[discuss] Time to be more precise about Internet Governance

[John Curran]

On Dec 29, 2013, at 8:18 PM, Brian E Carpenter <brian.e.carpenter at gmail.com> wrote:

> Hi,
> 
> Rather then shooting off further random comments, I decided to write
> up my thoughts in a somewhat coherent way:
> 
> https://www.cs.auckland.ac.nz/~brian/CrossBorderInfoGovernance.pdf

Brian - 
 
  Thank you for taking the time to provide this summary of your views
  (I wish that mine were sufficiently well-formed to allow the same! :-)

  I find myself in agreement of many of the points therein, and I will attempt 
  to identify those below (and ask that you excuse my rough paraphrasing of some
  of your points):
 
> 'Internet governance' is an ambiguous phrase that has led to confused thinking. 

  I agree with part of the above (ambiguous phrase) but feel that the phrase may 
  be redeemed if some consideration was given to what exactly should be considered
  within scope of "Internet Governance" and what lies outside.  Note that there 
  exists similar phrasing in common use in other fields (those fields that have 
  significant 'cross-border' implications, for example "Climate Governance", 
  "Arctic Governance", etc.)  It is my assertion that the existence of the phrase
  "Internet Governance" is not causal to the confusion, but does much to sustain 
  the existing confusion due to a lack of a principled basis for its definition
  and use.  Internet Governance is probably better defined as a subset of the
  WSIS definition - "Internet governance is the development and recognition
  of globally shared principles and norms applicable to the Internet."  We do
  desperately need more work in Internet Governance, specifically because we 
  will not be able to keep the Internet held together unless progress is made.

> There are serious societal issues that result from the existence of a pervasive data network and these issues call for multi-stakeholder debate and governance. 


  Full agreement on above.

> By contrast, there are mundane issues of technical coordination of Internet technology that function well today and need no new form of governance.

  Agreed, but note that the fact that there exists mundane issues of technical 
  coordination does not preclude there also being _other_ issues of technical 
  coordination which do need additional consideration of the society implications,
  and thus intersect with the realm of "governance". (i.e. I don't believe that 
  you are trying to argue that all issues of technical coordination are mundane, 
  if that's the case, we are likely to disagree as I see that many matters of 
  technical coordination have significant implied societal implications)

> The best way to avoid the present confusion of thought and argument is to use more precise language, to carefully distinguish technological from societal issues, and to focus on the societal issues individually.


  Surprisingly, I strongly agree with much of this (noting that the technology sector 
  should participate, as one of many stakeholders, in the consideration of the societal 
  issues)  Where we likely disagree is that I see far fewer technical matters as being 
  purely mundane, and believe that there needs to be a common understanding of the 
  principles by which technical coordination is performed to minimize any coercive 
  societal impact, whether accidental or intentional.

  Also, where you see the need to focus on "societal issues individually", I will note
  that such discussions focus on people, organizations, countries, and jurisdictions, 
  and there is no reason for folks to have such discussions with respect to Internet
  issues because all they have to work with is IP addresses, networks, and DNS names.

> There are a long list of matters (consumer protection ... unwanted surveillance) where legal and regulatory governance, as well as steps to educate and protect the public, are appropriate.

  Also agreed.

> Technological issues – how data packets are formatted, how Internet nodes are named and addressed, how images and human-readable characters are encoded, how hypertext messages are constructed, and even which cryptographic algorithms are used, just to name a few items – need technical principles, standards, administration, and operational arrangements.

  Agreed.

> To allow smooth network operations, these mundane matters need to be agreed on an open global basis, with a broad technical consensus among manufacturers, operators, and user groups. These are not matters for which the word 'governance' is helpful. An appropriate phrase is 'technical coordination'. This coordination has been in place since the 1980s. It spread long ago to be world-wide and it works well.

  Agreed, but only to the extent that such technical coordination matters truly 
  are "mundane".   In the ideal world, these decisions (much like the decisions
  done in any segment of industry) would be done based on coordination which 
  allows the continued growth of evolution of the Internet industry, while 
  meeting the needs of all concerned (manufacturers, operators, users, etc.)
  (Some may object to the phrase "Internet industry", but it is the phase which
  appears to be most applicable given that it takes quite a bit of economic  
  enterprise to build and maintain today's Internet.)

