|
A child and an adult are both inside a glass box. The adult is starting deliberately at the child as the glass fades to black.
Rather discomforting, right? This is the image the UK government wants to be engraved into the minds of every British citizen. According to an article published by the Rolling Stone magazine, the government plans to launch a campaign with the aim to “mobilize public opinion against Facebook’s decision to encrypt its Messenger app”. And, to make sure it captures the public’s opinion, the government is deploying tactics of sensationalism, exaggeration and emotion. This scaremongering is not a first for the UK government, which has been fighting against encryption for quite some time. Back in 2015, former Prime Minister David Cameron, pledged to ban online messaging applications that offer end-to-encryption. Although the ban never happened, since then, the UK has been on a steady course to ensure the government and law enforcement have access to encrypted communications. And, the Online Safety Bill, a legislation aiming to address content moderation practices and platform responsibility, appears to be encryption’s death sentence. One cannot help but wonder why the UK is so insistent to break encryption. Is it about power; is it about control? What is certain is that by intercepting encrypted communication, the UK government will have a front seat at the most intrinsic, intimate and personal conversations of its citizens. Imagine having knowledge of how your citizens say when they think they are alone, then imagine controlling it, and then imagine the possibilities of manipulation and abuse. I think you can get the picture of how expansive the powers of a government can suddenly become. This is surveillance at its most basic level and, in moving in this direction, the UK will soon be living Orwell’s 1984 nightmare. And, if this comparison is not compelling enough, then think that by doing this, the UK will be joining the company of countries like China in terms of user surveillance. The UK government’s argument is that encryption is an obstacle to ensuring the safety of children. Law enforcement agencies and charities have rallied behind this argument, suggesting that encryption hides millions of reports of child abuse and that end-to-end encrypted communication services are the main vessels for child grooming, child exploitation, sex trafficking and other child-related crimes. These claims create awe and one would hope that they are supported by strong, hard evidence; unfortunately, this is not the case. Although we all suspect that at some level encrypted communication services are used for illegal acts, but so is every technology. It is the nature of humans to use any technology for good and bad. And, the worrying part of the UK’s approach is that it appears disinterested or unwilling to take into consideration the good things that encryption brings. Privacy, security, trust – these are things that encryption achieves effortlessly. Encryption allows an LGBTQI kid to communicate without fear of bullying or, in many cases, persecution; it ensures that a domestic abuser is able to reach out for support and seek help; it helps activists and whistleblowers to come forward with information that holds governments and businesses accountable, which is the basis of every democracy; it helps all of us to exercise our freedoms and rights without the fear of someone snooping around. Of course, the safety of children is very important, but so is the safety of everyone else. And, without evidence to support that the ‘problem’ will be fixed by just banning encryption, is it really worth it? The UK government insists it is and for this purpose it has hired M&C Saatchi, involved in a controversial campaign during Brexit, to carry out its campaign. According to reports, the campaign will cost UK tax payers half a million pounds and, according to Jim Killock, Executive Director at the Open Rights Group, it is a “distraction tactic” seeking to manipulate the British public opinion. However, the truth about encryption is unequivocal: it is a necessary foundation for the internet and for societies. In many ways, encryption is the technical foundation for the trust on the Internet – it promotes freedom of expression, privacy, commerce, user trust, while helping to protect data from bad actors. Regulating encryption in order to hinder criminals communicating confidentially runs the significant risk of making it impossible for law-abiding citizens to protect their data. The main objective of security is to foster confidence in the internet and ensure its economic growth. In this regard, it becomes a valid question what such a ban will mean for the UK’s economic growth and innovation. In Australia, the Telecommunications and Other Legislation Assistance and Access Act (TOLA) 2018, which mandated tech companies to break encrypted traffic so law enforcement could get a peek at the online communication of Australians, is said to have resulted “in significant economic harm for the Australian economy and produce negative spillovers that will amplify that harm globally”.” There is really no reason why things will be different for the UK. It is important to note that, any technique used to mandate a communications’ provider to undermine encryption or provide false trust arrangements introduces a systemic weakness, which then becomes difficult to rectify. The fact of the matter is that once trust in the Internet is broken, it becomes very difficult to restore it. And, trust is what ultimately drives the use, consumption and creativity in the Internet. Ten years ago this week, the United States Congress proposed the Stop Online Piracy Act (SOPA) which drew a great deal of criticism about its impact on the internet and human rights. Stakeholders from around the world, civil society, the technical community, businesses and academia, all joined forces against a piece of legislation that would undermine our trust to the internet and our ability to express ourselves without fear. What the UK proposes to do with encryption is no different; it will change the relationship users have with the internet for the worse. The UK may want to keep children safe, but by banning encryption, it will end up making everyone, including children, unsafe and vulnerable, while turning the UK into one of the most inhospitable internet and innovation hubs in the world. It is time for all of us to rejoice and fight for what is right: our right to a secure and private internet experience.
0 Comments
This week, the Internet and its governance experienced a significant accountability failure. This failure had two faces: the first one concerned the Australian government’s choice to put pressure on tech companies to strike a deal with traditional publishers, led by NewsCorp. The second one was Facebook’s drastic move to block news’ content, essentially preventing the ability of its users to see and share news on its platform.
Let’s take things from the beginning. Earlier this year, the Australian government drew legislation “to level the playing field” on profits between technology platforms and traditional publishers. The Mandatory Code of Conduct would compel technology platforms with significant market power to enter in negotiations with registered publishers that earn over $150,000 AUS a year and are in compliance with the Australian news and media codes of ethics. On Wednesday, the law passed the lower house of the parliament and, with cross-party support, it is expected to pass the Senate next week. Google complied with the law. Facebook decided not to. This is not a first. Last year, the French government, in a similar move, instructed Google to negotiate in “good faith” with publishers, which resulted in Google negotiating a reported $76 million payout deal. The deal was the outcome of France’s attempt to enforce article 11, often referred to as the “link tax”, of Europe’s controversial copyright directive. There are a lot of issues with the “link tax”. Public Knowledge’s Harold Feld provides a very good account of what these are, here. Other sources also have pointed to the concerns over the uncertainty of its effectiveness. But, here, I want to talk a bit about the Internet. Not a lot of people talk about what all this is doing to the Internet. In 1997, Tim Berners-Lee wrote: “Normal hypertext links do not of themselves imply that the document linked to is part of, is endorsed by, or endorses, or has related ownership or distribution terms as the document linked from. However, embedding material by reference (sometimes called an embedding form of hypertext link) causes the embedded material to become a part of the embedding document.” So, the hypertext link is nothing more than a reference. Further down, Berners-Lee continues: “Meaning in contentSo the existence of the link itself does not carry meaning. Of course the contents of the linking document can carry meaning, and often does. So, if one writes "See Fred's web pages (link) which are way cool" that is clearly some kind of endorsement. If one writes "We go into this in more detail on our sales brochure (link)" there is an implication of common authorship. If one writes "Fred's message (link) was written out of malice and is a downright lie" one is denigrating (possibly libellously) the linked document. So the content of hypertext documents carry meaning often about the linked document, and one should be responsible about this. In fact, clarifying the relative status of the linked document is often helpful to the reader.” The reason everything is wrong with the “link tax” is stated above. It treats the hyperlink as something that carries a specific meaning. When hyperlinks are shared through platforms and search engines, they neither “endorse” nor “claim authorship”. The “existence of the link itself does not carry meaning”. This changes fundamentally the meaning and scope of hyperlinks. It ascribes to them a meaning they are not meant to have. This debate not just about Facebook or the Australian government or publishers. This is about the web. And, the implications of the “link tax” go further down the architecture stack. Here’s what Internet Society’s (and my boss) Andrew Sullivan said about the “link tax” in 2018: “The link tax, as described, well, to the extent it's ever been described, is actually impossible. It's technically impossible because nobody will ever deploy it. The only way that it will ever get deployed is if everybody agreed that I really want to be taxed.” That does not seem plausible. “And since it's unlikely that people are going to sign up to be taxed, then they're never going to click on a link that causes them to be taxed. All of the clients will simply not implement the necessary technical requirements to, you know, to cause the tax to take effect. And there are only two possibilities at that point. Either the government authority can say, well, you're not allowed to use a board compatible mechanism in which case the ‑‑ backward compatible mechanism in which case the internet is over. Or, you are allowed to use a backward compatible linking mechanism in which case only the backward compatible mechanism is going to be deployed by clients. Those are the only two possibilities and I've yet to have anybody explain to me how we get out of that. On the internet if you actually want people to deploy things you have to give them a reason to deploy it. “ So, this whole debate is not only about Facebook or governmental policy. It is about the Internet’s goal to be trustworthy, open, secure and global. Conditions like integrity, reliability, availability, accessibility matter for the Internet. They should matter in any policy. And, in the case of Australia, they evidently don’t. The Australia and France cases are not going to kill the Internet. They are deep cuts to its architecture, but they are not fatal. If the Internet dies, it will die of a thousand cuts. The BBC has reported that Scott Morrison, Australia’s Prime Minister, has already spoken with India’s Narendra Modi and is seeking international support. Here’s your thousand cuts – the possibility of the ‘link tax’ exploding as an international policy. So, to sum up: Australia’s Code is a terrible policy. Facebook’s decision was out of self-interest. The Internet is the casualty. Netflix was created in 1997 by Reed Hastings, who is still its current CEO, and Marc Randolph. In its early days, Netflix’s business model was based on DVD rentals, seeking to disrupt Blockbuster Video, which was the dominant actor in the United States. At the time, DVDs were only starting to make their appearance in the US market and offered a much better customer experience than videocassettes. Blockbuster Video was making a lot of money by renting them for a fee for a specific time. The fee would vary, depending on things like the s release date of a movie, late returns, etc. Hastings saw an opportunity to offer a flat monthly rate for all content and, he entered the market.
Netflix’s growth was quite substantial. From 300,000 users in 2000, the company grew double in 2002 and by 2005 it was counting 4.2 million users. In 2002, Netflix made its IPO debut in New York and, although the company had managed to outpace the business practices of Blockbuster, it was not until 2005 that it would adopt the feature that would place it as one of the primary contenders in the entertainment industry: streaming. By 2010, a user would be able to access Netflix via any portable or not device to consume content; the same year, Netflix expanded its operations to Canada. Over the next few years, Netflix would expand and, in 2016, it would end up rolling out its services globally (with the exception of China, N. Korea and Crimea). After adding original content in its services in 2012, Netflix has become a considerable contender in the entertainment industry having been nominated for 112 Emmy awards in 2018. It is currently counting more than 150 million subscribers internationally. Netflix soon realized that it had to find a new angle if it were to survive. Blockbuster Videos were no longer a threat – they declared bankruptcy in 2013 – but a new competitor was emerging as Netflix was adopting a new business model. Although streaming appeared to be a niche market for the company, its dependency on licensing deals by the large Hollywood studios meant that Netflix would need to find a new way to become competitive. That happened with the adoption of a strategy on original content and the company’s conscious decision to invest billions of dollars in original programming, taking advantage of its global reach. This bold move highlights the following disruptive strategy theories. Netflix started as a low-end market disruptor. Taking advantage of some of the policies customers used to find annoying in Blockbuster (mainly the late return fees) Netflix did not seek to offer something better, but something that was performing “good enough”. Netflix also realized that all other DVD rentals were following the same business model as Blockbuster, which meant that consumers were overloaded with similar products and similar business patterns. To this end, it sought to utilize the idea that it could provide the same product but improved. The improvement was ordering DVDs from the comfort of your home by paying a flat fee. No extra charges would be incurred. Netflix’s streaming, however, can also be seen as new-market disruption. What streaming did for Netflix is that it offered existing customers access to content cheaper –in the beginning, the service would offer lower performance for existing consumers (in those early days, Internet bandwidth would severely affect the streaming experience), but higher performance for non-consumers. As Netflix was rolling out its streaming service, Blockbuster considered that there was no incentive to go after the same service, effectively confirming the theory that a business cannot disrupt itself. To this end, Netflix created a whole new market that we only see now emerging and developing, with new entrants like HBO Max, Apple TV+ and Disney+ being amongst the competitors. Almost every time, disruption is an opportunity before it becomes a threat. This opportunity can be seized once the company realizes what the “job to be done” is. In the case of Netflix, it was the case of understanding how to help customers consume content any time, at any device. Streaming filled that void by offering customers a catalogue of content that were able to absorb. In a similar vein, Netflix saw an opportunity to address a problem that was at the core of the way audiences used to consume content: removing advertisements in the middle of broadcasting and offering content all in one go. As Netflix grew, the challenge was to ensure they remained faithful to their original business model and not try to emulate traditional broadcasting companies. Once they were dominant in the market, the temptation of adopting the traditional business model of offering content on a weekly basis was present, especially considering the costs associated with creating original content. Netflix, however, retained discipline and continued to integrate their organization to provide the consumption of content with an eye focused on the job to be done. Netflix never stopped offering content from other studios. Since that content is subject to licensing deals, geolocation services would have to apply; what this meant was that, despite being a global service, Netflix could not offer the same content to all of its users around the world. Organizing for innovation, essentially defining how Netflix’s resources could work together to achieve its goals, became very crucial. Netflix had a big choice to make: either stick with the content from the Hollywood studios, a choice that would ensure the company always depended on them, or identify and prioritize the criteria that would allow it to differentiate itself. This was achieved by investing in original content, which Netflix was able to control fully and was able to distribute at the same time to all its customers around the word. Netflix’s big challenge was how to create content that was easily consumable and was able to compete with traditional broadcasting incumbents, including ABC, HBO, Fox, Disney, etc. What is unique about the business model of Netflix is that it commoditized time – what a viewer was able to see on a Saturday at 9am was no different from what they were able to see on Tuesday at 10pm or Thursday at 3pm. Unlike traditional broadcasters, there is no ‘prime time’ on Netflix, and this allows Netflix the freedom to get rid of the advertising model, which has proven to limit the customer experience by breaking it in multiple segments. By adopting this business model, Netflix was able to demonstrate that it had moved from its original core competence: it was no longer about providing DVDs to its customers, but rather about connecting content creators and content consumers in order to ensure a more efficient relationship in the way content would be conceived, created and, finally, absorbed. Up until Netflix emerged as a disruptor, content was consumed based on a variety of factors: users, advertisers, studios, broadcasters. In disruptive strategy language, these factors of creating and consuming content created a series of interdependencies that provided for an ecosystem that was inflexible and quite bureaucratic. A lot of shows would be created and, if they could not generate enough advertising revenue, they would be cancelled, often at the dissatisfaction and frustration of consumers. In essence, there were additional extenuating circumstances, beyond consumer demand, that were able to determine the future of a given production. Netflix saw a great opportunity. Based on the data that it had generated from viewers’ habits, Netflix could integrate forward and offer personalized content to account for the interdependency. This is essentially what they did by partnering with various studios to produce original content. This collaboration included the interdependency of using Hollywood studios and content creators and the personalized information regarding customer content preferences, while letting go completely of advertisers. It is, however, logical to assume that over time this interface will become modular. At some point, Netflix needs to start looking for opportunities to have its own studios for the production of content. Based on all this, there are a number of things we could extrapolate. Netflix can either be positioned as a low-end disruption or new market disruption. In either case, there is an asymmetric motivation being created because incumbents are motivated to move up a market. For traditional studios, this would mean focus on the content they have exclusive rights to. It also means that current incumbents, given their relationship with telecommunications providers, might start considering how best to offer their service as part of package deals with mobile phones. This is an advantage Netflix does not have. According to the theory of disruption, Netflix will need to start moving up in the market offering more convenient and niche services in order to withstand the competition. You can easily imagine Netflix creating its own studios in order to cut the costs or start making more deals with actors and creators that tend to be popular with viewers, which it currently does. The same theory also suggests that incumbents, like HBO or Disney, will abandon low-end services and will start depending more on their niche products – HBO on shows like Friends and Disney on its massive catalogue of Marvell and Star Wars characters for instance – which can offer a higher margin to their businesses. In order to achieve all this, strategy will be key. When it started, Netflix was operating under a deliberate strategy, a conscious and organized action aimed at disrupting the business model of Blockbuster Videos. Over time, Netflix moved into a more emergent strategy, one that saw some unplanned actions, i.e. the basis for original content, to emerge out of the initiatives of parts of the organization. Now, it appears to be the case that Netflix is operating under a more deliberate strategy again. In order to survive what appears to be an increasing competitive market, Netflix will be required to again re-invent itself by moving into a more emergent strategy process.  The internet, as it exists today, is an artifact of a time in which global cooperation seemed reasonable, even inevitable. While the process of building the internet required difficult trade-offs—trading security for simplicity, for example—as a world we produced a system that, more or less, works together.
But the free flow of information online is now under threat by growing fragmentation across national borders. This internet fragmentation is both as a driver and a reflection of growing fragmentation in the world order. The effort by the U.S. government to ban the Chinese viral video app TikTok is a reflection of this reality: a response by the U.S. government to growing Chinese influence manifested online, resulting in a splintering global internet. Internet policy and international affairs move together. Throughout the internet’s history, its major stakeholders have made trade-offs around how different social and technical systems interoperate. Security is one such trade-off. Contrary to popular belief, security was indeed considered in the internet’s original design; however, deploying a decentralized, open architecture was difficult to balance against security requirements. Erring on the side of creating interoperable building blocks, a trade-off emerged: make simple, fundamental elements and address security issues as they emerged. The system’s interconnectedness served as a shared incentive, and the internet as we knew it grew—though not without bumps along the road—to become global. But the global internet is now under existential threat from fragmentation. And the problem with fragmentation is that it puts global cooperation at risk, as differences in the internet across borders are predictive of international trade and military relations, according to research conducted as part of the University of California, Berkeley Daylight Security Research Lab. Such findings should recast discussions about internet fragmentation. Internet fragmentation does not concern narrowly the “free” movement of information (an ideal that has never been fully accomplished), nor does it merely challenge the internet’s “distributed” design, another ideal whose implementation has only ever been partial. Rather, a fragmenting internet is representative of and has the possibility of contributing to a fragmenting world order. Such analysis of a fragmented internet looks at different layers of the internet “stack”—the building blocks that cobbled together comprise the internet—to quantify, for example, how similar France’s internet is to that of Germany, Canada, or Thailand. Using these country-to-country comparisons, we produce a network graph, with each country related to every other in a web of national internets that are, more or less, interoperable with one another. The graph reveals clusters that correlate with everything from military alliances to trade agreements—even to political principles such as freedom of speech. For example, content blocking patterns in European Union countries are significantly more similar to one another than they are to non-EU countries. The same is true of NATO countries. Notably, these findings do not indicate that blocking policies cause, for example, freedom of speech to decline. Nor that restrictions on free speech cause a country to block websites. Rather, they indicate that website blocking patterns—the types of websites a country blocks—reveal information about a country’s position on the global stage. China’s blocking patterns are relatively unique, though they share similarities with Hong Kong and Lichtenstein.In one sense, the strength of that relationship is unsurprising. The internet is, and has always been, both a product and a driver of political realities on the ground. From the role it played during the Arab Spring in 2012 to the way it has been used as a tool to interfere with the U.S. elections in 2016, the internet is a powerful tool for driving political change. Internet fragmentation has always existed, but the fact that the internet has evolved the way it has, becoming global, is evidence that interoperability is more than just aspirational. World-scale collaboration, while difficult, is possible. It is as possible now as it was in the late 20th century. Interoperability opens doors to participation and invites collaboration. To this end, the internet, and the threats to its operation as a global system, are a continuous invitation to work together. Not to agree, per se, but to agree to continue talking. To continue speaking the same proverbial language. Interoperability is not an end in itself. It is a means toward achieving shared goals. As cross-border goals emerge, from containing COVID-19 to battling climate change, interoperable ways of observing and discussing the world become more crucial. Moving forward, policymakers must safeguard the fundamental interoperability of the global internet. Rules and legislation should prevent fragmentation, enshrining the principles of a decentralized network made from open, interoperable components. As our research shows, the rewards for doing so come in trade, military alliance and social freedoms. To get to these regulations, policymakers must understand the internet’s ecosystem. Climate change provides an illustrative example: Cooperation is necessary, but action is impossible without understanding. Our ongoing research serves a part—a small part—in making the interoperable internet more understandable, and immediately relevant, to policy. Dr. Nick Merrill directs the Daylight Lab at the UC Berkeley Center for Long-Term Cybersecurity. His lab produces tools for understanding and addressing critical security issues. Dr. Konstantinos Komaitis is the senior director for Policy Strategy and Development at the Internet Society. Note: this post was originally posted at: https://www.brookings.edu/techstream/the-consequences-of-a-fragmenting-less-global-internet/ The Internet could be reasonably claimed to be the global endurance champion of 2020. Not only did it manage to stand resilient and stay operational during one of the worst pandemics in modern history, but it also allowed societies to continue functioning. In fact, one could say the Internet was ready for COVID19; governments, for the most part, were not.
The Internet’s enduring value is a fact that has been repeatedly acknowledged by European legislators, even as they set out their rationale for the Digital Services Act and the Digital Markets Act, new legislation that commissioners are comparing to “traffic rules” designed to regulate content and business online. Internet regulation has been at the top of every government’s policy agenda, from the United States to Europe to Africa and the Asia Pacific. The Internet has been integrated so much in the political machinery that regulation is now an inevitability. Only last week , the President of the United States, Donald Trump, tweeted that he would veto the National Defense Authorization Act, a significant piece of American legislation related to military funds, unless Section 230 of the Communications Decency Act, the law that shields internet service providers from legal liability for content posted online, is repealed. In the meantime, France is working towards tougher rules for social media companies both domestically and at a European level in light of the terrorist attack on a schoolteacher in November. And, the UK’s Prime Minister, Boris Johnson, recently committed to fighting “disinformation” via “Online Harms” legislation, which is expected to be ready in early 2021. The concerns are, for the most part, legitimate: disinformation has pushed democracies close to a breaking point and, in some ways, it could determine the success or failure of the COVID19 vaccine. A renewed conversation around competition is long overdue as is the question on whether some of the existing legal rules are enough to address monopolies and market concentration online. Finding a balance between security and safety needs fast resolution. Regulation promises to fix all this. But as clear as it is that something must be done to address all these current challenges, it is equally clear that it must be done in a way that is fit for purpose for the Internet and the digital age. A recent global survey conducted by YouGov on behalf of the Internet Society has shown that over two thirds of people (67%) are not confident that politicians have a good enough understanding of how the Internet works to create laws to regulate it. That this legitimate concern exists does not mean that regulation should not happen. But it does indicate that regulation cannot go ahead on a basis of sensationalist arguments or unfit tools. Too often, Internet regulation is presented as a panacea for all ills, from abusive language to online fraud. But the Internet is an ecosystem and, just like any ecosystem, it is diverse, complex and dynamic. It is based on some fundamental design principles that have underpinned the Internet since its original inception. Regulation must uphold these principles and ensure that it does not create any unintended consequences for the way we communicate online. For its part, the Internet Society has created the Internet Impact Assessment Toolkit that we believe will help legislators create laws without causing damage to the ecosystem. The Digital Services Act may or may not contain elements that could harm the Internet; we will need to wait for its release to see. What we know is that the DSA promises to do for competition and intermediaries what the GDPR did for privacy: set rules that would then establish a global standard for platform regulation. It is expected to affect businesses around the world and require some drastic changes in their business models. This could also affect the Internet’s underlying architecture. How will the new rules be enforced? And what measures companies will be required to take will be key in determining the levels of participation and compliance. If there is one lesson to be learned from the GDPR, it is how lack of clarity and compliance costs can complicate and make implementation hard. The EU has admitted as much. Bearing this in mind is crucial as companies will start deploying tools to comply with the rules of the DSA. We should remain conscious as to how such tools may be created, who by and how effective they ultimately can be. Consider, for instance, the use of algorithmic tools for content moderation, which was a policy objective of last year’s copyright directive and has since then been implemented for other forms of illegal content. The DSA will require some form of content moderation on behalf of platforms. Algorithmic tools pose challenges, including , but not limited to, how they can negatively affect the Internet as an open, interoperable and general purpose network. Users could potentially be denied access to content that is needed for educational or research purposes. Automated filters have been responsible for taking down perfectly legitimate content that relates to war crimes or even legitimate speech. This could affect innovation and creativity, which is one of the main objectives the DSA aims to accomplish. The DSA has set the bar very high for itself. When it is released, it will become the first official attempt to articulate a legal environment for technology companies. But, the question of how well it manages to account for the Internet persists. It will be essential for the DSA to conduct an impact assessment analysis for the Internet as soon as the implementation phase kicks in. The Internet has held up and helped society get through a traumatic period. We owe it respect for its extraordinary service. Editor's note: this is a guest post contributed by Dr. Konstantinos Komaitis, Senior Director of Policy, Strategy and Development at the Internet Society.) Europe is marching towards a dangerous and, potentially, irreversible trend that could see the world’s second largest economy alone and alienated. The trend is: digital sovereignty. Europe’s obsession with digital sovereignty is not new, but in the last year it has become more prominent and is the driving force behind many of the policy and technology frameworks of the bloc. In February, 2020, then newly elected President of the European Commission, Ursual von der Leyen, wrote: “I sum up all of what I have set out with the term 'tech sovereignty'. This describes the capability that Europe must have to make its own choices, based on its own values, respecting its own rules”. Like any other country, Europe should feel free to impose its own rules and laws in the Internet. But, a strict Hobbesian view of a single hierarchy of authority does not work for the Internet because the Internet does not or rather cannot – obey to any such authority. The Internet is made of independent networks that connect to one another through a voluntary set of of open standards that ensure interoperability. This allows the interconnections to work efficiently without much prior arrangement. As a result of this voluntary interconnection, the Internet does not have a center of control. This lack of central authority means that each and every actor - state or non – can participate in the Internet and reap the benefits of innovation and global connectivity. Any attempt to impose any sort of authority over it would not only affect these benefits, but could also have unintend consequences for governments, and for the Internet. In the last year alone, Europe has made headway in achieving its goal of digital sovereignty through different ways. GAIA-X, a Franco-German initiative on behalf of Europe seeks to create a “federated cloud architecture.” Similarly, in a recently released communication from the European Commission on the Union’s security strategy, the intention to “[limit] dependency on infrastructures and services located outside of Europe” was reasserted, echoing similar rationales put forth by the Russian sovereign law. Moreover and, despite some strong criticism on the unintended consequences created by the General Data Protection Regulation (GDPR), Europe continues to act as the de facto global regulator for the Internet. As part of its digital sovereignty strategy, Europe will release later this year its Digital Services Act (DSA) package, a mammoth piece of legislation meant to tackle the behaviour and business models of online platforms. The DSA, combined with the GDPR, are aimed at ring-fencing data from Europe in an effort to give a competitive advantage to European firms enabling them to compete on the world stage. Through the DSA, Europe has a unique opportunity to address, what are effectively, some of the biggest challenges in the Internet to date. One of the main reasons for the Internet’s success is that its architecture was not an outcome of politics. The Internet’s original design was never the expression of a hegemon and its order to the people building the Internet. Instead, it was a democratic attempt at consensus amongst a variety of contributors, including the government, the private sector and the technical community. This consensus is reflected in the way the Internet was designed and has performed ever since. The main question is how far is Europe willing to go and upset this consensus in order to support its vision of technological or digital sovereignty. The Chinese example has demonstrated that if this consensus is stretched far enough, it leads to a version of the Internet that departs significantly from its original incarnation as a free, open and inclusive space. Europe has certainly a big choice to make and, so far, it appears to be disregarding how its obsession for digital sovereignty may be affecting the Internet. Because, if we want to preserve it, then its architectural values are as equally important as the European ones. Note: this post originally appeared at https://tech.eu/features/32780/europe-digital-sovereignty/ By Martin Banks
August 25, 2020 SUMMARY: The EU’s interest in its Gaia-X infrastructure is just one example of what could become an international rush towards national interest-driven, inward-looking towards parochial centralisation of the Internet, which would fracture as a global entity and become a set of state-bordered and state-governed Wide Area Networks. Discussions about the growing relevance of data economics to the way businesses re-architect themselves over the next few years may inevitably hinge on the day-to-day cost of moving, processing and storing data anywhere around the globe, but it should not ignore the wider issues of politics, national cultures and attitudes and views on regulation that exist in different countries. It is an old dilemma - a country may be cheap to operate in, but be overly woefully under-regulated when to comes to the protection of data or, perversely, over-regulated in a biased manner. The cheapness of operating cost may mask the paucity of investment in its infrastructures or its political self-absorption may seriously prejudice its ability to work with international businesses in a sensible way. A conversation with Dr Konstantinos Komaitis, Senior Director of Policy, Strategy and Development at the Internet Society, an American non-profit organization founded in 1992 to provide leadership in Internet -related standards, education, access, and policy, cast some light on the stumbling blocks data economics may well come up against over the next few year. It is a task that Komaitis sees as important, not least because of the central role that data, its costs and its potential profitability, now plays for every business: "I am going to use an expression that I really hate, but it's no accident that we have been referring to data as the new oil. It's everything, especially when it comes to the Internet, everything is about data. So to the extent that you are able to control your data, it gives you an advantage, whether that is a competitive advantage, or whether this is an advantage over control. At the same time, if you are a state actor you also want the data, from designing your own government services to actually being able to manipulate the way you interact with your users in the case of non-very democratic countries." He sees Europe as one of the most advanced areas of the global marketplace when it comes to working with and managing data, citing the driving force behind GDPR - to fix the data privacy issue by providing a framework that would allow users to understand how their data is being used, and at the same time force businesses to alter the way they treat the data of their customers. The result has been that everything that Europe has done since GDPR in terms of either policy or infrastructure has also been centred around data. It has also played an important part in the development of Gaia-X, the Franco-German infrastructure project, which is linked to the wider subject of digital sovereignty that is an on-going hot topic in Europe. The objective here is to provide a services infrastructure that favours data localisation, and he talks about how the GDPR will be able to encourage that. Why my Internet’s better... Gaia-X comes from a place where Europe feels the need to be competitive, and in particular to compete with the likes of AWS. The issue with AWS is that it can now be seen as a level of consolidation that demonstrates a failure in the market to self-regulate. Komaitis sees Gaia -X as a partial answer to creating some sort of competition against the context of a hugely consolidated model: "The problem with Gaia-X, is that it seeks to create a closed system that is hugely federated and based on data localisation, and that is quite top down. Even in the context of interoperability, which is key for the Internet's present and future, that interoperability is also quite questionable. We don't really know the technical specifications of Gaia and the talk about interoperability doesn't appear to conform with the organic way that interoperability works in the Internet. So if we're talking about a centralised system of interoperability, rather than this whole idea of a decentralised system of interoperability where the Internet is based." This does put Gaia-X at risk of going down the wrong alley for the wrong reasons, potentially becoming very parochial and looking predominantly inwards, not outwards. It is a view that Komaitis has sympathy with: "The missed detail in all these conversations is that the Internet, for better or worse, is now part of the traditional geopolitics. So the geopolitical shifts that we're seeing happening outside of the Internet, inevitably will move into the Internet because it's so integrated in societies and the way we work and experience everyday life. The problem now is that nobody really is paying very much attention to the impact that all this has on this global network of networks." His fear is that people will take the Internet for granted, something that should not be allowed to happen. The danger, he argues, is that we start losing the benefits generated by the Internet’s critical properties, such as its global cohesion. An unintentional consequence of Gaia-X may be the beginnings of Internet fragmentation, higher barriers to entry, and less interoperability – all fundamental to making the Internet what it is today. Brexit is likely to be another contributor, especially as a worked example of a country becoming inward-looking and parochial, something he sees appearing all round the world now, with many Governments questioning globalisation and how far it has already extended. Unfortunately, the Internet really is at the middle of this because one of the key things about the Internet is this whole idea of global reach. We were all celebrating this for the idea that we're able to exchange information and provide a global platform where everybody can participate. "I think that the main question in this context is what sort of an Internet do you want, because there can only be one way for the Internet to work and that is to have networks that are able to interoperate with one another throughout the world and able to exchange information." His unstated corollary, of course, is that if you can’t do that, because you are inward-looking, then the Internet ceases to exist. You just have state-bordered WANs. It is only if it becomes truly global that the full power of data economics will then come into play. There is another discussion to be had on how many nations and major businesses would prefer to see state-bordered WANs as the better solution. Regulations need regulating One potentially important suggestion he offers here is that impact assessments are conducted on regulatory actions in much the same way we accept environmental impact assessments or health and safety assessments. We regulate all the time, so he sees a place for it in the development of the Internet. Without it, he fears, there could be continued growth in the trend towards data sovereignties, centralisations and other trends that would be dangerous to the Internet. There is certainly a danger that the act of regulation could be used by a nation state to exercise its particular political or cultural biases, but he sees an independently-conducted impact assessment as both a possible brake, and as a fall-back position: It is their prerogative and they are legitimised to do that. But should a wrong decision be made and you have an impact assessment in place, then you can revert back to it and actually say, `okay, why didn't you follow these? Because if you were to follow these recommendations, then some of those things would have been avoided’. Komaitis feels that the EU has a great opportunity here, not least because the one thing Europe is an expert in is how to regulate. He sees the EU on a long and important journey with its Digital Services Act package, which seeks to create rules for platforms as well as rules for the competition and how the competitive economy is going to work within Europe. This gives Europe the opportunity to set the standards of how this can be done, and done in a way that respects and adheres to the design of the Internet: "We're talking about what the Internet is. We never thought that we would have this tool and suddenly there it is. It's transformative and it really has had a huge impact on all aspects of society. And we are taking it for granted. And because there is clearly a need for governments to address some of the issues, we need to bring the Internet into the consideration process. So I am hoping that they you will see this as an opportunity. I am hoping that we will learn lessons from GDPR – such as that well-intentioned regulation can also create some unintended consequences." My takeIt is time for business managers to step outside of the straight-jacket of arguing the toss about which technology to use, and then which technology should be used to manage that technology, and then what technology should be used to monitor the technology managing the technology you are using but are starting to have doubts about – and onward into nano-granularity of technologies. If you feel that the Internet is a `good thing’ and using it to exploit all the data that is available to you is a possible fast track to a bigger profit and more sustainable business then forget about the technology per se: whatever you want to do there is now an off-the-shelf service that can deliver it. But that opportunity for business – how data economics and the wider aspects of the overall data economy can be the basis for huge and largely beneficial developments across the world – is getting ever-closer to being under serious threat. The Internet is already being eyed up as the next plaything of the geo-politicians and geo-commercialists, and the signs are it may not fit with their increasingly parochial purview. I, for one, feel that would not be a good thing. Note: This post originally appeared on https://diginomica.com/my-internets-better-your-internet-danger-slide-towards-state-bordered-wans On Thursday the president of the United States signed an executive order that aims to address the liability regime of social media companies. A wide variety of reports have highlighted the problems with this move, but there is one problem that we find especially troubling: the danger of politicizing what is fundamentally a legal debate around party lines.
The president needs to stay out of this debate. The Internet and politics have always had an awkward relationship. There have been numerous attempts to bring the Internet into mainstream politics over the years, most of which have been unsuccessful. The main reason is that the Internet is not a static “thing,” but a model for how networks and computers can interconnect through voluntary collaboration. A key characteristic of this model is that it’s decentralized, which means it doesn’t have a central point of control that dictates how the Internet should evolve. There is no switch that one can turn on and off, and as soon as policymakers or regulators try to impose one they inevitably chip away at the Internet itself. This characteristic has always been its most powerful asset, and the reason it has been an infinite source of innovation and growth - from the Web to ever-evolving smart devices, homes, etc. This lack of central control is a feature of the Internet, not a bug! Most of the early legal frameworks that have been implemented in the Internet reflect this apolitical premise, albeit at different levels and to different degrees. But there is really no other law that does this as gracefully as Section 230 of the Communications Decency Act in the United States, which undergirds “intermediary liability” online. Online intermediary liability protection first emerged in the United States in 1995 as a policy discussion regarding the scope of responsibility intermediaries should have. At the time, there was no Facebook or Twitter, so the law was aimed at services like CompuServe, Prodigy and AOL. However, it set the tone for all future services and would later be exported to the world as one of the most positive Internet legal developments. The question was simple: should intermediaries be liable for content posted using their services or for actions performed by third parties, i.e. their users? This question would fundamentally shape the future of the Internet. It discouraged attempts of centralized control because it did not force providers to perform functions they were never originally supposed to do. Similar to how telecommunications services are not responsible for the things phone users say over the phone, it was clear that online intermediaries and service providers would need similar commonsense restrictions on what they could be liable for. Immunity from liability ensures a level playing field and provides autonomy to a diverse set of actors to perform their intended functions. In this context, Section 230 provided predictability in the Internet’s highly unpredictable environment. No one can predict the next innovation; the Internet is designed this way. The Internet’s highly unpredictable environment can only unfold to its full potential if it operates within a legal framework that is obvious in its intention and unsurprising in its outcomes. Section 230 does this. Politicizing it would reverse years of such predictability and could place the Internet’s future potential in jeopardy. With this in mind, one can see how the executive order is problematic, setting in motion a dangerous precedent both for the Internet and speech. The problem is that a lot of the provisions in this order appear to be what Stanford’s Director of Intermediary Liability, Daphne Keller, calls “atmospheric” – politically driven questions that should not be part of the legal debate related to the scope of intermediary liability protections. They constitute a distraction, which could cause a series of unintended consequences for the evolution of the Internet. While conversations about the evolving scope of Section 230 are healthy, they should not be based on fashionable political motivations. Section 230 has a historical track record of promoting innovation and creativity online. By separating it from partisan politics, we can ensure that these benefits are retained. Note: this post originally appeared on The Hill On January 28, the UK government was set to announce whether it would allow Huawei, the Chinese information and communication technologies provider, to develop its 5G infrastructure. Given Brexit and its need to form new alliances, the decision was marked as a significant moment for the UK’s trade future. Leading up to the day of the decision, the UK was subjected to a significant amount of pressure from the United States government to reject any deal with Huawei. (Similar pressure was exercised towards any other US ally considering to use Huawei’s 5G infrastructure). In a tweet sent by US Secretary of State, Mike Pompeo, the day before the decision was due, he made the claim that Britain’s decision would effectively be one of sovereignty.
We can debate the merits of this claim, but the thing that I want to focus on is the often-use of the word ‘sovereignty’ in conjunction to the Internet and technology. It is interesting to observe how in almost every single discussion about the role governments should have in the Internet, the term ‘sovereignty’ pops up. Terms like “digital sovereignty”, “technological sovereignty” or “Internet sovereignty” have become commonplace. But, does sovereignty help advance the Internet governance conversations? The answer is an emphatic ‘no’; sovereignty adds an extra layer of complexity and only pushes states further apart while, simultaneously, it undermines and fragments the Internet. Sovereignty and the Internet are – prima facie – two irreconcilable concepts. Born out of the effort to connect networks with one another, the Internet was originally designed to not recognize any geographical boundaries. Its design embodies a true decentralized structure in the sense that it is both architecturally decentralized – it runs on multiple computers – as well as politically– no central authority has power over those networks. This decentralized nature has further allowed the various autonomous networks to interconnect with one another irrespective of where in the world they are located. In fact, since its inception, one of the Internet’s distinguishable characteristics has been its global reach: “any endpoint of the Internet can address any other endpoint, and the information received at one endpoint is as intended by the sender, wherever the receiver connects to the Internet. Implicit in this is the requirement of global, managed addressing and naming services”. Sovereignty, on the other hand, is all about strict geographical boundaries. It refers to the legal autonomy of the state to act independently and without constraints within its own territory. Under its Rousseaunian tradition it reflects the power of the state emerging from its people and for the people. In the context of geopolitical disputes for transnational communication technologies, sovereignty is currently seen as the construction of a governance system with the ability to coordinate and manage exchanges that may or, may not, address primarily issues of privacy/data protection and security. In this context, its application is one of scale. Historically, countries always sought to impose some sort of domestic legislation to the Internet, but, at the same time, most of them equally understood and respected the need for network autonomy and integrity. Over the past few years, however, there has been a significant shift in this thinking, with an increasing number of countries now actively seeking to centralize control over the Internet. For any country interested in the governance of the Internet, the claim to sovereignty is a claim to power. Such a Foucauldian approach considers sovereign power as a constant negotiation about the validity of claims of knowledge and truth, which dictates the power dynamics within a system. In this context, we can observe countries, like Russia and China, racing to codify their own notions of sovereignty in international law, much in the same way, the West was integrating its ideas of “universal values” when the Internet first emerged and for the best part of the its commercial history. Three distinguishable forms of “Internet sovereignty” have emerged thus far. The first one is China’s vision of sovereignty which is predominantly attached to notions of national security and securitization. (Russia is also part of this thinking, but its vision and technology implementation is not nearly as advanced as China’s.) China’s Internet sovereignty is all about the right of national governments to supervise, regulate and censor all electronic content that passes through its borders – what Bill Bishop has referred to as the “invisible birdcage”. In China, “Internet sovereignty” first appeared in a 2010 White Paper, which indicated that “within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. […] To build, utilize and administer the Internet well is an issue that concerns national economic prosperity and development, state security and social harmony, state sovereignty and dignity, and the basic interests of the people”. Since then and through a series of laws focusing primarily on cybersecurity, China has increasingly placed chokepoints on its Internet infrastructure, requiring network operators to store data within China and allowing Chinese authorities to conduct spot-checks on the network operations of any company operating out of China. On December 1st, 2019, China rolled out its Cybersecurity Multi-level Protection Scheme (MLPS 2.0), aiming to create a system that is able to monitor every activity in China: Internet, mobile, WeChat type social networks, cloud systems, national and international email – everything. The framework’s goal is not to empower users or even allow companies to make money; it is an attempt to centralize control over key network operations to the Chinese government. With this strategy China does not seek to close itself out of the global Internet but, instead, to strengthen global network integration. For Europe, sovereignty means independence from the dominant US technology companies. Europe started flirting with “digital sovereignty” as a response to the Snowden revelations in 2013. A 2014 research paper by the Global Public Policy Institute (GPPi) and New America’s Open Technology Institute identified around 12 European countries using the term or considering practical policy solutions to its end. These policies ranged from the construction of new undersea cables to stronger data protection rules; they detailed different layers of extreme with some going as far as to suggest forced data localization and routing rules. Although most of these proposals never materialized, Europe has integrated sovereignty in its recent digital strategy. Last year, Ursula Von Der Leyen, Europe’s chief Commissioner stated that “it is not too late to achieve technological sovereignty in some critical areas.” Similarly, her number two and the EU’s competition czarina, Commissioner Margrethe Vestager argued that digital sovereignty can be achieved through “the development of key value chains and technologies that are of strategic importance for Europe” and which should be “open, truly European, innovative and lead to widespread knowledge dissemination”. And, then there is the case of India. India presents a big oxymoron being both the largest democracy in the world and the world leader in deploying Internet shutdowns as a political tool to assert its sovereignty. Since August 2019, India has sanctioned the longest Internet shutdown ever to occur in a democracy, in the disputed Kashmir region. Discretionary and vague legal rules regarding the control the government can exercise over India’s Internet service providers has further enabled the government to restrict or limit access on regional and district levels. But, it is its data localization laws that further indicate India’s direction towards a more sovereignty-based Internet. A series of recent laws require different forms of data, from governmental to heath and financial to be stored in India. Additionally, India’s data protection legislation lays out the conditions under which “critical” and “sensitive” data are to be stored locally; this includes, financial, health and biometric information. An official document by the Committee of Experts on data protection acknowledged that although “laws facilitating cross-border data flows […] greatly foster research, technology development and economic growth”, critical personal data should be processed only