When I visited mid January 2008 a technology crime police team in
Amsterdam, they told me
about the internet related issues they were
struggling with. One issue was related to the physical location of a server.
They said to have permission to open
someone’s mail box
only if the servers are physically located in the Netherlands.
In any other case they needed permission from the “hosting” state.
Yahoo-mailbox showed an unread e-mail
with a subject that
seemed highly relevant for the case. Not looking at this
e-mail
because the mail is hosted in the US seems to me an
unjust
territorialisation of the internet.
How should this policy be applied to virtual words?
The issue in general has been discussed during the drafting of the Cyber
Crime Treaty (Council of Europe),[1]
but the drafters did not succeed to define under what circumstances
investigation should be allowed on servers located in foreign territories. So,
they decided to not regulate it.
In one recent case, the American producer of a game did not provide
personal data of Dutch citizens (a group of fascists) breaching Dutch Penal Law
because their utterances were allowed under the First Amendment. I can
understand that, but there is a related question that intrigues me: is the
Dutch police allowed to investigate in virtual worlds that are hosted and
produced by, e.g. American companies? Is the Dutch police allowed to follow,
observe, etc. avatars in general, or only if there exists a suspicion of e.g.,
illegal money transfers, hard drugs transactions or the planning of
(terrorists) attacks? As the above e-mail example illustrates, co-operation
with foreign police officers or foreign prosecutors is needed if the servers
are located in other countries.
I am curious what a judge will decide if a suspect argues that the
evidence obtained in a virtual world is inadmissible because the permission of
foreign authorities was lacking. According to the wording of the code the
suspect may be right, but following the spirit of the law would lead to another
conclusion. To me, this would even be so if a citizen was logging into a
virtual world from outside his home country, the servers are hosted elsewhere,
and also the producer is form a foreign state. Just like a country has
jurisdiction over a website indifferent of where the site is hosted, a virtual
world can have impact in any country.
Authorities must be allowed to enter these worlds, just as avatars can, and patrol if necessary. I am not a proponent per se of policing in virtual worlds, but besides the regular national legal safeguards in this respect I see no legal obstacles in doing so if servers are located in other countries.
I don't know dutch law. But I guess it is the general rule of international public law, which should apply: When the foreign country is uncapable or unwilling to prosecute and the crime concerns the international comnunity as a whole, the universal jurisdiction principle allows states to investigate on foreign territory - including servers. Such a crime ist planning of acts of terrorism.
I guess in dutch law, there should be an adoption of this rule in the national code as it is in Germany.
Of course, when it comes to other crimes (like, for example, child pornography) and national specialties like the first amendment in the USA, the situation is much more difficult.
Talking about terrorism, this seems to be an important issue.
Posted by: Hendrik Wieduwilt | Feb 08, 2008 at 11:43
I work for Yahoo and find the irony of this pretty rich:
Mr. Lodder says:
unjust territorialisation?
Did you happen to notice how Yahoo! got it's collective a$$ handed to it for disclosing a dissident's private information to the Chinese government?
One moment people want large companies to defy the orders of local authorities, and the next they want the companies to comply.
It can't be both ways.
Posted by: F. Randall Farmer | Feb 08, 2008 at 13:53
@ Hendrik. Very interesting link, thanks
@ Randall Farmer. My 1st amendment example is similar to the Chinese case you refer to. The e-mail example is different, since for that no co-operation is needed. So my point is whether it should be allowed to act on servers WITHOUT the help of the owner being necessary. So, opening an e-mail on someone's computer who is already logged in. Or, if servers of a virtual world are located on foreign ground, being allowed to watch/follow a (possible) suspect.
Posted by: Arno | Feb 08, 2008 at 16:15
@ Arno:
Are you saying that Dutch law permits police to use website evidence — regardless of where the website server is located — but that email evidence may only be used if the server is located in the Netherlands (or with the permission of the host nation)? [Read: Having jurisdiction (i.e. the power to prosecute or force action) over a foreign company/website is different from being able to use evidence collected from the source in a criminal prosecution under domestic Dutch law.]
Assuming I understand you correctly — how does Dutch law distinguish between a website and email to justify this somewhat contradictory evidentiary stance? Is it based on the difference in the technology or the manner in which police gather the evidence (or neither because I am missing your point)?
Posted by: Candy | Feb 08, 2008 at 20:13
The process involved is a critical component of balancing the ability(and duty!) of a state to protect its citizens and the moral notion that individuals have first amendment rights that both protect free expression and have wrapped in a pragmatic attempt to prevent tyranny that can so often bloom from human polictical and power lust drives.
I would be shocked if there truly was no legal procedure that enabled Dutch authorities to get access eventually to the mentioned email.
But checks and balances would almost certainly evolve through court rulings, laws, and precedent.
There is a difference between authorities eaves dropping at will without a record of them doing so, and having them ask permission from a third party explaining why they believe an infringement is necessary and creating a record of who, when and how such thing would take place and that record might someday be made public.
