to name these virtual territories, the 
people being connected and their rights/motivations to be connected 
was "relational spaces". This had the advantage:
- to not presuppose links among its participants (like a community 
would do) and apply to everything (multi-stakeholders and equipment) 
that can be related in any digital manner.
- to match the parallel explanation of Vint Cerf: "A satellite-based 
network such as the ARPA packet satellite network therefore has 
"local" characteristics (e.g., broadcast operation) even though it 
spans many thousands of square miles geographically speaking".
- to be independent from the notion of state, of territory, of size, 
of importance, etc. and, therefore, apply to everything autonomous 
enough to be authoritative in regards to its relations.

Now, we observe that a territory (i.e. a part or the entire national 
space) and a "state relational space" have many similarities. The 
same for a territorial domain and a private relational 
space.  Mokapetris who documented the DNS, called them "domains", a 
TLD being a territory's general domain. So, we observe that the 
Tymnet/PTT, the Internet, the DNS, and the general common practice 
converge toward relational spaces that can be identified by domain 
names, gathering people and machines that accept that "domain name" 
for the domain of their structured relational space. In terms of 
sovereignty, it means that sovereignty is attached to the space 
supported by a relational support system/management structure. This 
is what Jon Postel documented as a "NIC", network information center.


4. Jurisdiction on relational spaces

If we consider the US Justice position, it says exactly that. It 
decided that ".com" is a virtual extension of the US territorial 
space, it physical and legal support system structure being in the 
US, and that the .com relational space belongs to its jurisdiction, 
without caring about the location of the considered relational 
occurrence (host) in a physical territory.

This decision that ".com" is a virtual extension of the US territory 
reflects that ".com" is managed on US soil and can be enforced by the 
US police. This raises the question of a multinational management of 
a TLD in the cloud, using a master-master system such as 
Apache.CouchDB. "CouchDB is a database that completely embraces the 
web. Store your data with JSON documents. Access your documents with 
your web browser, via HTTP. Query, combine, and transform your 
documents with JavaScript. CouchDB works well with modern web and 
mobile apps. You can even serve web apps directly out of CouchDB. And 
you can distribute your data, or your apps, efficiently using 
CouchDBs incremental replication. CouchDB supports master-master 
setups with automatic conflict detection."

This is a case we recently observed on Wikipedia in France. As a 
result of Google's enforcement of its global rules, the French 
privacy protection agency has been designated by the other European 
agencies as their leader to study the resulting legal cases. The 
French NSA equivalent summoned the President of MediaWiki France and 
asked him to remove a page they considered as violating military 
secrets. This was a test to understand (without lawyers interference) 
how multinational structures would react. He explained to them how to 
do it and removed the page. There was an uproar in the MediaWiki 
community, and three hours later a Swiss lady restored the page.

We observe two things here:
- the relational space is made of the relations between its 
participants (not "members", for example the experience of IETF: 
there is no legal bondage between participants). This means that the 
space is in full (multi-location) where each of its participants are.
- sovereignty is independent from the importance, weight, money, 
international status, etc. it is only linked to technical capacity, 
and can even be anonymous. Code is law, sovereignty is capacity.


5. Sovereignty on the top zone

Up to now there is de facto a unique mainly known VGN [virtual global 
network], in the global catenet, i.e. the internet governed by the 
INTERNIC). The possibility is to escalate impracticable decisions 
(e.g. multinational master/master management) to the root file 
manager. This means that even if "com" was managed in the cloud by 
multiple masters or processes, or is foreign, the root could be used 
to block a ".com" name. The plaintiff (here ICE) is, therefore, 
entitled to ask an US Judge to impose VeriSign to load the name 
associated to an ICE address in the root-file.

The case did not occur yet. But nothing prevents it from being 
raised. Except if extraterritoriality was granted to the root file.

1. I fully understand that extraterritoriality could only be granted 
by a treaty, like the one discussed at the WCIT. Until then, the 
root-file remains under US jurisdiction.

2. we can observe that globalizing ICANN and IANA, whatever it may 
mean (cf. Strategy Panel, Feb 20,2014), has no impact on the root 
file US sovereignty. This is because what counts is not the location 
or the dissemination method of the root-file, but its content. This 
content will stay US VGNIC (INTERNIC), i.e. NTIA, copyrighted. This 
copy is only stored on the Alpha machine at VeriSign, published by 
the IANA and distributed by the ICANN Root Server System.


