Mapping power and jurisdiction on the internet through the lens of government-led surveillance

Facing the fragmentation of digital space in the aftermath of the Snowden revelations, this article considers regulatory models available to avoid the balkanisation of the internet. Considering government-led surveillance in particular, available strategies are investigated to create a trustworthy and universal digital space, based on human rights principles and values. After analysis and discussion of salient aspects of two relevant proposals, it is submitted that the lack of a common understanding of concepts makes global regulation unlikely. Nevertheless, a possible alternative to universal frameworks and national regulation might be the creation of ‘blocs of trust’, established through international conventions.


INTRODUCTION
On 6 June 2020, seven years passed since Edward Snowden commenced his revelations on governmental misuse of surveillance capabilities (Edgar, 2017, p. 75). The impact and meaning of his actions are still subject to vivid discussion. Snowden has recently refuelled this discourse with the publication of a memoir entitled Permanent Record (2019), but despite considerable echo in the press and civil society campaigns, not much seems to have changed (see e.g., Stoycheff et al., 2019, pp. 613-614). At first glance this is surprising since actors such as the United Nations and the Council of Europe have undertaken several efforts to support human rights, democracy and the rule of law in the digital age (De Hert & Papakonstantinou, 2018, pp. 526-527;Terwangne, 2014, pp. 118-119). Furthermore, the United Kingdom (UK) and South Africa admitted bulk surveillance in court (Privacy International, 2019). Observing more closely, however, Snowden's activities might unintentionally have catalysed a process which leads to more fragmentation of the digital space.
In a section entitled 'The dark side of hope' in his 2018 book on the culture of surveillance, David Lyon describes the ex-employee of a contractor of the United States National Security Agency (NSA) as a thoughtful technical expert, who believes in the potential for democratic and human development through the internet. In addition, Lyon points out that Snowden revealed some of the secret mechanisms contributing to creating a world in which the majority of humans remain poor and dependent. First and foremost, underlying Snowden's revelations is the fact that 'today's surveillance undoubtedly contributes to and facilitates this world' (Lyon, 2018, p. 143). From this perspective, it is not surprising that many societies and states choose to reduce exposure of 'their' data to a multilateral setting with complex and hard-to-control implications.
Rather, they shift the focus onto immediate political and economic interests. This is probably not the reaction that Snowden and his supporters might have hoped for, since it will most likely not result in more protection for human rights in the short term. However, it is the easiest answer to a myriad of complex questions.
The motives of states vary as they engage in this process of reassurance. Some focus on strengthening internal security and stability, which typically takes the form of creating legal frameworks with the objective to facilitate access to personal data for law enforcement agencies.
Concrete examples are the e-evidence package of the European Union (EU), or the United States' Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Whereas e-evidence tries to make investigations across EU member states easier by removing the requirement for review by local national authorities as 'middlemen' (Buono, 2019, pp. 307-312), the CLOUD Act enables the US administration to sign agreements with states like the UK and Australia to make crossborder data access quicker and easier (Galbraith, 2020, pp. 124-128). Both of these legal frameworks aim at circumventing the complex and time consuming mutual legal assistance procedures enshrined in traditional international mutual legal assistance treaties (MLATs) (see also Vazquez Maymir, 2020, this issue).
Other countries have started to focus increasingly on maintaining external security and national sovereignty. For example, the Russian Federation has enacted regulation to strengthen the autonomy of the Russian part of the internet (Sherwin, 2019), which follows an earlier law requiring that servers containing personal data of Russian citizens must be located on state territory (Anishchuk, 2014). If one reacts sceptically to this type of decisions, one should take into account that discussions on 'digital sovereignty' are not only taking place in seemingly 'inward looking' countries, but also seemingly in 'open-minded' ones such as Germany (Fox, 2018;Gräf et al., 2018). At the same time, the People's Republic of China seems not to distinguish between political and economic power, and pursues regulation that also limits the international exchange of economic data flows (Yang, 2019).
