New Yale JREG Online Essay: No Country for Cybersecurity Arbitrage, by Eli Greenbaum
Anti-circumvention technologies were most probably not high on President Trump’s mind when he withdrew the United States as a signatory to the Trans-Pacific Partnership (TPP) last month. The TPP, as with a number of other multilateral and bilateral treaties to which the United States is a party, includes prohibitions on the circumvention of “effective technological protection measures” – in other words, prohibitions on breaking the electronic locks that protect much of our digital materials. These treaties include anti-circumvention bans based on the assumption that, without such international agreements, digital locks could easily be broken (or the tools to break them could easily be acquired) in foreign jurisdictions. In other words, such treaties preclude actors from engaging in international regulatory arbitrage – the exploitation of regulatory disparities across jurisdictions.
Some scholars and digital activists will not be particularly distressed at the loss of the TPP anti-circumvention prohibitions. Anti-circumvention provisions have been widely criticized as thwarting beneficial uses of digital materials that would otherwise be permitted under copyright law. For example, anti-circumvention bans have been denounced as impeding research into the vulnerabilities of technological protection measures – how can the strength of a lock be evaluated if it’s illegal to break it? Such criticism has resulted in permanent domestic statutory exceptions to anti-circumvention prohibitions for purposes of security research, recent regulatory exemptions for the conduct of good faith security research in consumer devices, and a fresh lawsuit from the Electronic Frontier Foundation challenging the constitutionality of these anti-circumvention restrictions.
My recent essay in the Yale Journal of Regulation Online employs the question of cybersecurity research to examine the assumption underlying the TPP and other international arrangements – that international harmonization of anti-circumvention regulations is necessary to prevent legal arbitrage across jurisdictions. The essay looks at the singular case of Israel, which, alone among the OECD nations, has staunchly refused to prohibit circumvention activities and devices. At the same time, Israel boasts a world-class cybersecurity industry and, as such, should be in an excellent position to arbitrage its unique legal regime to promote domestic security research. Even so, as I show, the mere existence of international legal differences does not necessarily mean that such differences can be easily exploited. Rather, opportunities to engage in international regulatory arbitrage must be analyzed with attention to the identity and structure of industry players.