[discuss] Time to be more precise about Internet Governance
John Curran
jcurran at arin.net
Mon Dec 30 16:57:54 UTC 2013
On Dec 29, 2013, at 8:18 PM, Brian E Carpenter <brian.e.carpenter at gmail.com> wrote:
> Hi,
>
> Rather then shooting off further random comments, I decided to write
> up my thoughts in a somewhat coherent way:
>
> https://www.cs.auckland.ac.nz/~brian/CrossBorderInfoGovernance.pdf
Brian -
Thank you for taking the time to provide this summary of your views
(I wish that mine were sufficiently well-formed to allow the same! :-)
I find myself in agreement of many of the points therein, and I will attempt
to identify those below (and ask that you excuse my rough paraphrasing of some
of your points):
> 'Internet governance' is an ambiguous phrase that has led to confused thinking.
I agree with part of the above (ambiguous phrase) but feel that the phrase may
be redeemed if some consideration was given to what exactly should be considered
within scope of "Internet Governance" and what lies outside. Note that there
exists similar phrasing in common use in other fields (those fields that have
significant 'cross-border' implications, for example "Climate Governance",
"Arctic Governance", etc.) It is my assertion that the existence of the phrase
"Internet Governance" is not causal to the confusion, but does much to sustain
the existing confusion due to a lack of a principled basis for its definition
and use. Internet Governance is probably better defined as a subset of the
WSIS definition - "Internet governance is the development and recognition
of globally shared principles and norms applicable to the Internet." We do
desperately need more work in Internet Governance, specifically because we
will not be able to keep the Internet held together unless progress is made.
> There are serious societal issues that result from the existence of a pervasive data network and these issues call for multi-stakeholder debate and governance.
Full agreement on above.
> By contrast, there are mundane issues of technical coordination of Internet technology that function well today and need no new form of governance.
Agreed, but note that the fact that there exists mundane issues of technical
coordination does not preclude there also being _other_ issues of technical
coordination which do need additional consideration of the society implications,
and thus intersect with the realm of "governance". (i.e. I don't believe that
you are trying to argue that all issues of technical coordination are mundane,
if that's the case, we are likely to disagree as I see that many matters of
technical coordination have significant implied societal implications)
> The best way to avoid the present confusion of thought and argument is to use more precise language, to carefully distinguish technological from societal issues, and to focus on the societal issues individually.
Surprisingly, I strongly agree with much of this (noting that the technology sector
should participate, as one of many stakeholders, in the consideration of the societal
issues) Where we likely disagree is that I see far fewer technical matters as being
purely mundane, and believe that there needs to be a common understanding of the
principles by which technical coordination is performed to minimize any coercive
societal impact, whether accidental or intentional.
Also, where you see the need to focus on "societal issues individually", I will note
that such discussions focus on people, organizations, countries, and jurisdictions,
and there is no reason for folks to have such discussions with respect to Internet
issues because all they have to work with is IP addresses, networks, and DNS names.
> There are a long list of matters (consumer protection ... unwanted surveillance) where legal and regulatory governance, as well as steps to educate and protect the public, are appropriate.
Also agreed.
> Technological issues – how data packets are formatted, how Internet nodes are named and addressed, how images and human-readable characters are encoded, how hypertext messages are constructed, and even which cryptographic algorithms are used, just to name a few items – need technical principles, standards, administration, and operational arrangements.
Agreed.
> To allow smooth network operations, these mundane matters need to be agreed on an open global basis, with a broad technical consensus among manufacturers, operators, and user groups. These are not matters for which the word 'governance' is helpful. An appropriate phrase is 'technical coordination'. This coordination has been in place since the 1980s. It spread long ago to be world-wide and it works well.
Agreed, but only to the extent that such technical coordination matters truly
are "mundane". In the ideal world, these decisions (much like the decisions
done in any segment of industry) would be done based on coordination which
allows the continued growth of evolution of the Internet industry, while
meeting the needs of all concerned (manufacturers, operators, users, etc.)
(Some may object to the phrase "Internet industry", but it is the phase which
appears to be most applicable given that it takes quite a bit of economic
enterprise to build and maintain today's Internet.)