These observations create the impression that the interest in investing in further development of a multi-stakeholder mechanism for internet governance is limited. This mechanism gathers Mapping power and jurisdiction on the internet through the lens of government-led surveillance states/governments, the private sector, civil society, intergovernmental organisations, international private organisations, as well as the academic and technical communities to shape the global internet through interactive discourse (Hill, 2014, p. 29). Organisations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Governance Forum (IGF), or the International Telecommunication Union (ITU) take prominent roles in this process. They differ considerably when it comes to democratic anchorage, legitimacy, representation, as well as regulatory authority, which results in undeniable tension with institutions of traditional governance. While some national administrations fear loss of sovereignty, several groups of civil society feel under-or non-represented (Ewert et al., 2020).
Hence, the decentralised and universal nature of the internet, which are both paradigms that the multi-stakeholder mechanism traditionally supports (Hill, 2014, pp. 16-46), has become subject to scrutiny. Scholars such as O'Hara and Hall argue that there are already four internets: a heavily regulated European 'bourgeois' version that prides itself on its dedication to human rights and ethics; the US version with its strong focus on monetisation and economic activity; the authoritarian internet of China where social cohesion and surveillance mean the same thing; and the internet of misinformation and hacking associated with the Russian Federation, North Korea and other 'rogue states' (O'Hara & Hall, 2018).
If anything, this makes it clear that the nature of the internet is still developing. Since John Perry Barlow published the 'Declaration of the Independence of Cyberspace' (1996) the digital sphere has evolved considerably. The internet has become an important layer of social interaction which also means it has become more than a mere passage for data flows. While the idea to regulate it in a similar way to what Hugo Grotius suggested for the High Seas in 1608 seems appealing (Hildebrandt, 2013, p. 211) -particularly to those primarily concerned about the free passage of data packages -the technical infrastructure that constitutes the internet cannot be qualified as res nullius. In contrast to the High Seas, the internet does not lend itself neutrally to any kind of activity. In this context, Melvin Kranzberg's first law is not the only thing that comes to mind ('technology is neither good nor bad; nor is it neutral' (Kranzberg, 1995, p. 5)). As inhabitants of industrialised and more developed countries face the looming threat of being replaced by 'superintelligent' autonomous machines (West, 2018, pp. 19-41), the rushed and under-reflected adoption of 'digital identities' might further widen the inequality gap with less-developed areas of the world (Gstrein & Kochenov, 2020). Hence, as the rapid massadoption of information technology and autonomous systems continues, this urgent question emerges: is it possible to create a trustworthy and universal digital space, based on human rights principles and values, which might be able to prevent a dystopian future with limited opportunities for information exchange and undignified data-driven economies whose purpose is to fuel fantasies of political hegemony?
The objective of this article is to identify potentially useful regulatory strategies that at least mitigate or avoid (further) balkanisation/fragmentation of the digital space. This process of fragmentation has also been described as movement towards a 'splinternet'. Once it is completed, the remaining digital information networks will have turned away from the three central principles of openness in terms of universal cross-border data transfer, trust in terms of faith in other users, and decentralisation which supports resilience and freedom (Ananthaswamy, 2011, p. 42). The lens through which the regulatory strategies will be identified is government-led surveillance as defined in the Methodology section. After analysis of two proposals for the regulation of government-led surveillance from a universal perspective, available strategies to manage power and jurisdiction on the internet will be discussed. At the end of this exercise it will be concluded whether regulatory frameworks that respect, protect and promote the internet as one global space are feasible under current circumstances.
Mapping power and jurisdiction on the internet through the lens of government-led surveillance

METHODOLOGY
Before starting to map out salient issues, a few brief remarks on the selection of proposals and the methodology of this submission are necessary. The topic of surveillance is immensely complex with much historic context to consider (Galič et al., 2017). Additionally, surveillance as a phenomenon is not only purely government-driven. Much has been written about the profiling of individuals for commercial gain, the impact of 'surveillance capitalism' (Zuboff, 2019) on individual and collective autonomy, and how new technologies such as artificial intelligence influence democracy and the formation of the public (Nemitz, 2018). Other scholars propose the consideration of surveillance 'as cultural imaginaries and practices' which makes surveillance a subject of everyday life (Lyon, 2018, p. 127).
