Jurisdictional Arbitrage for Risk Management
Ryan Lackey
HavenCo, Ltd.
RSA Conference 2002 San Jose
Introduction
Uncertainty is risk
Risk is cost
Overall costs should be minimized
Politics and legislation are constantly evolving, in a feedback loop with public opinion, and are thus highly uncertain
It is hard to completely eliminate exposure to political and legislative risk, but it can be managed
History
Examples from jurisdiction-sensitive non-hosting activities might be informative
Examples from the early adopters of jurisdiction-sensitive hosting can be generally applicable, even if they are unique business environments
General Hosting Background
Hosting in-house vs. colocation
Primary factors: bandwidth, computation (either shared or rent space and hardware), support
Big market – by definition, anything available on the Internet is hosted somewhere, even if without conscious thought
Various concerns: convenience, maintenance, upfront and continuing cost…legal issues and security are often low
Introduction: What Characterizes Controversial Data?
Potentially unpopular: with governments, corporations, or influential groups
Often on legally uncertain ground; new media applied to older laws
Must have a critical mass of interest before people really bother; either really objectionable (kiddie porn) or really widely publicized (napster)
Determining Jurisdiction
Relatively complex and not very well tested
“Substantial nexus” rule, tax was an early way
Highly general; if you have presence or customers in a jurisdiction, assets in that jurisdiction could be at risk
Fundamentally any assets in a jurisdiction or a jurisdiction with treaties with that jurisdiction are at risk to legal action in that jurisdiction or its allies
Examples of Controversial Data
Online gambling/gaming
Pornography
Email/subpoena
Patent/IP issues
Cryptography and security
Privacy information
Financial transactions
Anything in a regulated industry
What is essential to hosting in general
Reliability
Costs (monthly and upfront)
Network bandwidth availability
Physical security
Good quality support
Technical Taxonomy
Static sites with low bandwidth requirements
High-bandwidth media objects, static
Interactive low bandwidth (transactional)
Interactive high bandwidth (multimedia)
What kinds of hosting are possible?
Onshore: Hosting in home jurisdiction, or a jurisdiction closely allied; most major nations are a unified regime
Offshore: Hosting in specialized offshore jurisdictions
Online: Using cryptography, replication, distribution, and other techniques to obfuscate where data is hosted, or make it technically infeasible to censor
Onshore
Exemplified by traditional colocation and managed hosting – exodus, rackspace.com, etc.
Has high-quality technical infrastructure, support staff
Low cost/high efficiency; very developed markets
Very substantial regulatory overhead; existing regulations, and constantly-added new regulations (DMCA, CALEA, etc.)
Offshore
Specialized providers which are based in smaller markets/jurisdictions, offering jurisdictional/regulatory advantages
Examples: Offshore Information Services (AI), HavenCo (SX, etc.), and for some people, CA, US or NL carriers are “offshore” (pornography, cryptography mainly)
Physical security and trust are important issues, as legal remedies are virtually nil
Works best with actual support from local regulatory authorities; otherwise laws can be changed on a whim or election
Often used in conjunction with offshore corporate structure, payment processing, etc.
Online
“p2p” systems, like mojonation, gnutella, etc.
Generally, only capable of static hosting; incapable of secure computation
Highly unreliable in microstructure, but in the aggregate, theoretically highly robust; able to withstand damage without being destroyed
In practice, most systems have some central avenues of attack, even if mostly distributed
Success Stories
Onshore – most sites on the Internet
Offshore – PublicData.ai, offshore gaming all over, payment systems with HavenCo
Online – music trading
Horror Stories
Onshore: publicdata got forced out of the US, napster was effectively emasculated, casinos have been prosecuted
Offshore: lots of casinos have had low security and reliability
Online: software development debacles with no real user-useful applications
Jurisdiction Shopping
Various companies shop for jurisdiction as just another checklist item – either specific regulatory compatibility, or favorable tax regime, or proximity to customers
Popular jurisdictions change with time
Technical Concerns
Network performance and reliability to these locations
Geo-location based reverse DNS systems blocking access based on location
Dropping of routing by international transit providers
Trust with machines you never see, exposure to risk
Business/Legal Concerns
Even if your server is offshore, if you’re onshore, you can face contempt, civil lawsuits, public scorn, etc.
If you operate a subsidiary in a country, you may face pressure on global operations
A Possible Model
“Digital offshore information trust”, where access is restricted so exceptional actions require confirmation by a trustee offshore (or online) who can verify lack of duress
Most easily tested for email
May validate the ASP model
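An added example (not from the talk or from HavenCo) of the trustee-confirmation gate this slide describes: routine requests pass, while exceptional ones need a short-lived approval issued by the trustee. The action names, the HMAC key shared between trustee and host, and the boolean standing in for the trustee's out-of-band duress check are all assumptions.

```python
import hashlib
import hmac
import time

# Assumed policy: which operator requests count as "exceptional".
EXCEPTIONAL = {"export_mailbox", "delete_mailbox", "change_owner"}


def _mac(key: bytes, action: str, target: str, expires: int) -> str:
    # Bind the approval to one action, one target and one expiry time.
    msg = f"{action}|{target}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def trustee_approve(key, action, target, duress_check_passed, now=None, ttl=300):
    """Trustee side: issue an approval only after the out-of-band duress
    check (a human step, modelled here as a boolean) has passed."""
    if not duress_check_passed:
        return None
    expires = int(now if now is not None else time.time()) + ttl
    return {"action": action, "target": target, "expires": expires,
            "mac": _mac(key, action, target, expires)}


def gate(key, action, target, approval=None, now=None):
    """Host side: routine actions pass; exceptional ones need a valid,
    unexpired approval bound to this exact action and target."""
    if action not in EXCEPTIONAL:
        return "allowed"
    if approval is None:
        return "denied: trustee approval required"
    now = int(now if now is not None else time.time())
    expected = _mac(key, approval["action"], approval["target"], approval["expires"])
    if not hmac.compare_digest(expected, approval["mac"]):
        return "denied: bad approval"
    if (approval["action"], approval["target"]) != (action, target):
        return "denied: approval is for a different request"
    if now > approval["expires"]:
        return "denied: approval expired"
    return "allowed"
```

With a shared HMAC key the gate must run on the host outside the operator's reach; a public-key signature from the trustee would remove that shared secret.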
Enhancements
Separating business functions out into effectively independent agencies, operated in individually-suited jurisdictions, communicating via the Internet
Replication/distribution across jurisdictions – although in most cases the “any” rule will apply rather than “all”
Open Questions
Will onshore laws continue to get worse?
How far can offshore hosting go without either getting shut down or causing onshore laws to change?
Will online systems get better? Can they do secure transactions and add payment?
Summary
The next 5-10 years will be very interesting
A few major cases will definitely be able to change the course of history; important to choose the right battles