In general, I believe that industries should be open, transparent, and inclusive
in their discussions (to allow confirmation of no anti-competitive behavior), but
otherwise left to their own devices. A group of vendors that develop a new type
of technology (whether it be new interconnection technology, a new device plug
and socket, or new type of storage media) should be free to coordinate, encourage
others to adopt, and reap the rewards or risk failure of the marketplace. That
is an approach that is known to work, allows innovation, and allows the user
community enormous say in what happens based on their buying decisions.
The problem is that this approach now actually fails when it comes to the Internet
Protocol (IP) technology itself due to the most ironic of all reasons: its success.
While it is true that customers can choose different service providers, and decide
which connection technology to use, the fact is that they ultimately have to agree
to use IP standards and related coordination (such as uniqueness from the Internet
registry system) in order to participate in the Internet. There is no "choice" if
one wants to participate, you have to effectively "take it or leave it". Aside
from specious arguments that "they can always create their own alternative", the
fact of the matter is that the technical coordination done with respect to the
Internet Protocol results in mandatory implications on those who wish to be part
of the Internet, and there is an imperative to participate in the Internet today
due to its dramatic social and economic impact.
For example, if the only option for IPv6 autoconfiguration is to have a publicly
visible IP address which imbeds your unique hardware address into it, then IPv6-
based use of Internet results in some very challenging privacy issues. Now, it is
true that the folks working in the IETF are not operating in a vacuum, and realized
this potential issue and created an solid alternative, but it is clear that this
otherwise "mundane" technological issue of protocol standardization had the potential
for posing a serious societal issue and crossing readily into the land of "governance"
Going in the other direction, the recent IETF discussion regarding pervasive
surveillance appears heading towards recognizing that a consensus exists within
the IETF that such activities are "a technical attack that should be mitigated
in the design of IETF protocols, where possible." This not an governance-neutral
outcome (e.g. to the extent that RFC 2804/Raven could have been considered to
be agnostic with respect considering governance-based technology requirements),
but it likely the correct outcome in light of developing global consensus on
such matters. It would be helpful if the IETF were able to formally reference
some sort of global recognition of right to privacy against arbitrary or unlawful
surveillance, as that would make the perpass decision a more mundane technical
coordination activity rather than an IETF consensus decision on a topic which
clearly has societal implications.
i.e. I agree that many technical matters are mundane and relatively free from
governance-implications, but the success of the Internet does effectively limit
choice in alternatives, and creates a circumstance in which results could be seen
as coercive with respect to any social values embedded in the protocols or
processes necessary for their use. This isn't a problem where the underlying
principle is based on areas of very broad regional or global consensus (e.g. in
regional address policy development there is now nearly reflexive attention to
privacy of personally identifiable information due to data privacy directives),
but if you truly want to keep "technical coordination" to be mundane and free
of serious societal issues, care is needed not to get too far ahead of globally
recognized rights, standards and norms.
> A corollary of this is that ICANN has little or nothing to do with governance. ICANN administers technical resources, in coordination with other technical organisations – an important job, but a different job from governance.4 (ICANN itself needs good corporate governance, but that is another discussion entirely.)
>
> Societal issues – what is considered appropriate or inappropriate use of the network, what counts as criminal use, what counts as invasion of privacy, what consumer protection is needed, economic impact, again just to name a few items – need societal principles, rules and so on. These are matters where, although there is considerable cross-border impact, we can expect every country to make its own rules. These are indeed matters of governance. But they are not governance of the Internet. They are governance of, say, pornography, child protection, fraud, personal or commercial privacy, truth in advertising, anti-trust law, etc. The primary resolution of these matters will mainly be national. Some matters certainly need to be discussed between many stakeholders; the issues cross borders when data cross borders, and so multi-stakeholder agreements will be needed.
The societal issues are not simply "cross border"; they occur at many levels
of a complicated hierarchy of governance (e.g. town, county, state, federal;
city, region, state, union; etc.)