While these are valid approaches, this submission will predominantly leave out major corporate and non-government related aspects. For this piece the term 'surveillance' is defined as 'any monitoring or observing of persons, listening to their conversations or other activities, or any other collection of data referring to persons regardless whether this is content data or metadata'; furthermore, government-led is to be interpreted as 'surveillance [that] is carried out by a state, or on its behalf, or at its order' (Cannataci, 2018a, p. 9). These definitions emphasise the relationship between the citizen/resident and the state, which is typical for international human rights law. Furthermore, this concentration makes the topic more manageable in volume, and allows distilling the essence of available regulatory strategies. However, this does not suggest that regulation is all that is required to create a trustworthy and universal digital space.

GENERAL NATURE OF THE PROPOSALS
Both proposals are based on the premise that the internet is an independent and universal/global space which should be accessible and open to all individuals on the planet regardless of where they come from. By emphasising this enabling and empowering dimension from an individual perspective, the proposals call on states to overhaul the international legal framework in order to address government-led surveillance in more detail and more effectively (Cannataci, 2018b, p. 22;Smith, 2017). Smith starts with the observation that cyber-attacks, cyber-espionage and cyber-warfare have become widespread and dangerous (see also Thumfart, 2020). Since many of these are directly or indirectly led by state powers that carry out Mapping power and jurisdiction on the internet through the lens of government-led surveillance surveillance, he proposes to address this new reality with the development of a DGC to protect private citizens and entities, or in other words 'non-combatants' (Smith, 2017). His proposal relates to the Fourth Geneva Convention for the protection of civilians in warfare from 1949 (Mansell & Openshaw, 2010, p. 23). Since the appropriateness, effectiveness, and timeliness of the Geneva Conventions of 1949 is being questioned due to the emergence of asymmetric warfare and international terrorism in today's conflict scenarios (Gordon 2010, pp. 95-96;Ratner, 2008), it might be surprising to see such a concrete demand spearheaded by one of the presidents of one of the most influential technology corporations. Smith (2017) suggests enshrining six principles in a novel instrument of public international law: (1) No targeting of tech companies, private sector or critical infrastructure; (2) Assist private sector efforts to detect, contain, respond to, and recover from events; (3) Report vulnerabilities to vendors rather than to stockpile, sell or exploit them; (4) Exercise restraint in developing cyber weapons and ensure that they only allow for limited and precise use; Additionally, they should be nonreusable; (5) Commit to non-proliferation activities relating to cyberweapons; and (6) Limit offensive operation to avoid a mass event. In terms of impact, the DGC has not gained traction within the community of states at the time of writing. However, it was followed up with the signing of a 'Cybersecurity Tech Accord' by 34 technology and security companies in 2018 (Smith, 2018).
The principles of the DGC have to be evaluated critically, keeping in mind that Smith is associated with a corporation that has strong relationships with some of the most powerful states. On the one hand, this scepticism vis-à-vis Smith's intention was recently supported with the award of a US$ 10 billion contract by the United States Pentagon which allows Microsoft to provide an advanced cloud infrastructure for the United States Army that might also be used for surveillance (Conger et al., 2019). On the other hand, when focusing on the substance of his proposal one can also discover aspects that support openness, trust and decentralisation of the internet by making the internet less dependent on traditional governance mechanisms and institutions. Hence, the DGC is potentially able to support the creation of a digital space which is universal and safe(r) for its users. For example, the United States NSA recently shared the discovery of a major security vulnerability in Windows systems that could have facilitated large scale surveillance if kept secret (Newman, 2020). In this sense the agency delivered on the demands enshrined in principles two and three of the DGC. Furthermore, it seems fair to assume that corporations focus predominantly on the relationship with their users/clients who do not only consist of governments. Their business opportunities increase with the ability to act in stable and universal legal frameworks across the globe, independent from territorial restraints. This also means there is an interest in having checks and balances that control public institutions as they carry out surveillance, since the independence of the private sector is strengthened. This also means that aspects like citizenship or residency do not matter as much for corporations as they do for states, and in traditional human rights/civil liberties law when it comes to applicability and enforcement (Nowak, 2018, pp. 273-275).
