Information Sovereignty and Data Havens

Overlooked in the news about WikiLeaks and the sexual escapades of its founder  is the fascinating issue of data havens: secure  “places” where data may be stored and accessed  out of the legal reach of any government or plaintiff.  The concept has interested me for over a decade, and perhaps the best presentation of the concept was in Neal Stephenson’s 199 novel, Cryptonomicon, in which the modern day protagonists try to establish a data haven in the fictional Sultanate of Kinakuta with the objective of providing a platform for anonymous  banking, censorship-free hosting of content, and eventually an online “gold” standard for a virtual currency.

Wikileak’s travails in finding a host are well reported, but to recount, the site was booted off of Amazon Web Services. It’s instructional to read Amazon’s explanation for why they dropped the site from its servers:

“There have been reports that a government inquiry prompted us not to serve WikiLeaks any longer. That is inaccurate.

“There have also been reports that it was prompted by massive DDOS attacks. That too is inaccurate. There were indeed large-scale DDOSattacks, but they were successfully defended against.

“…. AWS does not pre-screen its customers, but it does have terms of service that must be followed. WikiLeaks was not following them. There were several parts they were violating. For example, our terms of service state that “you represent and warrant that you own or otherwise control all of the rights to the content… that use of the content you supply does not violate this policy and will not cause injury to any person or entity.” It’s clear that WikiLeaks doesn’t own or otherwise control all the rights to this classified content. Further, it is not credible that the extraordinary volume of 250,000 classified documents that WikiLeaks is publishing could have been carefully redacted in such a way as to ensure that they weren’t putting innocent people in jeopardy. Human rights organizations have in fact written to WikiLeaks asking them to exercise caution and not release the names or identities of human rights defenders who might be persecuted by their governments.”

In sum, AWS invoked its Terms of Service clause in which it reserves the right to not provide common carriage to data of suspect ownership, e.g. the  stolen diplomatic cables,  banking records, emails, etc. that WikiLeaks serves up.

There are precedents for WikiLeaks — Sweden’s The Pirate Bay is a classic example of a service that was disrupted when the site’s servers were seized by police on a judge’s order  (one server is apparently enshrined in a Swedish computer museum). The fact that a judge could order a seizure that would then be executed by police led to the very interesting attempt by The Pirate Bay to purchase The Principality of Sealand — a former WWII  “Maunsell Sea Fort” sitting a few miles off of England’s eastern coast. Sealand was abandoned after the war, then occupied in 1967 by a pirate radio broadcaster who took advantage of the structure’s placement outside of England’s three-mile territorial limits. The Pirate Bay was unable to pull off the transaction, and one has to marvel at the technical logistics of building a data center far from power sources and fiber optic cables. Pirate Bay now has mirrors in Russia and Belgium in the event another seizure takes place.

Another example of digital activity “beyond the law” would be the  Penet “remailer” established in Finland in the 1990s to make one’s email anonymous — a useful concept for whistleblowers, or people concerned about retribution for their content. Anonymizers such as Tor are another case in point of an attempt by users to mask actions which might be grounds for a lawsuit or criminal charges …. including deplorable uses such as child pornography, but also commendable ones such as the exercise of freedom of speech in a repressive regime.

The concept of legal “venue” — the jurisdiction in which a trial is held or suit is filed — must be remarkably complex in a digital age.  I recall one lawyer telling me, during her law school education, that the course that fascinated her the most was the one of venue. The question of which laws apply when, to cite a pre-digital example, a passenger on an airplane commits a crime at 30,000 feet going 500 miles per hour over several states. The notion of cross-border legal venue is complex and is, in the end, why the world used to enjoy anomalies like Lichtenstein and Andorra.

My short unforgettable stint in the world of online private banking in 2001-2003 placed me in Lichtenstein, the tiny principality between Switzerland and Austria renowned for its uber-secret banking laws and the concept of the treuhand, or trust, in which, to seriously simplify matters, an individual or organization transfers ownership or custody of an liquid asset such as cash or intellectual property such as music copyrights to a trusted person or entity for safekeeping or storage outside of the borders of a tax authority or the legal subpoenas of a plaintiff.

The “trust” part is essential. Do you trust that banker in Lichtenstein to safeguard your assets and return them to you when you need them? For some uber-rich or criminal clients, the issue is one of privacy — do you trust the trust officer to keep your assets and their location secret? Banking secrecy is useful when the resident of one country moves money out from under that country’s tax regime into a country such as Lichtenstein where the tax man can’t touch it. This worked for a long time until 2008 when the German government, fed up with German citizens hiding their cash, paid an employee of LGT Bank, one Heinrich Kieber, more than 4 million Euros for a CD holding the names of German account holders.  Combine that scandal with the post-9/11 Patriot Act in the U.S. and it has become very difficult to hide money offshore without getting exposed.

Will the concept of a datahaven ever be truly realized? Some argue they already do, and yes, to an extent, there are many examples of data that is illegal in one country being housed and permitted in another. But the concept of a truly secure haven seems impossibly far away.

If you accept that serving sensitive or illegal data is, inevitably impossible in the long run because that data can be physically seized, shut off, or blocked, then the solution is to go extra-terrestrial — serve the data from space via satellite. Other than a space seizure out of James Bond,  a satellite server could, if privately launched and maintained, cause quite a ruckus. The possibilities have been explored and may, in fact, be already operational.

As for Wikileaks — the site is currently hosted in Sweden by PRQ — who also hosts The Pirate Bay.

Author: David Churbuck

Cape Codder with an itch to write

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: