My interest in Internet governance has grown and evolved over the past few years. Motivated by frustration with reactive security practices, it has led to the realization that if we want to change the game, we need to change the rules.
Once I dug into the issues, I realized the concept has many dimensions and requires definition. Fortunately, the Internet Governance Project (IGP) from the Georgia Tech School of Public Policy gives us one: “Internet governance refers to the rules, policies, standards, and practices that coordinate and shape global cyberspace”.
When we consider this definition, it is clear that Internet governance is not just laws. It is not just privacy. It is an ecosystem with participants that respond to forces and each other. The Contract for the Web by Tim Berners-Lee provides an authoritative enumeration of the problem and a call to action for all stakeholders.
Before diving into our cyber-specific concerns, let’s expand our perspective with lessons from the automotive industry. In the 1960s, Ralph Nader, a consumer activist, started a consumer movement on automotive safety. The movement started as product safety for the Chevrolet Corvair. Over decades it spawned sweeping state, national and international regulations on issues like seat belts and safety bags. It resulted in billions of dollars of legal settlements. It gave rise to new companies that developed technical solutions and remedies.
We’re not trying to be a consumer movement. We’re not a think tank. And we’re not trying to build a database of state, national and international laws. Rather, our aim is to illuminate, with relevant data, issues on which we have some insight, for the purpose of informing policymakers. We’re just one link in a chain. So, with that, here’s a list of four issues we plan to follow.
NGO (Non-Governmental Organization) Authorities
The NGO category encompasses the non-governmental and international organizations with responsibility for setting policy and enforcement on issues that affect Internet standards, operations and security. At the top of this category is ICANN (Internet Corporation for Assigned Names and Numbers). ICANN is effectively responsible for oversight of the critical systems described in Internet Mechanics™: DNS, BGP (delegated to ICANN subsidiary IANA) and Whois. The dire state of Internet security is a reflection of ICANN’s ineffectiveness. In our opinion, the fundamental issue is not just that ICANN is lax, but rather that it is a source of insecurity. This is evident in the problem of malicious new domain registrations, as previously referenced by Vixie, who noted conflicts of interest with ICANN’s business model and oversight of Domain Registries and Registrars. ICANN’s unresponsiveness to law enforcement stakeholders regarding Whois raises the specter of government regulation.
Splinternet
The early ‘utopian’ days of one free and open global Internet under US influence are long gone. Censorship is ascendant. The Internet has splintered into a group of national Internets. China, Russia, Iran and India are just 4 of 50 countries that have passed laws in recent years to gain greater control over how their people use the web, according to The New York Times.
Privacy
Privacy is an overarching issue affecting individuals, companies and governments, each in different ways. For individuals, the issues are loss of privacy, loss of freedom, and censorship. For companies, the issue is compliance: keeping up with a complex array of state and national laws. For countries, it is passing legislation to protect their citizens, enable law enforcement and, ultimately, protect their national interests. These are competing interests, and each interest has arguments with merit. The magnitude of the problem is measured in the billions of dollars in fines being assessed and the hundreds of millions of dollars in new venture funding being raised by start-ups developing solutions for privacy and international regulatory compliance.
Platforms, Hosters, ISPs
One consequence of the many proposed state and federal legislative initiatives is that the cost burden of security may be shifted from the users to platform providers, hosting companies and ISPs. Providers may be forced to be more proactive and assertive in managing exposures, vulnerabilities, and threats on their networks. Akamai makes this point in regard to phishing.