  In general, I believe that industries should be open, transparent, and inclusive
  in their discussions (to allow confirmation of no anti-competitive behavior), but
  otherwise left to their own devices.  A group of vendors that develop a new type
  of technology (whether it be new interconnection technology, a new device plug
  and socket, or new type of storage media) should be free to coordinate, encourage
  others to adopt, and reap the rewards or risk failure of the marketplace.  That 
  is an approach that is known to work, allows innovation, and allows the user 
  community enormous say in what happens based on their buying decisions. 

  The problem is that this approach now actually fails when it comes to the Internet 
  Protocol (IP) technology itself due to the most ironic of all reasons: its success.
  While it is true that customers can choose different service providers, and decide
  which connection technology to use, the fact is that they ultimately have to agree
  to use IP standards and related coordination (such as uniqueness from the Internet
  registry system) in order to participate in the Internet.  There is no "choice" if
  one wants to participate, you have to effectively "take it or leave it".  Aside 
  from specious arguments that "they can always create their own alternative",  the
  fact of the matter is that the technical coordination done with respect to the 
  Internet Protocol results in mandatory implications on those who wish to be part
  of the Internet, and there is an imperative to participate in the Internet today 
  due to its dramatic social and economic impact.

  For example, if the only option for IPv6 autoconfiguration is to have a publicly
  visible IP address which imbeds your unique hardware address into it, then IPv6-
  based use of Internet results in some very challenging privacy issues. Now, it is 
  true that the folks working in the IETF are not operating in a vacuum, and realized 
  this potential issue and created an solid alternative, but it is clear that this 
  otherwise "mundane" technological issue of protocol standardization had the potential 
  for posing a serious societal issue and crossing readily into the land of "governance"

  Going in the other direction, the recent IETF discussion regarding pervasive 
  surveillance appears heading towards recognizing that a consensus exists within
  the IETF that such activities are "a technical attack that should be mitigated 
  in the design of IETF protocols, where possible."  This not an governance-neutral
  outcome (e.g. to the extent that RFC 2804/Raven could have been considered to
  be agnostic with respect considering governance-based technology requirements),
  but it likely the correct outcome in light of developing global consensus on 
  such matters.  It would be helpful if the IETF were able to formally reference 
  some sort of global recognition of right to privacy against arbitrary or unlawful  
  surveillance, as that would make the perpass decision a more mundane technical 
  coordination activity rather than an IETF consensus decision on a topic which
  clearly has societal implications.

  i.e. I agree that many technical matters are mundane and relatively free from 
  governance-implications, but the success of the Internet does effectively limit
  choice in alternatives, and creates a circumstance in which results could be seen
  as coercive with respect to any social values embedded in the protocols or 
  processes necessary for their use.  This isn't a problem where the underlying
  principle is based on areas of very broad regional or global consensus (e.g. in
  regional address policy development there is now nearly reflexive attention to 
  privacy of personally identifiable information due to data privacy directives),
  but if you truly want to keep "technical coordination" to be mundane and free 
  of serious societal issues, care is needed not to get too far ahead of globally 
  recognized rights, standards and norms.

> A corollary of this is that ICANN has little or nothing to do with governance. ICANN administers technical resources, in coordination with other technical organisations – an important job, but a different job from governance.4 (ICANN itself needs good corporate governance, but that is another discussion entirely.)

>   

> Societal issues – what is considered appropriate or inappropriate use of the network, what counts as criminal use, what counts as invasion of privacy, what consumer protection is needed, economic impact, again just to name a few items – need societal principles, rules and so on. These are matters where, although there is considerable cross-border impact, we can expect every country to make its own rules. These are indeed matters of governance. But they are not governance of the Internet. They are governance of, say, pornography, child protection, fraud, personal or commercial privacy, truth in advertising, anti-trust law, etc. The primary resolution of these matters will mainly be national. Some matters certainly need to be discussed between many stakeholders; the issues cross borders when data cross borders, and so multi-stakeholder agreements will be needed.

  The societal issues are not simply "cross border"; they occur at many levels
  of a complicated hierarchy of governance (e.g. town, county, state, federal;
  city, region, state, union; etc.) 