Smith's proposal is based on a perspective where technology corporations are independent and neutral actors which promote the internet as a universally accessible layer of societal interaction. Whether this is a sincere, desirable or achievable objective can remain for speculation. Regardless, the DGC as a blueprint for a regulatory instrument in itself is a worthy object of study for the purposes of this article. While Smith and Microsoft's intentions might be more or less motivated by economic short-term gains in their day-to-day business, the DGC can be scrutinised as a self-standing set of principles that has its own strengths and weaknesses, which will be outlined below.
Although the DGC and the LI have the common goal of catalysing the evolution of international public law to achieve regulation of government-led surveillance, the process in which the LI emerged differs significantly. In its essence it is a co-production of an EU funded research project (MAPPING i.e. Managing Alternatives for Privacy, Property and Internet Governance) and the initiative of the inaugural UN Special Rapporteur on the Right to Privacy Joseph A. Cannataci (2018a, p. 3). The text itself, which is a sort-of blueprint for an international agreement between states, is based on earlier surveillance-related research carried out in other EU funded projects. Those insights were combined in a first draft with international and Although international human rights law standards of the UN such as Article 12 of the Universal Declaration of Human Rights or Article 17 of the ICCPR underpin the provisions of the LI as well, one might criticise this heavy influence of European standards, regulation, and jurisprudence on a proposal that was developed to potentially become the basis for a global regulatory framework. Nevertheless, the initial idea for this project was to start with a relatively concrete and substantive text that would allow the mapping of salient issues in this area, as well as creating the ability for concrete discussions about them. Furthermore, international comparative research on the development of data protection and privacy law shows that European standards have heavily influenced regulation in those 142 states which did have specific privacy-related regulation at the end of 2019, the majority of which are located outside the EU, the territories of Council of Europe member states, and the United States. Additionally, the relevance of European activity is underlined by the fact that the number of specific laws across the world has risen significantly following the attention that the GDPR and Convention 108+ have received (Greenleaf & Cottier, 2020, pp. 24-26).
The final published version of the LI consists of 18 articles accompanied by explanatory remarks ('memorandum'). Before the LI was presented to the Human Rights Council in March 2018 it went through a process of thirteen substantive iterations which were based on feedback received in ten meetings carried out in different locations in Europe and the United States from April 2016 to February 2018, as well as written submissions and verbal feedback (Cannataci, 2018a, pp. 1, 38). This feedback was sourced from a multi-stakeholder community consisting of corporations, members of the law enforcement and intelligence community, members of civil society organisations, academics and other experts on the topic of government-led surveillance (Cannataci, 2018a, p. 2).

SALIENT ISSUES
Due to the limited amount of space in this article it is not possible to discuss the proposals in their entire breadth and depth. Furthermore, rather than considering them as detailed and sufficient solutions for the complex issue, it might be more appropriate to use them as indicators (or 'maps') which together might be capable of highlighting why it is so difficult to regulate Mapping power and jurisdiction on the internet through the lens of government-led surveillance government-led surveillance. The proposals are probably best understood as attempts to reveal the substantive issues which should be resolved in order to establish the basis for progress.
Although some may claim that it is unlikely that global consensus on these matters is achieved at all given the relevance of cultural differences across and within regions (Vecellio & Segate, 2019, pp. 83-88), it is precisely this audacious aspiration of becoming the basis for a discussion on detailed universal standards which bears the potential to highlight links, gaps and frictions.

WHAT IS (MASS-)SURVEILLANCE?
