December 7th, 2005 by Chandler Howell

Lest someone call me out in comments for not mentioning it, I should mention HavenCo out on the Republic of Sealand, too. He wanted to be the first extra-national-ish Data Vault like the protagonists of Neal Stephenson’s Cryptonomicon.

Simson Garfinkel wrote a long story about HavenCo in Wired back in 2000. It’s a fun and interesting read, a nostalgic romp through the days when bandwidth and crypto were all that were needed to transform the world.

This summer, with $1 million in seed money provided by a small core of Internet-fattened investors, Lackey and his colleagues are setting up Sealand as the world’s first truly offshore, almost-anything-goes electronic data haven - a place that occupies a tantalizing gray zone between what’s legal and what’s … possible. Especially if you exist, as the Sealanders plan to, outside the jurisdiction of the world’s nation-states. Simply put: Sealand won’t just be offshore. It will be off-government.

The startup is called, fittingly, HavenCo Ltd. Headquartered on a 6,000-square-foot, World War II-era antiaircraft deck that comprises the “land” of Sealand, the facility isn’t much to look at and probably never will be. It consists of a rusty steel deck sitting on two hollow, chubby concrete cylinders that rise 60 feet above the churn of the North Sea. Up top there’s a drab building and a jury-rigged helicopter landing pad.

Soon, Lackey believes, powerful upgrades will transform Sealand into something amazing. The huge support cylinders will contain millions of dollars’ worth of networking gear: computers, servers, transaction processors, data-storage devices - all cooled with banks of roaring air conditioners and powered by triple-redundant generators. HavenCo will provide its clients with nearly a gigabit per second of Internet bandwidth by year’s end, at prices far cheaper than those on the overregulated dry land of Europe - whose financial capitals sit a mere 20 milliseconds away from Sealand’s electronic nerve center. Three speedy connections to HavenCo affiliate hubs all over the planet - microwave, satellite, and underwater fiber-optic links - will ensure that the data never stops flowing.

Unless people can’t quit messing with the routers, that is. In 2003, however, Ryan Lackey, HavenCo’s CTO, resigned citing mismanagement and self-incurred network instability:

Lackey, who said HavenCo owes him $220,000 in cash and additional money in stock, said another problem was the Sealand family’s tinkering with the network connection, which caused extended outages and occasionally left it dependent solely on a slow satellite link.

“The key lesson on this is if you’re going to put a ‘co-lo’ facility somewhere, political and contract stability in that jurisdiction is very important,” Lackey said, referring to co-location setups, or virtual site-hosting facilities. “Customers want stability. They don’t want the network to be down for two months.” The 24-year-old Lackey spoke to an audience of about 600 at the DefCon hacker convention here.

Currently, HavenCo says they offer colocation for $1,500 per server per month and managed services for $3,000 per server per month. Compare that to approximately $100 per server per month for hosting somewhere in Dryland.

While this may close off the “Hosting Provider” branch of the attack tree, criminals, cops, secret agents, lawyers, or other nefarious types trying to seize your data still have the option of going after you (the data owner) directly.

The piece of this that has never made sense to me is that while your data might be secure against physical seizure, your person is still subject to the same physical and legal threats as it ever was. This means that the risk of being forced to disclose under duress has now been transferred from your hosting provider onto your person.

I’m not a lawyer, but from what I’ve observed over the years, if you think that you can now say, “Sorry, it’s not here,” in response to a search warrant or discovery request, then you’ll probably get to learn first-hand what terms like “Conspiracy,” “Contempt of Court” and “Summary Judgement” really mean. Hopefully it won’t go so far as Rendition, but depending on who’s asking, you never know.

I’m not sure that’s a Risk Management option I’d be comfortable with.

- Posted in Security and Risk Management, Risk Management
