THE REALITY OF INTERNET GOVERNANCE

Ian Brown, Oxford Internet Institute

Outline

• Legitimacy in global governance• Three sites of global Internet governance

• NSA: Pretty Good Privacy and encryption controls• WIPO: “The answer to the machine is in the

machine” – copyright and Technological Protection Mechanisms

• ICANN: the travelling governance circus• Technocracy vs democracy; realpolitik vs

rhetoric• Regulating technology; technologising

regulation

Legitimacy and Internet governance• Source, process or results-oriented?

Mandates, accountability, consensus and technocracy

• Constitutional review – whose constitution? US, ECHR, UDHR, IETF? Code as constitutional law

• Rhetorical framing – ‘When I use a word,' Humpty Dumpty said, in rather a scornful tone, `it means just what I choose it to mean – neither more nor less.'

National Security Agency

• Lead US Signals Intelligence and Cryptology agency

• Multibillion $ budget• Highly secretive (No

Such Agency 1952-1964): SCIF policy

• Key driver of US and international policy on encryption

Encryption control timeline

1976: New Directions in Cryptography, Diffie & Hellman

1978: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Rivest/Shamir/Adleman: c = me mod n; m = cd mod n

1990: PGP software released via Usenet. Author Phil Zimmerman pursued through courts for 3 years

1977-: NSA attempts to ban publication of cryptographic publications; to control funding of cryptography research; and to ban export of cryptographic software

1993: Al Gore leads US attempts to mandate key escrow

1992: AT&T announce DES phone

Matt Blaze

Encryption rhetoric

• “They have computers, and they may have other weapons of mass destruction.” –AG Janet Reno (1998)

• "Terrorists, drug traffickers and criminals have been able to exploit this huge vulnerability in our public safety matrix.” –FBI Director Louis Freeh (2002)

• “Many people also choose to use readily available encryption programmes to encrypt their email, files, folders, documents and pictures. These same technologies are also used by terrorists, criminals and paedophiles to conceal their activities.” –Home Office (2009)

Encryption realpolitik

• “Law enforcement is a protective shield for all the other governmental activities. You should use the right word – we’re talking about foreign intelligence… The Law enforcement is a smoke screen” –David Herson, SOGIS (1996)

• “We steal [economic] secrets with espionage, with communications, with reconnaissance satellites” –James Woolsey, CIA (2002)

• "Encryption is no more prevalent amongst terrorists than the general population. Al-Qaeda has used encryption, but less than commercial enterprises.” –Juliette Bird, NATO (2006)

Encryption control unravels

1995: Netscape adds encrypted links, enabling e-commerce boom

1997: OECD rejects attempts to mandate key escrow in its Guidelines for Cryptography Policy

1996: IETF declares: “Cryptography is the most powerful single tool that users can use to secure the Internet. Knowingly making that tool weaker threatens their ability to do so, and has no proven benefit.”

1997: European Commission declares key escrow should be limited to that which is “absolutely necessary”

2001: US essentially abandons export controls

NSA summary

• Encryption policy was driven by a small number of executive agency stakeholders (largely excluding legislators) with very little transparency, and widespread contention from Internet community – lack of source, process and results legitimacy

• Differing stakeholder positions meant multilateral fora rejected US demands & bilateral negotiation failed

• Effective regulation extremely difficult given global availability of cryptographic knowledge, programmers, distribution channel, open PC platform and user demand

WIPO

• Part of UN system responsible for “developing a balanced and accessible international IP system, which rewards creativity, stimulates innovation and contributes to economic development while safeguarding the public interest”

• Spent much of 1980s and 1990s “updating” global © treaties

© rhetoric

• “the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.” –Jack Valenti (1982)

• “The answer to the machine is in the machine” –Charles Clark (1996)

• “If we can find some way to [stop filesharing] without destroying their machines, we'd be interested in hearing about that. If that's the only way, then I'm all for destroying their machines.” –Senator Orrin Hatch (2003)

Technological Protection MeasuresWIPO Copyright Treaty §11“Contracting Parties shall

provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.”