6. Is this real?

The very concept of a root-file is confusing the map and territory. 
Code is law. The so called "root file" is a map of the top zone.

Nothing prevents:

1. A solution where the top zone would be multi-managed in the cloud 
on a master/master MS basis. This would provide extraterritoriality.
2. top zone maps to be produced and published by anyone. And the most 
trusted complete and accurate ones to be mostly used. Multiplicity 
permitting to expose possible tampering.

Everyone can draft a top zones (multiple classes) map, use it (except 
Inquisition) and disseminate it (except censoring). Moreover, these 
maps can be drafted through a multinational master/master work and/or 
by an automated process

Now why would stakeholders do it?
- Snowdenia and metadata protection are a possible motivation.
- more likely by self-security strategy. To prevent attacks by DNS pollution.

- Possibly to support VNN (virtual national networks) to stay within 
a national infrastructure (e.g. Merkel and Hollande discussions)
-more generally by the simple need to support VGNs.

One has to understand that the acceptation of a single VGN (actually 
aside ORSN, Chinese extensions, Newnet, the open-roots and alt-roots) 
and a single class was based on simplicity in the absence of 
presentation layer six. Trade VGNs will progressively deploy (cf. 
demands expressed on this very list). It will probably be the same 
for linguistic, religious, and cultural VGNs.

  On may expect three trends:

- commercial VGNICs permitting to obtain a broad set of predetermined 
information on the catenet along with various 
security/protection/precaution strategies. This is a market for 
ICANN/IANA and possible competitors.
- private, trade, corporate, associative open/closed VGNICs managed 
on an MS basis.
- private top-maps that people will want to tailor to their own needs.

my long 2 cents.
jfc


At 23:14 21/02/2014, Don Blumenthal wrote:
>Jefsey,
>
>I worked on an online case for the first time in 1994 (online service, not
>Internet). A lot more investigators, lawyers, and judges understand system
>operations than back then, but still not nearly enough. To paraphrase you
>in a note today to Milton, we have to deal with the reality of what is,
>not what theoretically should be.
>
>I¹m not sure what technical question will be solved by explaining how ICE
>could try to take a foreign-based site down. It¹s a matter of how
>jurisdiction is interpreted. In Rojadirecta, which is the only instance
>that I can think of concerning a non-US site, ICE argued and a judge
>agreed that a US-based registrar for the domain was sufficient. That was a
>very bad case for many reasons in my opinion and what has been lost for
>the most part is that the government ultimately dropped it.
>
>Censorship is too loaded a term for me to get into. I have no problem with
>LE actions that remove harmful or illegal content from the Internet. Of
>course, my definition of those terms might differ from others¹.
>
>FWIW, I am on the ICANN Security and Stability Advisory Committee and was
>a member of the work party that wrote SAC 056, SSAC Advisory on Impacts of
>Content Blocking via the Domain Name System,
>http://www.icann.org/en/groups/ssac/documents/sac-056-en.pdf. Yep, a
>lawyer and a geek. :)
>
>Dpn
>
>
>
>
>On 2/21/14, 1:14 PM, "Jefsey" <jefsey at jefsey.com> wrote:
>
> >Don,
> >
> >you said that things did not happen in a certain technical way. You
> >will accept that beliefs are not the way computer works, and Judges
> >should know the way the things they judge does work. The technical
> >question will be entirely solved if you can explain how an US Judge
> >can order, and how is performed, the seizure of site hosted outside
> >of the USA.
> >
> >If your forte is, as it seems, in the legal field, would you have
> >considered (or someone else) how such a seizure (which consists in
> >replacing an authoritatively published text) compars with censoring.
> >
> >Thank you!
> >jefsey
> >