Probably the most discussed issue in the aftermath of the Snowden revelations is what government-led (mass-)surveillance is, could be, and should be (Buono & Taylor, 2017). The use of 'Big Data' to support national security, law enforcement and the public order requires adjusted and new safeguards to protect individuals and their rights (Broeders et al., 2017, pp. 311-321). The DGC principles do not explicitly provide a conceptual definition of masssurveillance. Reading principles one, three, four, five and six together and attempting to combine their content in one statement, surveillance seems to be based on the use of cyberweapons which exploit security vulnerabilities. Furthermore, cyberweapons should not be used to target the private sector, and their use results potentially in mass events.
Article 2 paragraph 1 of the LI defines surveillance as 'any monitoring or observing of persons, listening to their conversations or other activities, or any other collection of data referring to persons regardless whether this is content data or metadata.' It goes on to add that 'surveillance is carried out by a state, or on its behalf, or at its order' (Cannataci, 2018a, p. 9). To understand this broad definition better it should be added that the LI uses a distinction between 'surveillance data' and 'non-surveillance data' which stems from the understanding that data is produced either by systems that are predominantly operated to carry out surveillance, or systems which have another primary purpose. The obligations stemming from the use of these different kinds of data differ in the LI, and it remains open whether it is always possible to make such a categorical distinction in practice. There might be cases in which repurposing historical surveillance data or reinterpretation/-combination of openly available data with confidential data are not covered by the provisions of the LI. Potentially, it is too strongly focused on the generation and initial processing of data, therefore underestimating the amount of usable information already available. In this regard, it might also be interesting to consider how the trend towards open source intelligence (OSINT) impacts the work of states when carrying out surveillance (Hassan & Hijazi 2018, pp. 341-345).
Article 3 paragraph 6 exempts the surveillance of military personnel from the scope of the LI.
Hence, this is the only area in which the LI does not mandate that states create a dedicated law for the authorisation of surveillance which also comes with the obligation to install corresponding oversight institutions, safeguards, and remedies (Cannataci, 2018a, pp. 9, 11). An important consequence of this exemption is that all other surveillance activities -those carried out within a state through law enforcement agencies, those carried out externally through security and intelligence services, as well as those carried out through (private) mandated entities working in both domains -are subject to the same principles and rules according to the

LI.
This very broad definition of surveillance covers many activities, which makes a clear distinction between 'targeted' and 'mass'/'bulk' surveillance potentially less relevant. Indeed, it might be more useful to focus the discussion on the concept of surveillance as such, since the emphasis of 'bulk' or 'mass' capabilities often seems to add little in substance. Ultimately, such narrowing of the focus could transform the public dialogue into a mock debate that is predominantly held to Mapping power and jurisdiction on the internet through the lens of government-led surveillance capture attention. Especially when considering the rich case law encapsulated in the ECtHR's factsheet on 'mass surveillance' (2019), it needs instead to be decided on a case-by-case basis whether any kind of surveillance is legitimate (i.e. proportionate and necessary). The relevant substantive criteria to decide whether 'bulk surveillance' measures are compliant with human rights law also need to be as strict and coherent as for targeted surveillance measures.

SUBSTANTIVE SCOPE
While it has already been established that both proposals transcend territorial borders -which might support making progress on otherwise very complex problems relating to data localisation and differing regulatory requirements due to incompatible standards and fragmentation as highlighted in particular through the CJEU Schrems case (Kuner, 2017, pp. 917-918) -this feature in turn results in the requirement to define the substantive scope of the instruments more granularly. Since the kind of actions they target is less clear, it is more important to define them in principle. Smith's DGC attempts to resolve this issue by embedding the proposal in a description or narrative of a constantly ongoing hostile conflict in the digital domain, which results in a predominantly negative and almost implicit definition of the substantive scope. This comes with the consequence that one has to share the underlying assumptions and worldview of Smith before being able to substantively engage with the content.
