Why Data Havens Don’t Work

Seven miles off the English coast in the North Sea stands a steel and concrete platform that was, for a time, the world’s most impractical data center. A pair of American entrepreneurs launched HavenCo in 2000 as a “data haven”–a place for gamblers, freethinkers, and dissidents to put their bits far beyond the reach of censorious governments. They set up shop offshore there because since 1967 the platform’s occupants, a former pirate radio broadcaster and his family, have called it the independent Principality of Sealand; they promised to uphold HavenCo’s right to take on the rest of the world’s governments.

It didn’t work–and the reasons it didn’t tell us something important about the Internet. In a pair of recent articles in the popular Ars Tecnica and the scholarly Illinois Law Review, I explore the history of Sealand and HavenCo and conclude that “HavenCo failed not from too much law, but too little.” A remote island “nation” with a single-digit population can’t offer the kind of security and legal stability that a serious business venture requires. HavenCo, by its very nature, couldn’t turn to any other legal system in the world for protection without conceding the very point on which its existence depened: the sovereignty of Sealand.

HavenCo is long gone, but the dream lingers on. Napster clones, the Pirate Bay, and even WikiLeaks have talked about putting servers on Sealand, in the hopes of escaping from what they see as repressive national law. But freedom doesn’t come from some farcical aquatic ceremony. It comes from building institutions resilient enough to stand up to power, and self-restraining enough not to misuse the power they themselves posess. That requires engagement in politics, social movements, legal processes, and society–everything that HavenCo rejected.

In addition to its larger lessons, the Sealand/HavenCo story is also a ripping good nautical yarn. Roy Bates, Sealand’s founder and Prince, is a scalawag of the first order, and Sealand has always reflected his charismatic scheming. He seized it by force in 1967, then defended it with molotov cocktails against competing pirate broadcasters. He’s held on to his de facto independence for decades thanks to a native genius for working the press. HavenCo’s founders were a bunch of libertarian computer geeks, but in their love of liberty, fondness for firepower, and prowess at publicity, they were very much kindred spirits. As Bates put it when talking to a reporter in 1978, “We may die rich, we may die poor. But we certainly shall not die of boredom.”

And no, this post is not an April Fool’s joke.

3.75 Million Lawbreaking Parents

The Department of Justice would like the authority to put millions of American parents in prison. Don’t believe me? Read on.

A House Judiciary Committee hearing today considered the federal computer crime statute, the Computer Fraud and Abuse Act, known to its friends as the CFAA. Among other things, the Act punishes anyone who “exceeds authorized access, and thereby obtains . . . information.” The penalty for a first-time offense is a fine and up to a year in prison.

This provision has been used to prosecute people whose only misuse of a computer was violating a website’s terms of service. Most famously, when Lori Drew helped her daughter create a fake MySpace profile under the name “Josh Evans” to flirt with and then disparage a 13-year-old neighbor, Megan Meier. After “Josh” told Megan, “Have a shitty rest of your life. The world would be a better place without you,” Megan killed herself. When Drew was prosecuted, it wasn’t for homicide, but for exceeding authorized access to MySpace’s servers. Drew herself deserves no sympathy, but the theory that her crime was complete when she created the fake profile would make a criminal out of anyone who fails to comply with every last term in the fine print in a website’s terms of service.

Orin Kerr, the leading academic authority on the CFAA, has pointed out the absurdity of this reading of the CFAA. At the hearing today, he explained that it would make him a criminal because he lives in Arlington, Virginia but lists “Washington, D.C.” on his Facebook profile. In his written testimony, he pointed to simple statutory fixes that would draw a more sensible line between routine computer use and real computer crime.

But Richard Downing, the Deputy Chief of the the Computer Crimes and Intellectual Property Section of the Department of Justice, was having none of it. In his testimony, he explained:

We believe that Congress intended to criminalize such conduct, and we believe that deterring it continues to be important. Because of this, we are highly concerned about the effects of restricting the definition of “exceeds authorized access” in the CFAA to disallow prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider.

Here’s an example of the severe criminal computer misuse that Downing would like the CFAA to prohibit: parents helping their children get on Facebook. Not just getting on Facebook with fake profiles to harass classmates, like in Drew. No, getting on Facebook at all.

Facebook doesn’t let users sign up unless they’re 13 or older. Facebook does this in order to comply with a 1998 law, the federal Children’s Online Privacy Protection Act. It puts stringent limits on the personal information websites can collect from children under 13. Some websites comply by going through the hard work of getting and verifying parental consent. But many others, including Facebook, comply by prohibiting children under 13 from using their site at all.

The prohibition is honored mainly in the breach. According to Consumer Reports, 7.5 million children under 13 use Facebook. One academic study found that 46% of 12-year-olds used Facebook, and other research is consistent with these findings. Pre-teens are on Facebook, notwithstanding its policies.

A recent paper by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey examined the motivations of parents whose underage children were on Facebook. Some misunderstood the minimum age, or thought it was only a recommendation, but a substantial fraction understood that it was a genuine requirement. Over three quarters of the parents they surveyed agreed there were circumstances under which they’d let their child violate a site’s age restrictions, particularly for school-related reasons or to communicate with family members. And of the half of the parents in the survey (roughly 50%) with children who had Facebook accounts, over half had helped create the account.

Facebook’s terms of service leave no room for doubt:

4. … Here are some commitments you make to us relating to registering and maintaining the security of your account: …

1. You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

5. You will not use Facebook if you are under 13.

Parents who create accounts for their children violate section 4.1 by “creat[ing] an account for anyone other than yourself.” On the Department of Justice’s theory of “exceeds authorized access,” that means the parents have directly violated the CFAA. But even parents who merely help their underage children create accounts (for example by explaining how to enter a false birthdate) are in trouble. Their children “exceed[] authorized access” by violating section 4.5. That makes the parents guilty of aiding and abetting a violation of the CFAA. The punishment is the same.

boyd and her coauthors focus mainly on the failure of COPPA’s regulatory strategy, and on the moral lesson parents teach their children when they show that lying online is acceptable. But there is another, even more frightening point implied by their findings. A mother in Ohio who helps her son sign up for Facebook to keep in touch with his cousin in Arizona is exposing herself to criminal liability, if the CFAA means what the Department of Justice claims it does. Worse still, the Department of Justice wants it to make a criminal of the mother.

This ought to be a scandal. A high official in the Department of Justice is endorsing a law that could be used to put millions of parents in prison. Do something to tick off a federal prosecutor and even if you’ve otherwise lived a blameless life, they can lock you up for helping your kid use Facebook. While the Department has started to walk back from this extreme position, its mushy-mouthed disavowals would be a lot more persuasive if it hadn’t already brought a prosecution based on just such a theory. This one should be easy. Prosecutors don’t need this kind of abusive power over parents, and they should say, openly and clearly, that they don’t have it.