Montrose Journal Winter 14
Governing the Web: Regulating the Right to Be Virtual
Until this point the world’s emerging markets have been encouraged and coerced to adopt the norms of the more mature economies, built around a largely Western understanding of governance and institutions, underpinned by the rule of law.
The on-line world may be likened to such an emerging market, offering new opportunities for entrepreneur and established player alike, enjoying rapid expansion accompanied by explosive population growth. The question is: how far can the established conventions of the physical governed space be expected to apply to an environment which is not only global but virtual?
The underlying issue is not the physical versus the on-line, but a challenge to the very assumptions and values on which the existing conventions are based. Economic wealth and military power enabled the West to assert the primacy of its view.
Those same attributes made Western values, in particular the market economy, aspirational. The intervention in Iraq and its aftermath, followed by the global financial crisis, is causing China and others to question why they, now in the ascendant, should be bound by a set of rules and expectations established by those whose tenets are, they would argue, demonstrably flawed?
Nowhere does this apply more than in the context of the internet and its governance. From the Internet Governance Forum of the UN, now in its ninth year, through the London launch in 2011 of the annual International Cyberspace Conference, various attempts have been made to define the rules applying to engagement with, and governance of, the internet. Cooperation between Russia and China in the UN has typically framed the argument in terms of ‘information security’ referring to content that might be politically destabilising or otherwise harmful. The US for its part has favoured ‘cyber security’, which refers specifically to technology that protects computer networks from physical threats or viruses. One further response, led by former Swedish Prime Minister and Foreign Minister Carl Bildt, is the Global Commission on Internet Governance. Established in 2014 ‘to articulate and advance a strategic vision for the future Internet Governance,’ the Global Commission was prompted on the one hand by concerns at the efforts by some authoritarian states to impose greater control over the internet, and on the other by the allegations of NSA whistleblower Edward Snowden relating to government surveillance.
China in turn has now hosted its own first World Internet Conference, under the slogan ‘an interconnected world shared and governed by all’. As a country with 50% of the globe’s internet users, and with its rising economic power and international profile, China would appear in a strong position to set the new internet agenda. Its vision describes a ‘safe, healthy and clean’ internet. While a common understanding of ‘safe’ and ‘clean’ can be easily imagined, a shared definition of ‘healthy’ may not be so readily achieved. Whose health? And according to what benchmarks?
Nailing the Cloud to the ground
Speaking on the 25th anniversary of the world wide web, Internet founder Sir Tim Berners Lee spoke of the need to fight to keep the internet as a platform without central control. Even with its claim to the greatest proportion of users, China is unlikely to achieve a wholesale capture of the system; sitting behind a Great Firewall appears, at present, a different matter from imposing constraints worldwide. Indeed, the countervailing arguments may sit not with the established Western players but with those smaller countries that have been prepared to take the leap and make themselves open to all that the internet has to offer, risk and dividends alike.
But fragility remains. Rather than the risk of sole ownership, the continued understanding of the internet by some governments in terms of national boundaries and control aggravates the likelihood of so-called Balkanisation of the internet.
For its part the EU has undertaken reform of its 1995 data protection legislation, revisions which were first proposed in 2012. Heralded with the bi-lines: ‘protecting your personal data – a fundamental right!’ and ‘the free flow of personal data – a common good!’ the inherent contradictions are readily apparent. And, beneath this EU-wide umbrella, national variations persist. These range from how individuals’ data are controlled and managed, through who might be allowed access to that information under what circumstances.
New rules regarding the ‘right to be forgotten’ in which an individual can ask for irrelevant or erroneous data to be removed (or, more accurately, lie undiscovered) in the course of an on-line search, extend the notion of what it means to be virtual. EU rules apply to any search engine operator that has a branch or subsidiary in a member state that promotes the selling of advertising space offered by the search engine – even if the physical server of the company processing the data is located outside Europe. Yet other governments are keen to ensure tight control over servers built on their territory. To what extent can any one country claim sovereignty in an environment known, perhaps tellingly, as the Cloud?
In the wake of Snowden, the debate has focused on privacy. Yet the greatest differentiator between on-line interaction and conventional social discourse is anonymity. Anonymity enables the circumvention of conventional social constraints, including fear of penalty. In their every-day use of the internet, individuals show themselves willing to consider the on-line lothario as a potential marriage partner, the bogus investment as their key to riches, or the distressed mugging victim in Nigeria as worthy of their bank details, all of them sight unseen.
Conversely, the first inkling of government or corporate interest in that same individual’s personal information, however rudimentary, causes hackles to rise. What data is being collected? To what ends? And what recourse is available in the event that the data is wrong?
Such questions are, of course, legitimate. They mark the difference between a life that is personal and a life that must, at key points, be made visible. They are also a response to institutions that may or may not be regarded as properly accountable regarding their handling of those key points. There is an inevitable discomfort when the Director of GCHQ challenges social networking providers about the potential facility they provide to individuals associated with terrorist groups. Across the Atlantic, the Pentagon has now made public its Cyber Doctrine. But ultimately the issues relating to internet usage are personal and, if not exactly private, certainly intimate to the way in which we conduct our daily as well as business lives.