If one were to define the substantive scope positively however, there are at least two perspectives which need to be taken into account: the individual/user perspective, and the perspective of the collective/regulatory institutions. When it comes to the user, French sociologist Frédéric Martel (2014, Épilogue) has made the valid argument that even in times of globalisation, users with different cultural backgrounds will continue to use the internet differently, depending on factors such as shared language, shared script, cultural perception, personal interest, etc. From the outset, this has nothing to do with interconnected infrastructure or technological features. Rather, it is the digital expression of Ludwig Wittgenstein's famous quote: 'The limits of my language mean the limits of my world ' (1974, p. 68). In other words, one can complain about the fact that the government of the People's Republic of China puts technical restrictions in place which make it very difficult for its citizens and residents to access censored content from abroad. However, if one were to do so one also has to be consistent to only complain on behalf of those who are able to read the Latin alphabet and have a sufficient command of English, for example. It is very difficult to establish who truly feels limited in one's personal development (Wang & Mark, 2015, pp. 19-20). Certainly, limiting technical capabilities and putting policies in place that aim at restricting the interests of those who crave for accessing censored content will hamper the existence of a truly universal and global internet. Yet it remains uncertain how many users are genuinely interested in using such a network, at least for a significant amount of time, or when it seems reasonable to expect so.
Turning to the institutional/regulatory perspective the issue does not get much easier. As technology is constantly evolving, it makes a difference if the substantive scope is defined as either the 'internet' or the 'digital domain', which might for example also include digital information that is not being transferred through use of internet protocol addresses. One could think of the transfer of digital data using technologies such as Bluetooth, or Near-field Communication (NFC). In Article 1 sentence 1, the LI relates to 'surveillance through digital technology' (Cannataci, 2018a, p. 7) which means it adopts a relatively broad scope. This wording is the result of an attempt to align the substantive scope with the mandate of the SRP that is tied to the UN's work on human rights in the digital age (Cannataci, 2018a, p. 8). Still, one has to question if this substantive scope is precise enough for an instrument that attempts to be of global relevance and have a cross-cultural dimension. Another practical issue that might be Mapping power and jurisdiction on the internet through the lens of government-led surveillance interesting to consider in the context of government-led surveillance is the question of what should happen if 'traditional surveillance' using non-digital means is combined with digital surveillance during a surveillance operation. In such situations it might even be relevant to have universal standards for both the digital and non-digital domains.

NECESSARY AND PROPORTIONATE
Even strong proponents of individual autonomy, privacy and data protection will agree that some form of government-led surveillance is necessary under limited circumstances, which typically include 'the prevention, investigation, detection or prosecution of crime […] increasing public safety or protecting state security' as stated in Article 3 paragraph 3 LI (Cannataci, 2018a, p. 11). It is worthwhile comparing this provision with Article 8 paragraph 2 ECHR where it is stated that the right to respect for private and family life may be limited if it '[…] is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others' (emphasis added). Hence, the LI contains fewer objectives that legitimise surveillance, and notably does not include the economic well-being of the state. In the LI's memorandum this is explained by stating that governments may legislate to punish corresponding criminal offences with an impact on economic well-being if such crimes are serious enough (Cannataci, 2018a, p. 14).
While this discussion on the legitimate objectives making surveillance necessary is interesting, more public attention was dedicated to the proportionality of surveillance measures in the aftermath of Edward Snowden's revelations. As one of the leading US civil society organisations the Electronic Frontier Foundation has developed 13 principles aimed at ensuring proportionality. These include judicial authority, due process, user notification, transparency, oversight, and others (Electronic Frontier Foundation, 2015). While the formulation of such general principles seems helpful, this might be one area where a much more granular understanding of the terms is needed. Although proportionality is a concept that is used often in international public law, there seems to be very little shared understanding of what it means objectively (Newton and May, 2014, pp. 28-32). The LI makes an attempt in this direction by proposing a three-step test in the preamble in paragraph 5 (general usefulness of the measure for the purpose; least invasive measure available used; proportionality stricto sensu, or considering what needs to be sacrificed/affected if feasible and least invasive measure is applied (Cannataci, 2018a, p. 3)).