At 23:25 21/02/2014, Don Blumenthal wrote:
>A caution that we should be careful to terms when discussing these issues.
>Relevant technical, legal, and political issues will vary.
>
>A domain name "seizure" involves a court order that transfers ownership of
>the domain. All services under the domain are affected insofar as someone
>tries to use them via the DNS. A ³takedown² or ³block² involves denial of
>access to given content sources.  Other services still may be available
>via the domain name.
>
>
>Don
>
>On 2/21/14, 2:09 PM, "S Moonesamy" <sm+1net at elandsys.com> wrote:
>
> >Hi Christian,
> >At 02:35 21-02-2014, Christian de Larrinaga wrote:
> >>Is there a general principle in the US that a court should make an order
> >>as specific to the LE target as possible? Is that what keeps this in the
> >>box you describe?
> >
> >Please note that I am using a ".com".  If I argue that ".com" is bad
> >the argument would lack credibility [1].
> >
> >There are some articles about domain name seizures at:
> >
> >http://www.techspot.com/news/42456-us-government-mistakenly-shuts-down-840
> >00-websites.html
> >https://www.europol.europa.eu/content/690-internet-domain-names-seized-bec
> >ause-fraudulent-practices
> >http://techyum.com/2010/10/official-vb-ly-link-shortener-seized-by-libyan-
> >government/
> >https://news.ycombinator.com/item?id=3597821
> >http://gnso.icann.org/en/meetings/minutes-dow123tf-01mar05.shtml
> >
> >I don't think that it is possible to keep this in the box.
> >
> >>LE action is not an issue that is specific to the US. Any root server
> >
> >Yes (see above links).
> >
> >>located around the world  could potentially be subjected to some kind of
> >>local LE action.  Any Root Server falling out of sync is going to impact
> >>the entire Root Server Network if the aim is to keep domain names unique
> >>and resolvable over the whole Internet.
> >
> >I don't think that a (DNS) Root server problem would have an impact
> >on every network.  A (DNS) Root server issue in a country can have an
> >impact on networks in other countries [2].
> >
> >Any root server in the world can be subject to legal action from the
> >relevant government(s).  Would the government carefully consider the
> >potential collateral damage before taking that action?  A few years
> >ago, I might have said "yes".  Nowadays, it is an "unknown".  The
> >trust has been broken.
> >
> >Regards,
> >S. Moonesamy
> >
> >1. the quality of being believed or accepted as true, real, or honest
> >2. See the case of i.root-servers.net
> >
>
>
>_______________________________________________
>discuss mailing list
>discuss at 1net.org
>http://1net-mail.1net.org/mailman/listinfo/discuss