in India with no cross-border transfer allowed. So, what does this all mean and why should we care? For the state, to view the Internet as nothing more than an extension of its sovereignty right should not come as a surprise. The key role of states is to make more of life ‘legible’ as James Scott has convincingly argued – this means to better record and measure human affairs in an effort to make them easier to manage. However, the drive for ‘legible’ or readable structures that can be easily understood and regulated often comes with a fatal flaw; in the top-down drive to simplify and formalize our understanding of complex systems, we sometimes disregard the local and practical knowledge critical to managing the complexity. To this end, our expectations that the state should – or would for that matter – see the Internet in a different fashion must be moderated. With this in mind, what is the impact sovereignty has on the current state of play? The first point of this consideration is the pressure sovereignty places on the Internet. Although as we said previously, it should be expected that governments apply rules of sovereignty in all aspects of international relations, including the Internet, the stricter the application of those rules, the more danger there is for the Internet to splinter and fragment. And, by this we don’t mean that the global Internet will cease to exist; rather, it will not be neither desirable nor beneficial for people and networks to participate in the global Internet. Its resilience, which depends on the very fact that networks are diversely spread around the world, will diminish and with it any need for interoperation. The other problem is how sovereignty contributes to state actors not being willing to collaborate. States are already split in their views of the Internet – a split that grows bigger. A UN resolution by Russia in the last days of 2019 on cybercrime, demonstrated the increasing division amongst the views of states. The resolution, which was opposed by the US and Europe but backed by China, passed 79 to 60, with 33 abstentions. And, although we should not be sounding the alarm bells yet, still this resolution indicates a clear move towards a more sovereign based approach for the Internet, which does not create any conditions for collaboration. In fact, sovereignty is the antithesis to collaboration and, this constitutes a problem. The Internet’s past is based on collaboration. Its future also depends on it. Why is all this important? Because, whichever nation manages to crack the sovereignty code, will also determine the Internet we will end up using. Will it be an open and global space based on interoperation and mutual agreement? Or, will it be a closed and fragmented model based on geographical boundaries and cultural relativism. By now, are all exposed to the narrative of how the Internet is no longer a safe place. It is full of bots, misinformation, abuse and violence; it is a space that has been overtaken by terrorists and extremists. The Internet is weaponized to influence elections, undermine democracies and instill fear in its users. That’s the story we are told.
No one can deny the swift change that is taking place in global politics. The “brave new world’ that has emerged is, currently, based on isolation and fear. We have officially entered the politics of fear. How true is this though? How real is fear in the Internet? Arguably, fear is as old as life. It is deeply part of all living organisms that have survived extinction through billions of years of evolution. Its roots go deep in our biological and psychological existence, and it is one of the most intimate feelings we get to experience. Demagogues have always used fear as a means to intimidate their subordinates or enemies, while shepherding the tribe by the leaders. Fear is a very strong tool that can blur humans’ logic and change their behavior. Fear has become part of the Internet experience. Every week there is another data breach, another privacy violation, child abusive content proliferates, questionable forums like 8chan are inreasing and people are constantly bullied for expressing – or not expressing – their opinions. The Internet is a dark place. That’s the only story we get to hear. That’s the story world leaders – democratic and not – tell to justify their attempts to control the Internet and turn it into a centralized and restricted space. This is the global trend. But, is it? The past ten days I have been fortunate to spend some time in New Zealand. What a pleasant surprise it has been. I left the European way of Interneting, a way that is based on distrust, individualism and fear, only to be exposed to the Kiwi way, which is based on trust, collaboration and hope. I, myself, had lost hope that such a way still exists. March 15, 2019 is the date New Zealanders - and the rest of the world - will never forget. A gunman, carrying two semi-automatic weapons, two shotguns and a lever-action firearm opened fire indiscriminately at two mosques in Christchurch during Friday prayer. The first attack was livestreamed on Facebook. It was viewed 200 times during its live broadcast and 4000 times in total before it was removed. According to Facebook, the company was notified about the livestream 12 minutes after the video had ended. Over the 24 hours following the attack, individuals attempted to re-upload the video 1.5 million times. New Zealand had a choice to make: succumb to fear or hang on to hope. And, it chose the latter. Post-Christchurch, the government of New Zealand did not order a shutdown of Internet or its services; it did not rush through legislation that sought to regulate the way companies and users interact in the Internet. Its government did not engage in fear mongering. Instead, led by its Prime Minister, Jacinda Ardern, New Zealand turned to the international community asking for collaboration to address what she considered to be a global issue -- how to deal with extremist and violent content online (what would become the “Christchurch call”). In praising this collaborative approach during my panel intervention at NetHui, New Zealand’s version of an Internet governance dialogue, I was told: “this is the Kiwi way of doing things”. Well, the Kiwi way, is also the Internet way. Bringing people together, to collaborate to solve “wicked problems” and address complex questions has been the “Internet way” all along. Without necessarily realizing it, New Zealand was upholding one of the Internet’s most fundamental properties. During her speech at NetHui, the Prime Minister recognized the challenges the Internet is facing and the slow progress post-Christchurch. Yet again, this did not make her move into panic mode. Instead, she reaffirmed and recommitted to an open, secure and free Internet. She mentioned that she still believes in the ability of the Internet to bring positive change; to be the space of expression and creativity; to be the engine of unstoppable innovation. She said she wanted to do the right thing. Let's not miss the significance of this. Without intending, New Zealand has become the example of how we must all approach the challenges we face in the Internet; it has become the Internet's champion. Sure, there are still things that the Kiwis need to learn about the Internet and understand better the way it works. Sure the “Christchurch call” process has its own deficiencies and issues. But, ultimately, it is all about New Zealand’s willingness not to close, shut down, centralize or try to control the Internet that they must be commended. The ‘kiwi way’ of Interneting must not go unnoticed. It must become a lesson for the rest of the world leaders. |