In contrast, the proposal for a DGC only seems to touch upon this issue by requiring the targeted use of cyberweapons as well as restraint in their development (Smith, 2017). Remaining neutral on which kind of test is 'the right one' to resolve this issue, these considerations highlight that it is paramount to explore what the terms necessary and proportionate objectively/universally mean if any kind of international regulatory framework for this area should be developed. If it is impossible to reach such a detailed understanding through the establishment of clear definitions and detailed procedures, at least an institution needs to be appointed which has the authority to decide this on a case by case basis.

TRANSBORDER ACCESS TO PERSONAL DATA
Since both instruments have a universal scope it is particularly interesting to see how they address the question of transborder access to data. This issue was recently highlighted through the Microsoft Ireland case which developed after the United States government attempted to access data stored on a server located in Ireland, bypassing the use of lengthy traditional mutual legal assistance arrangements. Hence, Smith's corporation was at the centre of the issue, Mapping power and jurisdiction on the internet through the lens of government-led surveillance although a similar case was also pending against Google at the time (Currie, 2017). Before the US Supreme Court decided the case, the situation was resolved by the US legislator with the introduction of the CLOUD Act (Daskal, 2018). Smith proposes in the DGC that technology companies remain neutral in this regard, solely focusing on the relationship with their users (Smith, 2017). Whether Microsoft and other technology corporations truly lived up to this principle during discussion of the CLOUD Act is very questionable however, since Microsoft, Google and others supported the legislation when it was discussed in the United States Congress (Brody, 2018). Furthermore, the DGC does not explicitly address the issue of cross-border access. Hence, the pledge for neutrality remains abstract and weak. In the end, the DGC is set in a landscape where government activities are omnipresent in the digital domain, and high information security standards would allow individuals to enjoy more privacy, regardless of where their data is physically located in the world.
The LI has a whole provision relating to this issue in Article 16. It is envisioned that its signatories would set up a new international institution consisting of experts from all participating states which would also monitor the implementation of the LI more generally.
These experts would have the capacity to respond to cross-border demands in a swift manner and in procedures where the individuals affected would be represented by a 'Human Rights Defender' (Cannataci, 2018, pp. 32-35). While the establishment of this institution is compelling due to its completeness and potential to deliver a valid multilateral solution for the cross-border access problem, it remains highly doubtful whether states would be willing to transfer that much sovereign power to an international body whose actions would have significant implications for the success of criminal investigations, and potentially intelligence service activities. As the discussion within the EU about the e-evidence package shows, even in a structured regional cooperation bloc the establishment of such a central authority is not envisaged, and many gaps and issues remain to be resolved (Biasotti et al., 2018, pp. 375-420).

STRATEGIES FOR REGULATION
While the presented proposals are commendable in that they aim at supporting the ideal of the internet as a universal space dedicated to personal autonomy and individual development, the previous section makes clear that this requires much more detailed substantive understanding of key terms and concepts among the international community. While the LI is certainly more comprehensive and detailed than the DGC, it struggles to set a clear substantive scope, define the subject matter, and deliver solutions on the understanding of terms such as 'necessary and proportionate'. Key topics such as transborder access to personal data are addressed, but the whole document can only claim to be a modest step towards (more) international consensus.
Hence, before universal regulation through institutions like the UN seems realistic, more Mapping power and jurisdiction on the internet through the lens of government-led surveillance coalition led by western countries, mainly due to concerns that repressive regimes might gain too much control over the internet (Glen, 2014, pp. 643-652). Finally, there might also be valid factual reasons to have different standards and concepts as Martel's research highlights, with its focus on the user perspective (2014, Épilogue). Maybe the idea of a borderless internet-driven world was, and remains, an illusion, as Goldsmith and Wu (2006) already proposed more than 15 years ago, emphasising the role of governments and the many layers that enable the existence of the digital space.