I agree that the issues are not matters of "Internet governance" per se; they
are simply governance matters. There are already well-established mechanisms
for handling such governance matters in the real-world; the dynamic that the
Internet adds is that parties that never before had interactions with one
another may suddenly find themselves in dispute and operating in two entirely
different governance realms. In the US, there's very clear rules for how and
when a matter is a state or federal matter, and how to determine the appropriate
venue between two states, but none of the that is applicable when the other
party is halfway across the globe and potentially in an entirely different
legal framework. The existing governance structures completely lack ability
to deal with such, and the ubiquitous nature of the Internet means that any
solutions generally must be done locally, and are quite limited based on whatever
tools are available in the Internet's single technological framework. Hence,
what is included in that framework can have significant societal implications.
> - A good example is the recent commotion in Britain about Web content filters. Their technical aspect is relatively unimportant. The transparent (unencrypted) nature of user requests to connect to a web site means that several techniques could be used to block requests for sites that are disliked by some people. Is this a good thing or a bad thing? This has nothing to do with Internet technology and everything to do with social attitudes and social constructs (political, religious or legal as the case may be). Whether it is good or bad for parents to be able to prevent children from getting certain information is a matter of opinion. The opinion may vary between families and between the members of each individual family. It will certainly vary between cultures and countries, and it will certainly vary across generations. It is not a technical matter.
Excellent example. If a country wished to do the same thing at a country-wide
level, and asked for assistance by including a standardized DNS identifier space
that would be used for all such websites, that would clearly be a governance
question (i.e. its not technical, as the DNS protocol can support that today)
This was a question which effectively was discussed within ICANN, thus raising
the confluence of present technical coordination entities with "governance"
(particularly when the response indicates that blocking DNS won't work...)
Similarly, if there were a technical request to the IETF to add a standard field
to all email which indicated whether it was "unsolicited and/or commercial", the
discussion on whether to include such would have significant social implications
I can't imagine that the decision with the IETF to proceed within the IETF would
be purely on technical basis (even though any mandatory use of such a field would
obviously require governance discussions outside of the IETF...)
> It's confusing, because the way in which societal issues arise has been changed by the use of the Internet. At one point in Western history, the argument was about whether the general population should be allowed to read the Bible for themselves. For more recent generations, the argument was about where dirty magazines or sex manuals were displayed in a shop. Today, the corresponding argument is about who controls the content filters. But it isn't the Internet in itself that needs governance, it's each individual issue. When we recognise this, and we remember that technological coordination isn't governance, we discover that, at its heart, the phrase 'Internet governance' is uninformative.
>
> A point that's often missed is that the societal problems we see are not a consequence of the specific technology of the Internet: spam is not caused by the details of the Simple Mail Transfer Protocol; surveillance is not caused by the details of the Internet Protocol or the Transmission Control Protocol; pornography is not caused by the details of the HyperText Transfer Protocol. The problems are intrinsic to any open data network enabled by cheap computing power and cheap telecommunications. They cannot be fixed by twiddling with protocols. As the Snowden revelations have shown, for example, surveillance is not prevented by encryption.
As noted above, the phrase "Internet governance" is quite vague in its present usage;
effectively, it is used today for discussion of any topics which have the potential to
create governance implications due to parties interacting over the Internet. When those
topics are discussed at the IETF (e.g. RFC 2804, perpass), W3C (privacy/DNT/cookies), or
ICANN (.xxx, geographic TLDs), then they are going to be labelled as Internet governance
discussions simply because their outcome has society and economic impact, and they are
taking place outside of the classic intergovernmental frameworks.
If you are saying that these topics will be discussed entirely based on their technical
merits, and create no societal or economic implications to parties using the Internet
aside from those recognized in as globally acceptable rights, standards, and norms,
then perhaps such discussion would indeed be "mundane technical coordination."
If you want such discussions of their social implications to take place entirely within
topic-specific contexts, e.g. spam within international fora regarding direct ads and
consumer choice, then there has to be mechanisms so that outcome from those forums can
actually be relevant to Internet operations and usage.
