Cybersecurity LawInternet Governance: The Big Picture

Prof. David W. OpderbeckSeton Hall University Law SchoolFall 2010

© 2010 David W. OpderbeckLicensed Under Creative Commons Attribution / Share Alike

Who Governs the Internet? The Internet’s genesis as a network

using open protocols for university researchers

Much of the “governance” structure arose piecemeal and pragmatically

No coordinated international legal / treaty mechanisms 

Cybersecurity Law

ICANN Internet Corporation for Assigned

Names and Numbers: oversees the Domain Name System (DNS) DNS translates a uniform resource locator

(URL) – e.g., www.cnn.com – into the unique numeric IP address used to route messages over the Internet (for www.cnn.com: 157.166.224.26)

Cybersecurity Law

ICANN Authority over domain name addresses

originally rested with the U.S. Defense Information Systems Agency under the Internet Assigned Numbers Authority (IANA)

IANA now operated by ICANN ICANN is a non-profit corporation (chartered

in California) operating under agreements with the U.S. Department of Commerce

Cybersecurity Law

ICANN Authority over domain name addresses

originally rested with the U.S. Defense Information Systems Agency under the Internet Assigned Numbers Authority (IANA)

IANA now operated by ICANN ICANN is a non-profit corporation (chartered

in California) operating under agreements with the U.S. Department of Commerce

Cybersecurity Law

ICANN ICANN governed by a Board of Directors of

15 voting members Regional Internet Registries, ccTLDs (country

code top level domains), and gTLDs (generic TLDs) have ICANN “supporting organizations”

No direct government participation: a “Governmental Advisory Committee”

Technical advisory committees Security and At-large advisory committees

Cybersecurity Law

ICANN

Cybersecurity Law

Source: ICANN Website

ICANN ICANN’s DOC agreements have moved ICANN closer

to full private governance of the DNS Significant issues remain: e.g. control over the

master root zone file; internationalization of domain names; security protocols for the DNS; WHOIS information about IP address holders; creation of new top-level domains

E.g.: under the U.S. DOC contracts with ICANN and Verisign, no change in the root zone file can be made without DOC approval; and Verisign manages the .com, .net .or, .edu, .gov and .us domain names U.S. blocking of new .xxx TLD

Cybersecurity Law

ICANN At WSIS (World Summit on Information

Society – U.N.-sponsored) meetings, developing and non-western countries have sharply criticized U.S. influence over ICANN

Many of the ICANN Board members are affiliated with Internet businesses

Meaningful participation is time-consuming and difficult – perhaps only 250 people are true opinion-makers

Cybersecurity Law

The Internet Society ISOC: Group of nonprofit organizations

that address technical standards and protocols – international technologists drawn from industry, academia and government Internet Engineering Task Force Internet Engineering Steering Group Internet Architecture Board

Cybersecurity Law

The World Wide Web Consortion W3C: sets standards for the World Wide

Web. Not part of ISOC, but collaborates with ISOC.

Cybersecurity Law

The International Telecommunication Union ITU: UN Agency

Addresses operating standards for telecommunications networks and tariff questions

Often suggested that ITU should take over some of ICANN’s functions

Intergovernmental organization – only governments vote in the ITU

Cybersecurity Law

Council of Europe Convention on Cybercrime Convention on Cybercrime requires

signatories (46 signatories) to adopt minimum standards on cybercrimes; cooperation in investigations and extradition Note: U.S. refused to sign until a

provision that would have required rules banning racist language was removed

Cybersecurity Law

The Yahoo! Case and Internet Governance Facts / Procedural History

Yahoo!’s auction sites include auctions for Nazi memorabilia

French law makes the sale of Nazi objects illegal

Action by public interest groups in France to block access to Yahoo! Auction sites under the French law

The Yahoo! Case and Internet Governance Facts / Procedural History

French injunction: “take all measures at their availability, to dissuade and render impossible all visitation on Yahoo.com to participate in the auction service of nazi objects, as well as to render impossible any other site or service which makes apologies of Nazism or that contests Nazi crimes.”