  I agree that the issues are not matters of "Internet governance" per se; they
  are simply governance matters.  There are already well-established mechanisms
  for handling such governance matters in the real-world; the dynamic that the
  Internet adds is that parties that never before had interactions with one 
  another may suddenly find themselves in dispute and operating in two entirely
  different governance realms.  In the US, there's very clear rules for how and
  when a matter is a state or federal matter, and how to determine the appropriate
  venue between two states, but none of the that is applicable when the other 
  party is halfway across the globe and potentially in an entirely different 
  legal framework.  The existing governance structures completely lack ability 
  to deal with such, and the ubiquitous nature of the Internet means that any
  solutions generally must be done locally, and are quite limited based on whatever
  tools are available in the Internet's single technological framework.  Hence, 
  what is included in that framework can have significant societal implications.

> - A good example is the recent commotion in Britain about Web content filters. Their technical aspect is relatively unimportant. The transparent (unencrypted) nature of user requests to connect to a web site means that several techniques could be used to block requests for sites that are disliked by some people. Is this a good thing or a bad thing? This has nothing to do with Internet technology and everything to do with social attitudes and social constructs (political, religious or legal as the case may be). Whether it is good or bad for parents to be able to prevent children from getting certain information is a matter of opinion. The opinion may vary between families and between the members of each individual family. It will certainly vary between cultures and countries, and it will certainly vary across generations. It is not a technical matter. 

  Excellent example.  If a country wished to do the same thing at a country-wide
  level, and asked for assistance by including a standardized DNS identifier space
  that would be used for all such websites, that would clearly be a governance 
  question (i.e. its not technical, as the DNS protocol can support that today)
  This was a question which effectively was discussed within ICANN, thus raising
  the confluence of present technical coordination entities with "governance"
  (particularly when the response indicates that blocking DNS won't work...)
 
  Similarly, if there were a technical request to the IETF to add a standard field
  to all email which indicated whether it was "unsolicited and/or commercial", the
  discussion on whether to include such would have significant social implications
  I can't imagine that the decision with the IETF to proceed within the IETF would 
  be purely on technical basis (even though any mandatory use of such a field would 
  obviously require governance discussions outside of the IETF...)

> It's confusing, because the way in which societal issues arise has been changed by the use of the Internet. At one point in Western history, the argument was about whether the general population should be allowed to read the Bible for themselves. For more recent generations, the argument was about where dirty magazines or sex manuals were displayed in a shop. Today, the corresponding argument is about who controls the content filters. But it isn't the Internet in itself that needs governance, it's each individual issue. When we recognise this, and we remember that technological coordination isn't governance, we discover that, at its heart, the phrase 'Internet governance' is uninformative.
> 
> A point that's often missed is that the societal problems we see are not a consequence of the specific technology of the Internet: spam is not caused by the details of the Simple Mail Transfer Protocol; surveillance is not caused by the details of the Internet Protocol or the Transmission Control Protocol; pornography is not caused by the details of the HyperText Transfer Protocol. The problems are intrinsic to any open data network enabled by cheap computing power and cheap telecommunications. They cannot be fixed by twiddling with protocols. As the Snowden revelations have shown, for example, surveillance is not prevented by encryption.

 As noted above, the phrase "Internet governance" is quite vague in its present usage; 
 effectively, it is used today for discussion of any topics which have the potential to 
 create governance implications due to parties interacting over the Internet.  When those 
 topics are discussed at the IETF (e.g. RFC 2804, perpass), W3C (privacy/DNT/cookies), or 
 ICANN (.xxx, geographic TLDs), then they are going to be labelled as Internet governance 
 discussions simply because their outcome has society and economic impact, and they are 
 taking place outside of the classic intergovernmental frameworks.  

 If you are saying that these topics will be discussed entirely based on their technical
 merits, and create no societal or economic implications to parties using the Internet 
 aside from those recognized in as globally acceptable rights, standards, and norms,
 then perhaps such discussion would indeed be "mundane technical coordination."  

 If you want such discussions of their social implications to take place entirely within 
 topic-specific contexts, e.g. spam within international fora regarding direct ads and
 consumer choice, then there has to be mechanisms so that outcome from those forums can
 actually be relevant to Internet operations and usage.

