Notes for a speech at a conference of
The Canadian Institute, "The Internet and Online Services:
Exploring the Legal Implications of Doing Business Electronically"
(based on "Controlling the Uncontrollable: Regulating the Internet")
Dov Wisebrod, March 1995
Thank you... The plan for the next hour is that for about two-thirds of it, I will speak. Professor Janisch will respond to my comments with his own. And then we can answer questions, and hopefully have some discussion, about the issues.
The Internet makes many people very nervous.
For example, two weeks ago, a Toronto radio station had a short talk show about the Internet. The guest said that it couldn't be regulated. I called up and agreed with him. But the host of the show couldn't accept this. We were talking about a person standing on a street corner spreading a hateful message.
"The person standing on the corner," she said, "would be charged with hate. If the police came along and thought that his material was violating Canada's hate laws, that person would be charged on the spot. Why," she asked me, "should the Internet be any different?"
It is an excellent question. Why should the Internet be any different? That's the question I'm going to talk about, but it's also the question I'm not going to answer. I'm not going to answer it for one simple reason. It's not relevant.
The question of whether the Internet should, or should not, be different than a person on a street corner, cannot be answered unless there's a way to regulate the Internet just like there is the person on the corner. And the answer to that question, whether the Internet can be regulated, is "no."
That's why the Internet makes a lot of people very nervous. Because it can't be effectively, and efficiently, controlled.
The reason it can't be controlled is that it's a sort of anarchy. Albeit a very strange sort of anarchy. For one thing, the Internet is anarchy by design. And for another, it is a co-operative anarchy that really works.
Bruce Sterling, a pre-eminent cyberpunk author and Internet guru, wrote that "The Internet is a rare example of a true, modern, functional, anarchy." Rare? Yes, it's probably unique. True and modern? Of course (the thing does exist). But functional? Yes, as well, mainly because it is co-operative, as we'll see later. And anarchy? Surprisingly, the Internet was designed that way from its beginning, in the 1960s.
The precursor of the Internet was meant to survive nuclear attack. It was, basically, supposed to be the telecommunications equivalent of the cockroach. You kill one of the insects, and there are always more hiding in the cupboard. The network was designed so that if one computer node was destroyed, the others could still function adequately.
The strategy chosen was decentralization. The communications network had no hub, so the network couldn't be crippled by a single bomb destroying the central station. There was no central station.
Communication over the network was by a protocol that has since evolved into TCP/IP, or Transmission Control Protocol and Internet Protocol. The Protocol ensures the decentralized nature of the network.
I won't go into detail about its operation, but suffice it to say that it was built with such tremendous capacity for connectivity and communication, that it was hard to stop people from barging in and linking up.
The ease of linking up meant open access, and if anyone could join you quickly got anarchy. Open access and anarchy. These two elements are integral to the Internet, and it is crucial for potential regulators to recognize their effects.
One primary effect, which you couldn't avoid hearing about, even if you hadn't seen last week's Newsweek, is explosive growth. Right now, there are about 5 million computer nodes on the Internet.
In 1994, traffic over the American "backbone" of the Internet, the NSFNet, rose 115%. But that's only the American backbone, right? There's no way of knowing what's going on elsewhere, because, after all, we're talking about anarchy. As Sterling put it, there is no "Internet Inc." In fact, since the backbone itself is in the process of transferring over to a new network, 115% may not even be right for the U.S.
Another effect of combining open access, anarchy, and computer-mediated communication is an emergent culture. Consider Usenet. It is the Internet's bulletin board system. But it's not quite your average cork-and-thumbtack design. Usenet is comprised of well over 10,000 highly specialized newsgroups. Last I checked, I had access to nearly 12,000.
The content of the newsgroups makes the culture very clear. Usenet has its own lexicon, its own etiquette, its own customs and traditions, and even its own art form—the ASCII signature. The culture also includes an emergent co-operation, thus creating a unique co-operative anarchy. This is crucial to the operation of Usenet, because the seeming order of Usenet newsgroups, in the form of a hierarchy, is deceptive.
