Document Type


Publication Date



A company’s server is its castle, Richard Epstein once declared. Because of this, anyone sending an email to that server needs permission to enter. Within its own logic, this seems incontrovertible, but it depends on a few logical steps worth unpacking. It begins with the premise that a man’s home is his castle. (The masculine pronoun in the early formulation seems relevant.) Let us accept that premise for the purpose of argument. Combining this premise with the investiture of legal personhood on a corporation, we might then deduce that a company’s home must be its castle. Finally, combining that claim with the assertion that a server is like one’s home, we might conclude that a company’s server is like its castle. Each of the moves above is subject to dispute, as is the premise itself. But the end goal is clear: sole and despotic dominion, now over the metaverse.

Thomas Kadri begins his excellent Texas Law Review article, Digital Gatekeepers, with the evocative image of Facebook as Mark Zuckerberg’s castle. But rather than imagining lords watching over their rightful domains like Epstein, Kadri sees digital enterprises as trolls guarding a bridge. Yet, these digital trolls are not exacting fees from those who hope to cross, but rather are seeking to prevent anyone else from benefiting from the lands that lie across the bridge. Kadri hopes to build ladders to scale the ramparts or battering rams to break down the gates.

Permitting third-party access to enormous datasets, such as the ones held by Facebook, raises concerns about privacy, as Kadri recognizes. In this essay, I suggest that this concern about user privacy finds a real-life example in the case of Cambridge Analytica, which exploited user data gleaned via a Facebook app. I review various legislative solutions to this problem of data-sharing across private parties. Further complicating this problem is the fact that, especially because of the internet, datasets held by today’s companies often include information on individuals from multiple countries. This brings to bear multiple data privacy laws to the question of information sharing. Even if granting access is permitted (or required) under one law, granting such access may still violate another law if that second country’s users are in the database. Companies that have not collected information about a user’s country may now need to do so to ensure that the right set of laws are applied to that data.

This essay proceeds as follows. Part I sets out the digital gatekeeping function of the common law doctrine of trespass to chattels and the federal Computer Fraud and Abuse Act. It observes that defining the extent of gatekeeping power—the precise line-drawing between permissible and impermissible breaches—remains a complicated task. Part II focuses on Facebook’s Cambridge Analytica scandal, which lives on as a warning about giving third parties access to personal data. Parts III then reviews proposals for changes to digital gatekeeping laws in the United States, the EU, and India, respectively.

Publication Citation

Texas Law Review, Online Edition, Vol. 100.