In a heated panel discussion at the International Forum of Cybersecurity (IFC) in Lille, France, four varied panellists attempted to answer the question, "what is a national cyberspace?"
Cécile Doutriaux, a prominent lawyer on the subject of cyber security with legal firm Doutriaux-Vilar & Associates, argued that the legal definition of cyber territory is a severely questionable concept.
Here's what she had to say.
What are the problems with exercising a state's control over the Internet?
Inside a state's national territory, a state can exercise all its powers in a non-limited way. The layers of physical infrastructure in a state can be located in a specific jurisdiction, and even at the layer of software, we should be able to cover it in the nation's legal framework.
But in the realm of data, which can be copied and transferred across national boundaries with no effort, the question becomes much more difficult.
Is the cloud part of national territory?
Cyber infrastructure is in theory subject to the national territory where the infrastructure is based. In practice, it's much more difficult than that. Sometimes you have other vendors, or other conduits, and this creates a lot of problems. A lot of subcontracting happens, whereby data can pass many different national boundaries.
Since the Patriot Act brought in after the 9/11 attacks, many US intelligence agencies were given the capability to spy on data that passed through the national territory of a country without being legally subject to that nation. This allowed the American intelligence agencies to spy on people who are not their own citizens.
Could governments do anything to change this?
Many people put a lot of their data onto cloud computing servers, and they don't even know which servers. it's the same with the idea of private data being available online. The thing is that if you want to be visible on the Internet, you have to take the risk.
We have to protect European citizens against this loss of data. Nobody's sure whether that could be implemented or not, but organisations have to put infrastructure in place to protect corporate data before we can talk about personal data.