In the physical realm, the concept of a citizen is backed by a human being who lives in, contributes to, and is governed by their nation. The traditional model of the internet matches up well with this model as distinct users can store their information on machines which they own or rent. In the cloud, on the other hand, a user is represented by nothing more than a bucket of data with a unique identifier labeling it. As Paul Jaeger points out in his report “Where is the Cloud?”, the “centralization of information and computing resources in data centers [raises] the specter of the potential for corporate or government control over information.” This means that all users of a particular service centralized under a cloud effectively hand their data over to the governance by that service. The cloud user can no longer claim ownership over their data, which creates a power dynamic that before could only be ascribed to governments and not corporations. Thus, users becomes subject to the actions of the corporations that store their data. Data can be elided, erased, sold, used for ad targeting, and more; the logic is that the servers belong to the company, not the user. Consequently, companies are given full reign over data held in their servers, provided they operate inside the law of their jurisdiction. But in a space that is structurally rhizomatic and multilateral like the internet, conventional jurisdictions are muddled.
It’s hard to talk about the breadth of international jurisdictions and how they pertain to the internet without starting with the United States. The US has established a very unique position for itself with regards to internet governance. Due in part to the stark contrast between American and European privacy laws, the US has managed to devise a set of practices that allow virtual free reign over the internet (and by extension cloud services). For example, the USA Patriot Act, passed in 2001, not only brings all data stored on US soil but all data stored by US-based companies under US jurisdiction, regardless of where in the world data servers are located. This law constitutes nothing short of cyber-imperialism. While US companies and citizens are already under US jurisdiction, the user base of cloud services like Facebook, Google, Twitter, Dropbox, Amazon, Apple, and Microsoft (all US-based) is international and not at all confined to US citizens. Another technique employed by the US government in order to extend its jurisdiction over the majority of the internet is the National Security Letter (NSL). NSLs, which are typically issued to Internet Service Providers (ISPs) or cloud providers, are issued directly by the FBI and demand specific information about a user. Troublingly, these letters contain built-in gag orders that automatically prevent the service provider from notifying the client of the investigation. Not surprisingly, the number of NSLs issued after the Patriot Act passed experienced a staggering jump; while only 8,500 were issued in 2000, that number rose to 39,346 in 2003 (source). As a result of these techniques, in conjunction with the fact that personal data storage is now being handled primarily by cloud providers, the legal constraints on US surveillance are conveniently and severely relaxed.
The same goes for evidence-gathering in the law enforcement realm; In addition to The Patriot Act and National Security Letters, grand juries can subpoena a cloud provider to release information on an individual with less than probable cause. Subpoenas were originally intended to be issued to third parties who might be in possession of a document needed for investigative purposes. Previously, the power of a subpoena was naturally constrained because third parties were stakeholders in the information and the investigator had to know where to look. Now, the use of the cloud provider as a third party points to the outdatedness of the policies governing the use of the subpoena. In the cloud, everything is saved, sorted, archived, and kept in a central location. Investigators need not know where to look; they can take an educated guess. Nevertheless, the rise of the cloud in conjunction with artful interpretations of US legislation has resulted in a US super-jurisdiction over the majority of the internet.