For example, rules for the creation of newsgroups don't exist. What if something possessed me to create a newsgroup called alt.fan.budget95? I'd have to convince system administrators to carry the new group. There's no higher authority to petition if they refuse—only the users of the Internet.
There are guidelines to help people who want to create new newsgroups. (One hopes they'd be a bit more interesting than alt.fan.budget95, but after reading Usenet for a while, you realize that people have strange tastes.) Anyway, there are guidelines.
But that's all they are—not laws, regulations, or rules. There isn't even an accepted standard for what qualifies as a true newsgroup. On the Internet, anarchy reigns, but widespread co-operation makes it work—making the Internet a functional anarchy.
The big problem is that anarchy and authority do not interact well. That the anarchy is a functional one doesn't change this. Depending on your perspective, in the case of the Internet, being functional makes the interaction with outside authority either worse or better. It depends on what you think about making authority irrelevant.
John Gilmore, a Net pioneer and one of the founders of the Electronic Frontier Foundation, said: "The Net interprets censorship as damage and routes around it." This is the effect functionality has on the anarchy of the Internet. It makes it an extremely powerful force that is virtually impossible to control.
Nothing in Canada better demonstrates the truth of this than the publication ban in the Homolka trial. I assume everyone here knows, more or less, what happened, but in a nutshell here's the story.
Karla Homolka was charged with two counts of manslaughter. Her estranged husband, Paul Bernardo-slash-Teale was charged with two counts of first-degree murder and several other offences.
Homolka's trial was first, and Mr. Justice Kovacs decided that media coverage of her trial could infringe Teale's right to be presumed innocent, and hurt the integrity of the judicial process. So he made the order that I set out at page 11.
Hard-copy Canadian news media didn't report the banned details. But that was just about the only medium that observed the ban. Hard Copy, the American TV show, broke it, but the broadcast was blocked from cable reception in Canada. Similarly, foreign newspapers and television shows were blocked.
But the information in those articles, even the articles themselves, got onto the Internet. And, once the information is on the Internet, the story's over. It was out, and it was digital. That means it could be read or downloaded from anywhere in the world. Even within Canada. And it couldn't be stopped.
About a week after the ban, a Usenet newsgroup called alt.fan.karla-homolka was created. Five months later, a warning was sent over the Net about the forum. This led many sysadmins to cut their newsfeeds to it.
No problem... other newsgroups were created. The first of this next generation appeared only a week after alt.fan.karla-homolka was yanked. Now, there are at least a dozen. Some of them... [read list of newsgroups from FAQ].
Besides Usenet, the information is available by FTP, Gopher, and the World Wide Web. That means you can download files containing the details of the Homolka trial, you can read them online by menu, and you can view a graphical hypertext page with links to the foreign media articles. On the Web page, you can even download an audio spoof of the way the trial is being handled.
The futility of the attempt to censor Usenet only gives you a hint of the irony.
An issue of Wired, the "neon magazine," was pulled from some Canadian news-stands because of an article that revealed Homolka's plea. Every issue of the magazine is available over the Net, so this didn't matter a whole lot.
But the editors felt so strongly about the ban that they made all the information available—not just the banned article. The effort to ban the information actually enhanced it's availability.
And, finally, there's the judgment I quote from on page 13. I wish I knew more about how this happened. I can only speculate about why Mr. Justice Lesage revealed the same information that led the RCMP to censor Wired.
I think that when an estimated quarter of Canadians know something, it's fairly difficult to conclude that the information they know is banned. Perhaps, then, he simply failed to refer to Mr. Justice Kovacs' order and presumed that the information is free. But that's only a guess.
The crux of the matter is that the issue isn't normative, it's practical. The question to ask doesn't start with "Should we...", but rather with "Can we...". Should we ensure the presumption of innocence by restricting freedom of the media? Maybe. Can we? No.
Like the Wired article stated: "...the question is no longer whether certain information is too sensitive to be made public. The real question becomes whether it is even possible to keep certain information out of cyberspace. In the Teale-Homolka case, the ban was not so much broken as rendered irrelevant..."
Some have called the result an "underground information economy." In the U.S., a proposal called the Escrowed Encryption Standard, or EES, was developed as an answer. It was supposed to ensure privacy, but also enable authorized wiretapping of digital transmissions. This was intended to thwart criminals by making their communications available as evidence.