The Yahoo! Case and Internet Governance Facts / Procedural History

Subsequent French ruling: upholds original injunction after hearing expert

testimony that 70-90% of French traffic to Yahoo! could feasibly be filtered through a combination of IP-based and self-identification But note testimony of Vinton Cerf (known as the

“Father of the Internet”) about the problems with self-identification

100,000 Franc per day fine for non-compliance Court notes that Yahoo!’s efforts to comply with

earlier order “for the most part” satisfy that order

The Yahoo! Case and Internet Governance Facts / Procedural History

Yahoo! Then seeks a declaratory judgment in California that the French orders are unenforceable

California district court agrees Appeal to Ninth Circuit; court hears

appeal en banc

The Yahoo! Case and Internet Governance Analysis

8 judges conclude there is personal jurisdiction over the French parties

3 of these 8 conclude the case should be dismissed for lack of ripeness

5 of these 8 conclude the case is ripe for adjudication

3 judges conclude there is no personal jurisdiction Therefore: 6 of 11 judges vote to reverse (3 on

ripeness ground and 3 on personal jurisdiction grounds)

The Yahoo! Case and Internet Governance Analysis – Personal Jurisdiction

Opinion for the judges finding personal jurisdiction: Specific jurisdiction based on D’s forum

contacts and P’s claim Purposeful availment includes cease and

desist letter, service of process in California, and obtaining orders that require compliance in California with threat of substantial penalty

The Yahoo! Case and Internet Governance Analysis – Ripeness

Opinion for the judges finding the case is not ripe The French orders only relate to Internet users in France;

nothing about restricting access to users in the U.S. To the extent the French order requires Yahoo! to take

actions in the U.S., under principles of comity, it could be challenged if “repugnant” to the public policy of the U.S.

The fact that French law may differ from U.S. law does not make it “repugnant” to U.S. public policy

It is unclear even what further actions, if any, the French orders require

No substantial hardship to Yahoo! because it may already have substantially complied with the French orders

The Yahoo! Case and Internet Governance Analysis – Judges who would have found no personal

jurisdiction The French orders directed Yahoo! To perform action in

France, not in Calfornia No evidence of purposeful availment of the California

forum The U.S. court should have abstained from exercising

jurisdiction under principles of comity The French litigation was effectively an act of state “The criminal statutes of most nations do not comport

with the U.S. Constitution. That does not give judges in this country the unfettered authority to pass critical judgment on their validity.…”

The Yahoo! Case and Internet Governance Analysis – Judges who would have the

case ripe for adjudication “the issue before is whether a United

States Internet service provider, whose published content has been restricted by a foreign court injunction, may look to the United States federal courts to determine the enforceability of these restrictions under the United States Constitution’s First Amendment.”

The Yahoo! Case and Internet Governance Analysis – Judges who would have the case ripe

for adjudication Yahoo!’s servers are located in the U.S. The French injunctions therefore represent a prior

restraint on speech in the U.S. The French orders are vague: “[t]hey require

Yahoo! To guess what has to be censored on its Internet services here in the United States, under threat of monetary sanction if it guesses wrong.”

Easily satisfies the “repugnancy” standard for not enforcing a foreign judgment

The Yahoo! Case and Internet Governance Analysis – Judges who would have the

case ripe for adjudication “Under the principles articulated today, a

foreign party can use a foreign court decree to censor free speech here in the United States on any range of subjects it finds objectionable – religion, democracy, gender equality – in the name of enforcing its own country’s laws.”

The Yahoo! Case and Internet Governance What does this case suggest about cyberspace as

a “space?” Is cyberspace “exceptional” or “unexeceptional”? What happens when important public policy values

collide in cyberspace? Can / should cyberspace govern itself? In today’s readings, Kurbalija and Clarke suggest,

to differing degrees, a stronger role for international organizations in Internet governance, either through new treaty obligations and/or WTO and WIPO. What security concerns does this raise?