I'd imagine the laws for getting access to information in virtual worlds would more or less track rules concerning wiretaps and searches of property. The rules on searches are quite intricate (emegerncy, theat, probable cause, admissablity of such evidence in a trial etc)
Posted by: shander | Feb 08, 2008 at 21:22
Using real-world geography to decide issues of net jurisdiction is, ultimately, untenable. Some day in the I-might-live-to-see-it future, we'll have distributed servers that are so devolved that you won't be able to tell whereabouts in the real world the code you're actually running is, or indeed the storage. If you can't tell, you can't prosecute.
States already have some laws that prevent their citizens from engaging in activities in other countries that are legal in those countries but not in their own country (eg. in some parts of the world it's legal to have sex with 14-year-olds, but if you go there and do that and you're British or German then you're going to jail upon your return). It's a much smaller step to say that you can use as evidence anything your citizens do wherever they do it and wherever the evidence is stored; it only becomes a matter of international relations if you have to ask a non-citizen not based on your territory to release the information you require.
Richard
Posted by: Richard Bartle | Feb 09, 2008 at 07:21
Is the disciplinary gaze of the Authoritarian something we would actually encourage in virtual spaces. Particularly if we argue that any damage done is merely virtual anyway.
If in the final analysis 'virtual' freedom is more tangible than 'virtual' harm, would we be better off asking 'the cop' to show the warrant or get the hell out?
Posted by: dmx | Feb 10, 2008 at 18:35
For the legal eagles here, with the Guttnick vs Dow Jones decision in Australia, that basically held that a web page is 'published' where its viewed , applicable here, considering it was a civil defamation case that refered to Australias view that a publisher is also liable for defamation, is that applicable to this sort of thing?
Posted by: dmx | Feb 10, 2008 at 18:38
Goonswarm's.
Posted by: Reggie Jackson | Feb 10, 2008 at 19:53
eh? Not sure I get yr drift there Reggie.
Posted by: dmx | Feb 11, 2008 at 08:39
Seems to me there's a difference between, as you say, "Not looking at this e-mail", and asking for "permission from the hosting state", receiving said permission, and then, presumably, looking at the email after all.
Did the authorities in the Netherlands ask for permission through appropriate channels yet? If so, did they receive it? Or is this case still being resolved, or did they not ask?
I think a law where they could coerce cooperation from a foreign company when they want access to its records isn't the ideal solution to this problem. It's unenforcable, as they can't threaten fines or imprisonment for non-compliance the same way they could to ensure cooperation with the laws of their own local citizenry. And if it were enforcable, it's excessively disruptive and violates the notion of sovereignty. If the government of the other country cooperates sufficiently with your country to handle matters of acquiring evidence, extradition, etc. etc. there's no need to go poking holes in sovereignty to solve a problem you're not even having yet.
Are they having problems getting at info like this once they ask? Or is this an entirely speculative, hypothetical problem?
Posted by: | Feb 11, 2008 at 09:42
@ dmx
This gets at my earlier question. There is a difference between having jurisdiction (like I can sue you in the U.S. if your website establishes enough contacts with the jurisdiction) and being able to use the evidence in court (like when U.S. police execute a bad Fourth Amendment search and the evidence is not admissible). I thought that Arno was talking about the latter (under Dutch law) with regard to viewing the emails based on server location.
Gutnick (if I remember it correctly) was about the former — hauling nationals of other States into a domestic court to answer for a tort. Australia, Netherlands, U.S. — whatever country — could, conceivably, set any jurisdictional guidelines it finds suitable. As noted by others, without physical power or some type of financial leverage over the defendant, such jurisdiction is useless.
Universal jurisdiction, discussed by Hendrik, applies to so-called erga omnes offenses like crimes against humanity, slavery, torture, piracy, genocide, etc. (Crimes that are so bad that countries have a moral duty to prosecute them — even without a treaty obligation.) It is a controversial notion of jurisdiction, and it involves heinous acts, which, due to their nature, are unlikely to be prosecuted in the forum where they occur. It is not hard to imagine just how unpopular a country's jurisdiction extension over lesser crimes or civil wrongs would be.
But, again, snooping around in a publicly accessible virtual world to gather evidence is different than trying to coerce the virtual world owner to provide the evidence. The admissibility of the snooping bounty should depend on domestic rules of evidence.
Posted by: Candy | Feb 11, 2008 at 22:40
Thanks to Arno for this post. I also know rather little about Dutch law on this issue, but for a U.S. perspective, you might read: Patricia L. Bellia, Chasing Bits across Borders, 2001 U Chi Legal F. 35.
This is from the first few pages:
I find it very interesting that among those who argue for broad powers of cross-jurisdictional search is Jack Goldsmith, who recently wrote a book about how the notion that the Internet lacks borders is an illusion.
For another point of view, see this by Johnson and Post.
Posted by: greglas | Feb 14, 2008 at 13:41
I conducted research into virtual surveillance during my Masters degree.
My exegesis documents the existence of surveillance in virtual worlds. A panoptical model was used, and its premise tested through extension into these communal spaces. Issues such as data security, personal and corporate privacy were investigated.
Enjoy!
http://adt.lib.rmit.edu.au/adt/public/adt-VIT20080424.100301/index.html
Posted by: Christopher Dodds | May 21, 2008 at 23:31
Thanks a lot for the link!
Posted by: Arno R. Lodder | May 22, 2008 at 04:24