AG Holder Calls for Rule of Law in Cyberspace

June 11, 2011 | By William C. Snyder

The US Department of Justice has released this text of a speech given by Attorney General Eric Holder at the Northwest Indiana Cyber Security Summit in Hammond, Indiana on Thursday, June 9, 2011.

The speech reviews the immediacy of problems in cyberspace and various Department of Justice initiatives – all good work, in my personal view. (Full disclosure: I was a long-time DOJ employee.) AG Holder also emphasized the need for international cooperation and the Obama Administration’s “new International Strategy on Cyberspace.”  Included in the speech is this paragraph:

Today’s summit sends a resounding signal that – together – we can, and will continue to, fight back. And it proves our unwavering commitment to preventing terrorists and other criminals from exploiting the Internet for planning, financing, or executing attacks; to engaging with an expanded network of partners across government and the private sector; and to strengthening our efforts to establish the rule of law in cyberspace. (emphasis added)

The speech contains no other mention of the rule of law.

The Attorney General has side-swiped an enormously important and difficult issue: the rule ofwhose law in cyberspace?  The network of networks that comprises the Internet surely is not immune from national borders and legal jurisdictions. (See, GoldsmithWho Controls the Internet? ) Yet, the Internet is surely international.  Is the United States to make the law that rules the Internet?  On what authority?  Should all countries with interests in cyberspace impose their commercial, property, and criminal laws on any actor in cyberspace of whose body or assets that can physically obtain jurisdiction? Should the United Nations – hardly a democratic institution – make the laws that rule cyberspace?  If international in effect, shouldn’t the laws be made internationally?  How – by international consensus?  What is the International consensus defining, much less proscribing, “terrorism” in any domain, much less cyber?  Even aside from the problem of “one person’s terrorist is another person’s freedom fighter,” close allies often do not agree on the definitions for criminalizing terrorist activity on the Internet.  For example, members of the European Union routinely attempt to stop websites from posting content whose dissemination is protected by the First Amendment to the Constitution of the United States.

There is very little agreement on a definition of “rule of law.”  Indeed, some argue that the phrase is so overused that it is meaningless.  Assuming that the rule of law is a necessary antecedent of democracy that all U.S. officials such as the Attorney General justifiably support, its definitions tend to be either ends-based or institutional and to include some variation of the following elements:

  • supremacy of the law over government and arbitrary power;
  • equality before the law;
  • known, public, and certain law;
  • predictable and efficient law enforcement;
  • guarantee of certain basic rights;
  • legitimate and uniform procedure for making law.

What law is supreme over all of the governments and actors in cyberspace?  Or is it just sufficient that all are subject to some law?

Given the difficulties of attributing acts in cyberspace to particular human actors, how can the law be enforced – and enforced equally – in cyberspace?

If the United States claims criminal jurisdiction over any “computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States,” (18 U.S.C. 1030) how can it make U.S. law known to all actors in cyberspace?

If each country can enforce its laws in cyberspace, how can enforcement be sufficiently predictable for individuals to conform their behavior or for corporations to plan and organize economic activity?

What are those basic rights?  Equal access for all?  Freedom of speech, even for Nazis and Jihadists?

Again, what is the procedure for making the law that governs cyberspace, and who or what has legitimate authority to do so?

Has the Attorney General and the Department of Justice thought about and planned for these elements of the rule of law before calling for “establish[ing] the rule of law in cyberspace?”  If not, how do they defend against a cynic’s claim that such a call is just self-serving effort by a bureaucracy to extend the territory, reach, and power of that bureaucracy?

Whose law will control cyberspace?  The time to address this question is now.