Presentation on theme: "Jurisdictional Arbitrage for Risk Management Ryan Lackey HavenCo, Ltd. RSA Conference 2002 San Jose."— Presentation transcript:
Introduction
- Uncertainty is risk
- Risk is cost
- Overall costs should be minimized
- Politics and legislation are constantly evolving, in a feedback loop with public opinion, and are thus highly uncertain
- It is hard to completely eliminate exposure to political and legislative risk, but it can be managed
History
- Examples from jurisdiction-sensitive non-hosting activities might be informative
- Examples from the early adopters of jurisdiction-sensitive hosting can be generally applicable, even if they are unique business environments
General Hosting Background
- Hosting in-house vs. colocation
- Primary factors: bandwidth, computation (either shared or rent space and hardware), support
- Big market – by definition, anything available on the Internet is hosted somewhere, even if without conscious thought
- Various concerns: convenience, maintenance, upfront and continuing cost…legal issues and security are often low
Introduction: What Characterizes Controversial Data?
- Potentially unpopular: with governments, corporations, or influential groups
- Often on legally uncertain ground; new media applied to older laws
- Must have a critical mass of interest before people really bother; either really objectionable (kiddie porn) or really widely publicized (Napster)
Determining Jurisdiction
- Relatively complex and not very well tested
- “Substantial nexus” rule, tax was an early way
- Highly general; if you have presence or customers in a jurisdiction, assets in that jurisdiction could be at risk
- Fundamentally any assets in a jurisdiction or a jurisdiction with treaties with that jurisdiction are at risk of legal action in that jurisdiction or its allies
Examples of Controversial Data
- Online gambling/gaming
- Pornography
- Email/subpoena
- Patent/IP issues
- Cryptography and security
- Privacy information
- Financial transactions
- Anything in a regulated industry
What is essential to hosting in general
- Reliability
- Costs (monthly and upfront)
- Network bandwidth availability
- Physical security
- Good quality support
Technical Taxonomy
- Static sites with low bandwidth requirements
- High-bandwidth media objects, static
- Interactive low bandwidth (transactional)
- Interactive high bandwidth (multimedia)
What kinds of hosting are possible?
- Onshore: Hosting in home jurisdiction, or a jurisdiction closely allied; most major nations are a unified regime
- Offshore: Hosting in specialized offshore jurisdictions
- Online: Using cryptography, replication, distribution, and other techniques to obfuscate where data is hosted, or make it technically infeasible to censor
Onshore
- Exemplified by traditional colocation and managed hosting – Exodus, rackspace.com, etc.
- Has high-quality technical infrastructure, support staff
- Low cost/high efficiency; very developed markets
- Very substantial regulatory overhead; existing regulations, and constantly-added new regulations (DMCA, CALEA, etc.)
Offshore
- Specialized providers which are based in smaller markets/jurisdictions, offering jurisdictional/regulatory advantages
- Examples: Offshore Information Services (AI), HavenCo (SX, etc.), and for some people, CA, US or NL carriers are “offshore” (pornography, cryptography mainly)
- Physical security and trust are important issues, as legal remedies are virtually nil
- Works best with actual support from local regulatory authorities; otherwise laws can be changed on a whim or election
- Often used in conjunction with offshore corporate structure, payment processing, etc.
Online
- “p2p” systems, like Mojo Nation, Gnutella, etc.
- Generally, only capable of static hosting; incapable of secure computation
- Highly unreliable in microstructure, but in the aggregate, theoretically highly robust; able to withstand damage without being destroyed
- In practice, most systems have some central avenues of attack, even if mostly distributed
Success Stories
- Onshore – most sites on the Internet
- Offshore – PublicData.ai, offshore gaming all over, payment systems with HavenCo
- Online – music trading
Horror Stories
- Onshore: PublicData got forced out of the US, Napster was effectively emasculated, casinos have been prosecuted
- Offshore: lots of casinos have had low security and reliability
- Online: software development debacles with no real user-useful applications
Jurisdiction Shopping
- Various companies shop for jurisdiction as just another checklist item – either specific regulatory compatibility, or favorable tax regime, or proximity to customers
- Popular jurisdictions change with time
Technical Concerns
- Network performance and reliability to these locations
- Geo-location based reverse DNS systems blocking access based on location
- Dropping of routing by international transit providers
- Trust with machines you never see, exposure to risk
Business/Legal Concerns
- Even if your server is offshore, if you’re onshore, you can face contempt, civil lawsuits, public scorn, etc.
- If you operate a subsidiary in a country, you may face pressure on global operations
A Possible Model
- “Digital offshore information trust”, where access is restricted so exceptional actions require confirmation by a trustee offshore (or online) who can verify lack of duress
- Most easily tested for email
- May validate the ASP model
Enhancements
- Separating business functions out into effectively independent agencies, operated in individually-suited jurisdictions, communicating via the Internet
- Replication/distribution across jurisdictions – although in most cases the “any” rule will apply rather than “all”
Open Questions
- Will onshore laws continue to get worse?
- How far can offshore hosting go without either getting shut down or causing onshore laws to change?
- Will online systems get better? Can they do secure transactions and add payment?
Summary
- The next 5-10 years will be very interesting
- A few major cases will definitely be able to change the course of history; important to choose the right battles