Nevertheless, assuming for a moment that there could be more substantive consensus, the crucial question of effective enforcement also remains largely unanswered in the proposals. The DGC does not address this aspect in detail and mostly calls for states to refrain from certain actions, while the LI develops in Article 16 a perspective on oversight of its provisions through the establishment of a powerful international body operating in a centralised manner. How delicate such an attempt of attribution and redistribution of sovereign power can become can be studied by following the ongoing discussion on the 'rule of law' in the EU (Weiler, 2016, pp. 313-326). Furthermore, the German civil society organisation Stiftung Neue Verantwortung has recently presented recommendations to improve intelligence oversight (Vieth & Wetzling, 2019), which is another important element to guarantee individuals' rights and freedoms of individuals.
Hence, it seems that at the time of writing universal regulation of government-led surveillance is predominantly an academic (idealistic?; utopian?) endeavour. It is worthwhile to map the current landscape to potentially pave the way for progress, but due to the complexity of the issue it is unrealistic as a practical solution. States and regional political actors instead seem to prefer to use traditional assets and strategies to shape the internet and claim jurisdiction and power.
Furthermore, restrictions about the use of the Android operating system for companies like Huawei (Afhüppe & Scheuer, 2019), or the struggle to establish trust in the deployment of 5G mobile networks suggest that this is not about to change in the near future (Matsumoto, 2019; see also Cartwright, 2020).
What other alternatives are there, leaving aside the re-territorialisation of the internet which threatens to fragment it? Is it possible to regulate topics such as government-led surveillance with strategies not using extraterritorial effect, or the reinforcement of physical borders? Such a third-way between universal frameworks and national regulation might be the establishment of 'blocs of trust'. One international agreement employing this strategy is Convention 108+ of the Council of Europe, another one the Budapest Convention on Cybercrime. These international treaties allow for a traditional harmonisation of national laws, while being open to non-member states of the Council by either acceding to them or implementing their principles in national regulation autonomously (Ukrow, 2018;Polakiewicz, 2019). Additionally, their provisions entail many useful and detailed principles, but are drafted in a way that avoids too much regulatory detail, respecting the sovereignty of states.
It is unclear how successful this strategy can be. Therefore, it will be particularly interesting to observe the push to establish Convention 108+ as a new global regulatory baseline for data protection, which is less demanding and detailed than the EU General Data Protection Regulation, but more concrete than the abstract provision on privacy in Article 17 of the ICCPR at the UN level. Maybe the areas of data protection and privacy can become pioneers in this regard, which could potentially inspire the regulation of surveillance as well. However, initial research on the requirements to adapt or (re-)model data protection laws finds that it will be difficult enough for Latin American and African countries to join the 47 member states of the Mapping power and jurisdiction on the internet through the lens of government-led surveillance Council of Europe by signing up to Convention 108+. For Asian countries it will be even more difficult. South Korea and Thailand seem to have legal frameworks which are already mostly in line with the treaty (Greenleaf, 2020). However, this is only an analysis of requirements in terms of legal provisions, leaving aside the procedures and dynamics of political negotiation processes, as well as the question why and how countries should develop the political will to accede.

CONCLUSION
Developing blueprints for international instruments that might ultimately help to create a more harmonious and detailed framework for the regulation of surveillance on and through the internet is a commendable effort. However, in the absence of political will to develop overarching multilateral proposals on the matter, other strategies for regulation are needed.
Hence, it seems that the only available alternative to such an unlikely, truly universal international framework is the development of regional frameworks which are open to third states for adoption through accession and ratification, or through modelling national laws after such agreements. The Council of Europe has been successful in developing such texts in the past (Gstrein, 2019, p. 89-90), but also has recently struggled to provide a productive forum for political exchange itself (Rankin, 2019). Certainly, this approach also comes with the danger that instead of falling back to the national level, the internet might become separated on a regional level. Still, if none of the multilateral options gain considerable influence and develop further, the only possible outcome is fragmentation of the digital space, which would also result in the reversal of many achievements made in recent times.

ACKNOWLEDGEMENT
The author thanks Taís F. Blauth for reviewing the manuscript.