How can the US seize a "Hong Kong site" like Megaupload?
The Megaupload takedown, and the arrest of its key employees, might seem to vindicate late 1990s worries about the Internet and jurisdiction. Does putting a site on the 'Net, though it might be hosted anywhere in the world, subject you simultaneously to the laws of every country on earth? Why would Megaupload, based in Hong Kong, be subject to US copyright laws and to the Digital Millenium Copyright Act?
"Because events on the Net occur everywhere but nowhere in particular," wrote law professors David Johnson and David Post in a 1996 Stanford Law Review article, "no physical jurisdiction has a more compelling claim than any other to subject these events exclusively to its laws." The flip side was that every jurisdiction might make a claim—after all, Internet publishing is "borderless," right?
But there were some principles useful for thinking through questions of jurisdiction. For instance: where did the actual harm occur? As law professor Jack Goldsmith countered in another well-known law review article from the time ("Against Cyberanarchy"), Internet issues aren't unique from traditional international harms. "Both involve people in real space in one territorial jurisdiction transacting with people in real space in another territorial jurisdiction in a way that sometimes causes real-world harms," he wrote. "In both contexts, the state in which the harms are suffered has a legitimate interest in regulating the activity that produces the harms."
Surely there must be limits, though. It would be absurd for some resident of Australia to build a perfectly legal site for other Australians but to be arrested and extradited to the US for violating US law. But it's not so absurd once a "nexus" has ben established between our mythical Australian and the US. Say the site advertises in the US, or accepts payments in US dollars, or splashes a big banner on its front page saying, "Welcome, Yanks!" All are evidence of a US "nexus" that goes beyond incidental and unintentional contact, and all might weigh against the Australian's plea that the US has no jurisdiction over his actions.
Which brings us to Megaupload. Several readers asked under what basis the site could be taken down and its employees hauled from New Zealand to a federal court in Virginia. The indictment provides answers. We'll let a judge rule on the merits, but it's worth understanding the government's position here, which is: Megaupload purposely did business in the US and with US residents, and it targeted its sites (in part) toward the US. You generally can't gain the benefits of doing business in a jurisdiction without complying with its laws, and being subject to its enforcement efforts (assuming that the jurisdiction can physically gets its hands on you).
The indictment makes these points repeatedly. Megaupload wasn't just some Hong Kong enterprise that "happened" to be used by US residents. The site had leased more than 1,000 servers in North America alone; 525 were at Carpathia Hosting and were located in Virginia. Between 2007 and 2010, Carpathia received $13 million from Megaupload. (Cogent Communications in the US supplied a few additional US servers and bandwidth.)
The money was mainly routed through US-based PayPal, which is how Megaupload collected subscriptions from users looking for premium accounts. This wasn't chump change; the government claims that the Megaupload PayPal account has "received in excess of $110,000,000 from subscribers and other persons associated with Mega Conspiracy."
Megaupload also made money through ads, using services like Google's AdSense (until 2007) and the AdBrite network. Both are based in the US. AdBrite alone paid at least $840,000 to Megaupload.
Payments were made to top uploaders, including those who lived in Virginia. The indictment describes one:
Starting as early as February 11, 2008, a member of the Mega Conspiracy made multiple transfers in and affecting interstate and foreign commerce through PayPal Inc. to ND, a resident of Falls Church, Virginia, which is in the Eastern District of Virginia, as part of the Mega Conspiracy's “Uploader Rewards” program. ND Received total payments from the Conspiracy of $900.
By sending the money to a US address, the indictment suggests that Megaupload had actual knowledge that it was doing business in the US and exposing itself to US jurisdiction. Megaupload also received money from US users through PayPal.
The indictment also alleges that members of the conspiracy themselves infringed copyright in the movies Thor and Bad Teacher by making them available on Carpathia servers in Virginia.
The government is following Goldsmith's principle: the harm of copyright infringement took place in Virginia, from servers in Virginia, and the company made and sent money to people in Virginia. Why should it not be subject to federal law in Virginia?
No doubt the jurisdiction question will be litigated by the Megaupload defendants and will get its day in court, but it's worth pointing out that this is not a case about some totally foreign company just minding its business in Hong Kong before being randomly swept up to answer to US law. Like it or loathe it, countries have been going after foreigners who violate local ordinances at least since the famous French case against Yahoo in 2000. And it's not going to change anytime soon.