Implementations

• DMCA §1201: “No person shall circumvent a technological measure that effectively controls access to a work protected under this title”

• EUCD §5: “Member States shall provide adequate legal protection against the circumvention of any effective technological measures”

• Similar provisions in various US FTAs ever since• All mirror detailed US proposals to WIPO that

were overruled during development of WCT and WPPT

TPM realpolitik

• “Accurate, technological enforcement of the law of fair use is far beyond today's state of the art and may well remain so permanently” –Ed Felten (2003)

• “Legal backing for the right of access is essential in the interests of social inclusion and equitable treatment of people with disabilities” –European Blind Union (2006)

• “Why would the big four music companies agree to let Apple and others distribute their music without using DRM systems to protect it? The simplest answer is because DRMs haven’t worked, and may never work, to halt music piracy.” –Steve Jobs (2007)

WIPO summary

• Consensus reached on TPM policy in UN agency, but implementation was driven by US and EU IP/trade agencies with widespread contention from users of © works – limited process and results legitimacy

• Effective regulation extremely difficult given global availability of TPM circumvention knowledge, programmers, distribution channel for code and unprotected works, existing insecure platforms (CDs), open PC platform and user demand

ICANN

• Internet Corporation for Assigned Names and Numbers

• Private, public-benefit Californian corp (1998) operating under agreement with US Department of Commerce

• Manages DNS, IP address and port allocation

ICANN governance

• Original attempts to elect board abandoned in 2002

• Now focused on process and result legitimacy• “to ensure the stable and secure operation of the

Internet's unique identifier systems”

ICANN rhetoric

• “Burdensome, bureaucratic oversight is out of place in an Internet structure that has worked so well for many around the globe.” –Condoleeza Rice (2005)

• "No intergovernmental body should control the Internet, whether it's the UN or any other.” –David Gross (2005)

• “On Internet governance, three words tend to come to mind: lack of legitimacy. In our digital world, only one nation decides for all of us.” –Brazilian WSIS delegation (2005)

ICANN realpolitik

• Internet governance is “definitely a travelling roadshow, if not a flying circus”-Markus Kummer (2004)

• “The ITU version of [the Internet] blurs…boundaries and takes us a step backwards into a centrally controlled, centrally managed, ‘more than good enough’ network—administered, of course, by the ITU.” –Ross Rader (2004)

• "Using 'talking shop' as a negative suggests communication is a bad thing” –Emily Taylor (2007)

ICANN summary

• Source legitimacy still highly contentious – online board elections abandoned, relies on extreme consensus processes and result legitimacy – limited objectives have been achieved

• Governance has just about held together, partly due to Internet community grudging acceptance of ICANN as least-worst solution. DNS alternatives are possible but so far unpopular

Comparison

Encryption control Anti-circumvention Identifier management

Policy objective

Maintain intelligence and law enforcement intercept capability

Maintain excludability of information goods

Maintain a stable and secure addressing system

Stakeholders

SIGINT agencies, law enforcement (US: NSA, NSC, DoJ), software cos

Copyright holders, trade and IP agencies, consumer electronics firms

Registrants, registrars, trademark holders

Legitimacy

Source; little transparency

Source, some process Multi-source, extreme process, result

Framing Terrorists, paedophiles Piracy is killing music Private-sector innovation

Sites COCOM/Wassenaar, OECD, G8, special envoy

WIPO, US-EU-Japan coordination, FTAs, special 301 procedure

The travelling circus

Counter-framing

Anti-Big Brother, US business interests

Defective by design, anti-innovation, anti-competitive, anti-fair use

Anti-democratic, US-dominated

Main challenges

Open source software, 1st amendment, economic espionage, consumer preferences, campaigners

Open source software, P2P networks, consumer preferences, Apple market power, campaigners

Finding consensus across extreme range of stake-holders; legitimacy

Conclusions

• Internet policy cycle takes decades, not years; it does not provide democratic panaceas nor trivial consensus

• Multi-stakeholder forums can take better account of technocratic expertise and civil society than bilateral and multilateral fora, building process and results legitimacy

• Internet, cryptography and PCs have acted as a powerful constraint on public and private sector power; network effects and sunk cost make change difficult – does some code have a constitutional quality?

• Effective, legitimate global regulation of information is hard; technological regulation is even harder

• legem de machina non dat machina ;-)

References

• W. Diffie & S. Landau (1998) Privacy on the line, MIT Press• L. Lessig (1999) Code: and Other Laws of Cyberspace, Basic

Books• P. Drahos with J. Braithwaite (2002) Information Feudalism,

Earthscan• V. Mayer-Schönberger & M. Ziewitz (2007) Jefferson

Rebuffed: The United States And The Future Of Internet Governance, Columbia Science & Technology Law Review 8, 188—228

• I. Brown (2007) The evolution of anti-circumvention law, International Review of Law, Computers & Technology 20(3), 239—260

• R. Weber & M. Grosz (2008) Legitimate governing of the Internet, In S. M. Kierkegaard (ed.), Synergies and Conflicts in Cyberlaw, 300—313

• A. Adams & I. Brown (2009) Keep looking: the answer to the machine is elsewhere, Computers & Law 20(1)