> An analogy worth thinking about is with the road system. We have traffic regulations, many of which are virtually identical in every country, to directly protect lives and property on the roads. We have engineering standards to ensure that cars and roads are as safe as possible. But we don't consider that customs and immigration rules, laws against bank robbery, or laws about any other activity that may incidentally make use of the roads, constitute 'Road governance'. We have learned to clearly distinguish the road system from the uses society makes of it. We need to learn how to do this for the Internet.

 When cars can fly at 2000 miles per hour and thus create airspace and safety issues 
 between entities of different nations thousands of times per hour, I think that there
 may be quite a bit of global "Airspace Governance" discussions, including implications
 on vehicle safety, inspections, immigration controls, customs issues, criminal flight 
 risk, operation under the influence, and dozens of other topics which previously were 
 previously discussed within the context of a single country and how it should best 
 establish its own rules...   I'd love it if our "cross-border" approach of the last
 dozen centuries can adapt just fine to the realities of the Internet, but that's 
 proving not to be the case.

> At the moment, discussing 'Internet governance' has practically become a profession in itself. There is indeed a need for multi-stakeholder debate about cross-border information issues, but they should no longer be lumped together under a single phrase. Discuss 'cross- border surveillance' or 'cross-border fraud' or 'cross-border pornography' or whatever the real topic is. That might get somewhere. 


 If there were uniform attribution of parties involved in activities the Internet,
 and a framework for discussion of mismatched expectation between parties, then 
 what you suggest above might be possible.  The mechanisms that are used to address
 these matters in a single country (e.g. intellectual property enforcement, fraud,
 cybercrime, "pornography") can't be deployed against anonymous parties in other
 countries (and that presumes that such activities are even criminal in the other
 jurisdictions.)
 If a party has no way to address their grievances [occurring over the Internet] 
 via a meaningful cross jurisdictional legal process, then they have no recourse.
 When Governments are put in this situation, then naturally begin to look at other 
 means for addressing their concerns (e.g. ICANN and the DNS)
 
 Since we lack a global framework for attribution of parties and for discussion 
 of mismatched expectation between parties, there isn't a lot of desire for having
 issue-specific discussions outside of the Internet context... (i.e. why meet and
 agree that extortion is a crime even over the Internet, when it doesn't help you
 in the least with enforcement since you want to pursue people or organizations 
 and all you have is a domain name which content-free registration?)

> Discussing 'Internet governance' will continue to go nowhere fast. Worse, it will allow those who really don't want to discuss cross-border surveillance to obfuscate the issue. It also puts the Internet's highly successful technical coordination at risk of interference caused by confused thinking.

 If the Internet's highly successful coordination can be put at risk in this manner,
 then I'd suggest taking positions are socially agnostic, or waiting until there are 
 clear statements of global principles and norms from true governance entities on 
 which to base actions that would otherwise enshrine specific social/human/economic 
 values.  If the Internet technical community is going to independently make decisions 
 or set direction which effectively creates mandatory societal or economic implications, 
 then it is only fair that it enjoy ample views from any and all interested parties 
 (and I would suggest calling such as simply "input" rather than "confused thinking")

> My personal suggestion to the IGF and to those upset by recent revelations about widespread surveillance, by cross-border fraud, etc., is simple: change the dialogue. Redefine the topic as 'cross-border information governance', unhook the debate from technological details, and focus on identifying the cross-border and multi-stakeholder consensus needed on each societal issue. The first step is to identify the specific societal issues and characterise the problems that they raise, without reference to specific technology. There is a preliminary list in the first paragraph of this document.
> 
> The Internet technical community has a part to play, but it is a secondary part and should not be driving the primary multi-stakeholder debate, which should be about society and information, not about technology. Nevertheless, the set of technological issues requiring coordination between the technical community and other stakeholders, including government bodies, should also be identified, and clearly labelled as 'technical coordination', quite separate from the societal issues that truly require governance.

 To the extent that Internet technical coordination can truly be agnostic with respect
 to societal values (or based upon widely accepted or global statements of rights,
 standards and norms), then I believe that keeping technical coordination separate 
 from the societal issues that require governance is indeed possible.

 Unfortunately, we don't have much widespread recognition of globally shared social
 principles and norms applicable to the Internet, so governments increasingly look 
 to the technical coordination tasks as a means for accomplishing their public policy 
 objectives.
 
FYI,
/John

Disclaimer: My views alone.