At 00:17 22/02/2014, Shatan, Gregory S. wrote:
>Content-Transfer-Encoding: base64I agree with Don -- from a lawyer's 
>point of view, this is about proving jurisdiction in the US, if we 
>are talking about direct action by US law enforcement.  In 
>Rojadirecta, US law enforcement bootstrapped the US location of the 
>registry for .com and .net for purposes of jurisdiction in order to 
>get a seizure order from a judge, without showing any other US 
>contacts.  But this case is an outlier, and as Don notes, the 
>government lost (and I don't think they've tried this move 
>again).  There were other weaknesses to the case as well.
>
>It should also be pointed out that ICE did not seize the site -- 
>they only seized the domain names, which were registered with a 
>US-based registry.  Rojadirecta quickly switched to rojadirecta.me 
>and was back in business (and outside US jurisdiction completely at 
>that point).  So no "authoritative text" (
>HÀas replaced -- just a path to that text.
>
>So the direct answer to your question is that a US judge can't 
>order, and therefore no way to perform under US law, the seizure of 
>a site located outside the US.
>
>On your censorship question, in the spirit of full disclosure and 
>open debate, I'll point out that Rojadirecta's lawyers argued that 
>the seizure of the domain names constituted a violation of the first 
>amendment.  This would not work where the "speech" being suppressed 
>was not protected speech (e.g., child pornography) -- as noted, 
>there were weaknesses in the government case that made Rojadirecta's 
>first amendment argument plausible (and recall that their "text" was 
>never seized).
>
>If ICE wanted to be part of an operation where foreign-based sites 
>are taken down, they would need to cooperate and coordinate with 
>authorities in the jurisdiction (e.g., EUROPOL or government law 
>enforcement agencies). See, e.g., 
>https://www.europol.europa.eu/content/690-internet-domain-names-seized-because-fraudulent-practices 
>identified earlier here by S Moonesamy.
>
>As far as I can see, there's no plausible scenario where access to 
>the root would need to be part of LE's activities.  LE is going 
>after illegal activity -- counterfeiting, identity theft, child 
>pornography, IP theft, etc.  They will want to strike directly at 
>the bad actor.  The root would not even be of interest.
>
>Finally, the idea that "Judges should know the way the things they 
>judge ... work" is not consistent with reality or even the way 
>litigation works.  First off, judges are not "expert panelists"; 
>they have to deal with lots of things that they know little about 
>(the market in grain futures, the similarity between 2 heart valves, 
>how shipping containers are secured to a ship, etc.).  It's nice to 
>get a judge with some background and experience to allow him to 
>grasp what you are explaining, but hardly to be expected.  Second, 
>the litigants are supposed to "educate" the judge on the facts of 
>their case (as each side sees it) and to provide admissible evidence 
>to show the facts; this is how facts become part of the case that 
>the judge has to deal with.  There are significant limitations on 
>"judicial notice" (where judges bring their own experience or 
>research to the case), and if a judge takes too much of that into 
>his own hands you risk a mistrial.  While I am no "geek," by 
>comparison with the level of knowledge of things technical that I 
>see in most lawyers (and by extension, judges), I am an 
>ubergeek.  Computers are appliances, the internet is a means for 
>getting content, and ICANN is just another five letter word jumble.
>
>Greg Shatan
>
>
>-----Original Message-----
>From: discuss-bounces at 1net.org [mailto:discuss-bounces at 1net.org] On 
>Behalf Of Don Blumenthal
>Sent: Friday, February 21, 2014 5:15 PM
>To: Jefsey; Christian de Larrinaga
>Cc: discuss at 1net.org
>Subject: Re: [discuss] discuss Digest, Vol 3, Issue 67
>
>Jefsey,
>
>I worked on an online case for the first time in 1994 (online 
>service, not Internet). A lot more investigators, lawyers, and 
>judges understand system operations than back then, but still not 
>nearly enough. To paraphrase you in a note today to Milton, we have 
>to deal with the reality of what is, not what theoretically should be.
>
>I¹m not sure what technical question will be solved by explaining 
>how ICE could try to take a foreign-based site down. It¹s a matter 
>of how jurisdiction is interpreted. In Rojadirecta, which is the 
>only instance that I can think of concerning a non-US site, ICE 
>argued and a judge agreed that a US-based registrar for the domain 
>was sufficient. That was a very bad case for many reasons in my 
>opinion and what has been lost for the most part is that the 
>government ultimately dropped it.
>
>Censorship is too loaded a term for me to get into. I have no 
>problem with LE actions that remove harmful or illegal content from 
>the Internet. Of course, my definition of those terms might differ 
>from others¹.
>
>FWIW, I am on the ICANN Security and Stability Advisory Committee 
>and was a member of the work party that wrote SAC 056, SSAC Advisory 
>on Impacts of Content Blocking via the Domain Name System, 
>http://www.icann.org/en/groups/ssac/documents/sac-056-en.pdf. Yep, a 
>lawyer and a geek. :)
>
>Dpn
>
>
>
>
>On 2/21/14, 1:14 PM, "Jefsey" <jefsey at jefsey.com> wrote:
>
> >Don,
>B‡­÷R6­BF†BF†­æw2F­Bæ÷B†en in a certain technical way. You
> >will accept that beliefs are not the way computer works, and Judges
> >should know the way the things they judge does work. The technical
> >question will be entirely solved if you can explain how an US Judge can
> >order, and how is performed, the seizure of site hosted outside of the
> >USA.
>B„­b­÷W"`orte is, as it seems, in the legal field, would you have
> >considered (or someone else) how such a seizure (which consists in
> >replacing an authoritatively published text) compars with censoring.
> >
> >Thank you!
> >jefsey
> >
>
>
>_______________________________________________
>discuss mailing list
>discuss at 1net.org
>http://1net-mail.1net.org/mailman/listinfo/discuss
>
>
>
>                                                                 * * *
>
>This E-mail, along with any attachments, is considered
>confidential and may well be legally privileged. If you have received it in
>error, you are on notice of its status. Please notify us immediately by reply
>e-mail and then delete this message from your system. Please do not copy it or
>use it for any purposes, or disclose its contents to any other
>person. Thank you for your cooperation.
>
>                                                                 * * *
>
>To ensure compliance with Treasury Department regulations, we
>inform you that, unless otherwise indicated in writing, any U.S. Federal tax
>advice contained in this communication  (including any attachments) is not
>intended or written to be used, and cannot be used, for the purpose of (1)
>avoiding penalties under the Internal Revenue Code or applicable state
>and local provisions or (2) promoting, marketing or recommending to another
>party any tax-related matters addressed herein.
> 
>Disclaimer Version RS.US.20.10.00
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20140222/89fccc41/attachment.html>


More information about the discuss mailing list