> An analogy worth thinking about is with the road system. We have traffic regulations, many of which are virtually identical in every country, to directly protect lives and property on the roads. We have engineering standards to ensure that cars and roads are as safe as possible. But we don't consider that customs and immigration rules, laws against bank robbery, or laws about any other activity that may incidentally make use of the roads, constitute 'Road governance'. We have learned to clearly distinguish the road system from the uses society makes of it. We need to learn how to do this for the Internet.
When cars can fly at 2000 miles per hour and thus create airspace and safety issues
between entities of different nations thousands of times per hour, I think that there
may be quite a bit of global "Airspace Governance" discussions, including implications
on vehicle safety, inspections, immigration controls, customs issues, criminal flight
risk, operation under the influence, and dozens of other topics which previously were
previously discussed within the context of a single country and how it should best
establish its own rules... I'd love it if our "cross-border" approach of the last
dozen centuries can adapt just fine to the realities of the Internet, but that's
proving not to be the case.
> At the moment, discussing 'Internet governance' has practically become a profession in itself. There is indeed a need for multi-stakeholder debate about cross-border information issues, but they should no longer be lumped together under a single phrase. Discuss 'cross- border surveillance' or 'cross-border fraud' or 'cross-border pornography' or whatever the real topic is. That might get somewhere.
If there were uniform attribution of parties involved in activities the Internet,
and a framework for discussion of mismatched expectation between parties, then
what you suggest above might be possible. The mechanisms that are used to address
these matters in a single country (e.g. intellectual property enforcement, fraud,
cybercrime, "pornography") can't be deployed against anonymous parties in other
countries (and that presumes that such activities are even criminal in the other
jurisdictions.)
If a party has no way to address their grievances [occurring over the Internet]
via a meaningful cross jurisdictional legal process, then they have no recourse.
When Governments are put in this situation, then naturally begin to look at other
means for addressing their concerns (e.g. ICANN and the DNS)
Since we lack a global framework for attribution of parties and for discussion
of mismatched expectation between parties, there isn't a lot of desire for having
issue-specific discussions outside of the Internet context... (i.e. why meet and
agree that extortion is a crime even over the Internet, when it doesn't help you
in the least with enforcement since you want to pursue people or organizations
and all you have is a domain name which content-free registration?)
> Discussing 'Internet governance' will continue to go nowhere fast. Worse, it will allow those who really don't want to discuss cross-border surveillance to obfuscate the issue. It also puts the Internet's highly successful technical coordination at risk of interference caused by confused thinking.
If the Internet's highly successful coordination can be put at risk in this manner,
then I'd suggest taking positions are socially agnostic, or waiting until there are
clear statements of global principles and norms from true governance entities on
which to base actions that would otherwise enshrine specific social/human/economic
values. If the Internet technical community is going to independently make decisions
or set direction which effectively creates mandatory societal or economic implications,
then it is only fair that it enjoy ample views from any and all interested parties
(and I would suggest calling such as simply "input" rather than "confused thinking")
> My personal suggestion to the IGF and to those upset by recent revelations about widespread surveillance, by cross-border fraud, etc., is simple: change the dialogue. Redefine the topic as 'cross-border information governance', unhook the debate from technological details, and focus on identifying the cross-border and multi-stakeholder consensus needed on each societal issue. The first step is to identify the specific societal issues and characterise the problems that they raise, without reference to specific technology. There is a preliminary list in the first paragraph of this document.
>
> The Internet technical community has a part to play, but it is a secondary part and should not be driving the primary multi-stakeholder debate, which should be about society and information, not about technology. Nevertheless, the set of technological issues requiring coordination between the technical community and other stakeholders, including government bodies, should also be identified, and clearly labelled as 'technical coordination', quite separate from the societal issues that truly require governance.
To the extent that Internet technical coordination can truly be agnostic with respect
to societal values (or based upon widely accepted or global statements of rights,
standards and norms), then I believe that keeping technical coordination separate
from the societal issues that require governance is indeed possible.
Unfortunately, we don't have much widespread recognition of globally shared social
principles and norms applicable to the Internet, so governments increasingly look
to the technical coordination tasks as a means for accomplishing their public policy
objectives.
FYI,
/John
Disclaimer: My views alone.
More information about the discuss
mailing list