The challenge of borders lies at the very heart of cyberlaw. Most observers have long argued that the Internet presents lawmakers with a jurisdictional dilemma: The Internet is viewed as "borderless," but law is best characterized as "bordered" because national laws typically stop at the border.
Last year, I suggested that the borderless Internet was gradually growing into a bordered Internet, with new geo-identifying technologies emerging that allow Web sites to identify the geographic location of their users. Today, it is increasingly clear that a second trend is developing — as the borderless Internet is fast becoming the bordered Internet, borderless laws are replacing bordered laws.
The implication of the second development is particularly dramatic because it suggests that Internet policy-making power lies primarily in the United States and the European Union, leaving smaller countries such as Canada unable to effectively develop independent policy.
While the bordered Internet may attract increasing attention, borderless laws deserve even greater scrutiny. Consider recent developments in three of the most contentious legal areas — copyright, domain names and privacy.
As Canada debates digital copyright reforms (with many fearing the introduction of a Canadianized version of the U.S. Digital Millennium Copyright Act), the reality is that the DMCA may already be applicable in Canada. Prosecutors in California, who are pursuing a DMCA criminal action against Elcomsoft, a Russian software firm, have argued that the U.S. Congress explicitly drafted the copyright law in an extra-territorial manner so that it could be applied to activities that originate in Russia. If true, the same logic could easily be applied to Canadian firms that run afoul of the U.S. statute.
In fact, at a Canadian copyright consultation in Ottawa the past spring, direct-to-home satellite provider DirecTV lamented that "only" 43 per cent of Canadian Internet service providers were responding to their DMCA notices that require ISPs to take down alleged infringing content. Of course, many Canadians may find it problematic that even 1 per cent of ISPs, much less 43 per cent, would respond to legal requests that do not reflect Canadian copyright policy.
Similarly, U.S. legislation on domain name cybersquatting explicitly applies outside the country. Recognizing that millions of domain name registrants do not live in the United States, the U.S. Congress added an in rem jurisdictional clause to the Anticybersquatting Consumer Protection Act that allows complainants to sue the domain name rather than the domain name registrant. This enables U.S. courts to assert jurisdiction over domain name disputes even where traditional standards for personal jurisdiction are not met.
The impact of the clause was experienced last year by the Toronto-based registrant of the technodome.com domain. The registrant faced the prospect of a lawsuit in Virginia after the Canadian owner of the technodome trademark (Heathmount A.E. Corp, which is developing entertainment projects in Montreal and New York) sued there rather than in Canada. Heathmount was able to sue in Virginia because that was the location of the root server. This resulted in two Canadian parties battling in a U.S. court. Although some Canadian policy makers have raised the prospect of Canadian anticybersquatting legislation, it would appear that Canada already has such a statute — the U.S. Anticybersquatting Consumer Protection Act.
Meanwhile, Canada may have its own private sector privacy legislation, but it is not the only privacy law to which Canadian firms need to answer.
The U.S. Children's Online Privacy Protection Act, which applies to the collection of personal information from children under the age of 13, provides that any Web site that targets U.S. children is subject to the law, regardless of the site's location.
The EU recently adopted the same privacy approach when, earlier this month, its data protection working group released a decision on the applicability of European privacy law to Web sites in non-member states, concluding that the law applies to everything from software "cookies" to downloads.
Interestingly, the Internet jurisdictional challenges created by borderless laws actually mirrors the early — and misguided — approaches adopted by courts.
In the mid-1990s, several courts in the United States and Canada asserted jurisdiction over Web sites merely because they were accessible within the jurisdiction, an approach that critics rightly noted would allow every court everywhere to stake a similar claim.
However, courts gradually set limits on their jurisdictional reach, first by assessing whether a site was active or passive and more recently by considering whether the site targeted the jurisdiction.
The aggressive extra-territorial approach to Internet lawmaking indicates that we are back to square one, where every country everywhere can theoretically lay claim to regulating the same on-line activity.
While a borderless Internet and bordered laws may have been challenging, the thorny combination of a bordered Internet and borderless laws may be even tougher to tame.