The data market : unfit for purpose?
While differing styles of government may battle for their own particular concept of internet health, there is an equal if not greater challenge for the individual who will be profoundly affected by whatever decision is reached. With the advent of the so-called Internet of Things, your fridge will be able to work out when you are running short of milk and to place your on-line grocery order; your car will be able to direct itself, with you in it, to your chosen destination; web-enabled garments will nudge the pedestrian left or right towards their chosen destination without the pitfalls of having eyes cast forever downwards at the map app. Each of these capabilities offers its own benefit. With accompanying trade-offs. It is those trade-offs which are currently least understood, in an environment where a globalising population faces only uncertainties regarding global governance of those same capabilities and the data that they generate.
An open internet may not sit comfortably with an autocratic state. If data is indeed a potentially saleable asset, it does not sit well with current norms of a market economy either. In the UK at least the concept of identity and of its ownership remains vague and does not appear as fully attached to the individual as might at first appear.
Currently the data would seem to sit with the registrar rather than with the registered. By law a child must be registered within 42 days of birth; citizenship is conferred in exchange. For the right to leave the country the child, or guardian, must apply for a passport. Once old enough to drive, they must apply for a license, among myriad other interactions, handing over data at every stage. This does not make the obligation a wrong thing – issuance of an NHS number for access to healthcare, and a national insurance number for tax and benefits are automatically plumbed in. There are plans to simplify interactions with government, both central and local, through the introduction of a single on-line registration scheme. But, in exchange for these facilities, people need to trust that governments and corporate data-gatherers will behave responsibly and respectfully with that data.
Various commentators have observed that Generation Y is content to trade personal data in exchange for free music downloads or the latest limited edition chocolate bar, and is aware of the nature of that transaction. Will the same awareness apply when they buy their first app-controlled household lighting system? What data is being collected and how is it likely to be used – and by whom? Conversely, what is the opportunity cost – for society as much as for profit – in failing to harvest the detail which, in aggregate, could provide a valuable resource to improve the way in which we all live?
These issues would appear straightforward for such governments as assume control of power, if not ownership of their citizens. These same questions present a particular challenge for governments in liberal democracies. Indeed, for Western governments, at what point does the temptation arise to demand the tighter regulation and control advocated by rather different regimes – in the name of consumer protection or citizen (ie voter) demand?
Tim Berners-Lee takes the vision one stage further: “I want to build a world in which I’m in control of my own data. As an individual I should have the legal ownership of that data and should be able to sell it when I see fit”. Currently the trade and transaction sits somewhere else entirely.
Who is the real threat?
The on-line community is no different from society at large, in that it comprises individuals with personal codes of morality that range across the spectrum. The possibility of anonymity is a particular opportunity for the criminal, in a system that was designed to be open rather than to be locked down. Poor practices in software design, lack of awareness of information security (effectively the difference between sending a post card or a sealed envelope through the open post, but through many multiples of hands) and the sheer inconvenience of having to remember numerous, increasingly complicated, passwords all conspire in favour of the skilful malefactor. The less skilled can purchase on-line the viruses or other capability they require.
Life for the less skilled criminal is made the easier by the clever user. Much as the very capable citizens of more autocratic countries have found ways to circumvent government efforts to inhibit their views, so the clever employee, wishing to get on with their daily business without the inconvenience of locked-down systems, quickly identifies ways to circumvent the system. Like any shortcut down a dark alley, the user’s loophole is a criminal’s opportunity.
The very fact of the internet as an open global good makes it vulnerable. While much is made of cyber warfare and governments spying on or even mounting attacks against each other, this is by far the smaller part of malicious activity online.
No government, no business, no person is free from the impacts of cyber-crime even if only indirectly. The effects may not be visible but they are deeply corrosive — in much the same way that conventional shoplifters push up prices for everyone. In its recent report cyber security firm McAfee estimated the cost of cyber crime for the global economy to be $445 billion (�226 billion) annually – shoplifting on a massive scale. Their targets are wide-ranging and inevitably focused on the most precious goods: intellectual property; government planning; and personal information.
Even though it will have direct impact on how our lives are lived on-line, there is little public discussion about internet governance because it is boring, technocratic and obscure. There is, however, fervent debate about data because people recognise that ‘data’ is how they – you, me, your partner and children — are increasingly defined. Having long accepted being reduced in statistics into economic units, people are responding differently to a world in which they are regarded as datasets.
The new order and the accompanying debate about closed versus open styles of governance therefore conceals a deeper shift. For Generation X and above, the concept of self as data is at best uncomfortable, at worst provokes hostility. If Berners-Lee’s vision is right, those born in to the computer age, be it in Chigwell or Chongqing, Carolina or Calcutta, will increasingly demand to know why, in the emerging and ever more populous on-line marketplace, there is no clear means to hold their data as their own marketable, and shareable, commodity.
Louisa-Jayne O’Neill is Senior Executive at Montrose Associates. She works closely with the the cyber community through her role with the Information Assurance Advisory Council.