The Clipper Chip was part of this initiative. I'm speaking in the past tense, but there's no reason for anyone who opposed Clipper to rest easy. Even if it is long gone—and whether it is or is not is in dispute—new proposals still concern many people.
For example, there is now a Cyber Rights Campaign run by CPSR, Computer Professionals for Social Responsibility. This is a highly respected organization, and it opposes proposed changes to the telecommunications regulatory framework in the States. Among the changes, is the Communications Decency Act of 1995, that would make all service providers responsible for the communications passing through them.
But let's consider the Clipper chip for what it says about the ability to control the Internet. The scheme itself was fairly straightforward. The chip would be installed in all telecommunications devices: phones, fax, modems, etc.
On the chip is Skipjack. Skipjack is an encoding program, or encryption algorithm, that automatically scrambles all data, or voice, passing through the device. Only the authorized recipient of the transmission can descramble it, with a special software key.
The American government saw two authorized recipients. The first was the person the sender knew was receiving it, and the second was the authorities. They could get the key to decode the transmissions they wiretapped. To ensure this ability, the government said it would, and I quote, "discourage the development and sale of alternative powerful encryption technologies."
Many Internet users routinely encrypt their messages. They stiffened at the word "discourage," even though the government promised not to outlaw other programs. This is because the electronic community is greatly concerned about privacy, and I expect we'll hear about this after the break.
Right now, I just want to flag this as the reason for most of the opposition to the Clipper chip. It's the other reason to oppose Clipper that I'll consider in detail.
The other reason is that, on the Internet, it just wouldn't work. The Escrowed Encryption Standard required two things to work. One was the security of Skipjack, and the other was acceptance of the Clipper chip by consumers.
Let's consider the first condition, that Skipjack remain secure. The security of two encryption algorithms, DES and RSA, were called into question last year. A way to crack DES was discovered, and a message coded by RSA was cracked. RSA is still considered very strong, but these two experiences made people question the confidence the government had in Skipjack.
But the best argument was that even if Skipjack itself wasn't cracked, it could be made irrelevant. That's why consumers would never accept it.
The first way to make it irrelevant was to hack it. To descramble something transmitted through a given Clipper chip, authorities needed to match the chip to its key. The chip was designed to transmit an identifier to enable them to know which one it was. But this identifier could be falsified so that the right key wouldn't be found.
Without the right identifier, they couldn't get the right key. Without the right key, they couldn't descramble the transmission. And without the ability to descramble the transmission, the wiretap was useless.
The chip could also be made irrelevant by encrypting data before sending it through Skipjack. With this strategy, you may as well invite the FBI into your house to hookup their equipment to one of the phone jacks. Even if they get the key to your Clipper, after they descramble the transmission, they'll be left with something scrambled. And this time, they won't have the key.
The alternative encryption methods are cheap, simple, and readily available. Consumers, including criminals, can easily scramble their data before it's scrambled by Skipjack.
For example, PGP, or Pretty Good Privacy, is a public domain encryption algorithm by Phil Zimmermann. He put it on the Internet, and it's now available anywhere. [Show disk containing PGP and windows interface.]
Just how available it is is one of my favourite stories. In the U.S., exporting PGP is illegal. There was a hearing on this issue before a subcommittees of the Foreign Affairs Committee, and at the hearing witnesses explained why the restrictions on export were useless.
One witness pulled out a laptop computer. He plugged in a modem, called up an Internet file server in Germany, and downloaded PGP. He got precisely the same software that the U.S. wants to keep from getting out of the country!
It's just like the banned Homolka information: Once it's on the Internet, regulation is useless. And, also like Homolka, debates about what I call "should issues"—like privacy, security, and the prevention of crime—are interesting, but not really relevant until you explain the "can problem": Can it be regulated? Can it be controlled? Can it be enforced?
Apart from regulation, another way of imposing law on the Internet is to apply existing law. This strategy has been suggested for bulletin board systems, or BBSs. Each function of a BBS is segregated and matched to a real-world function. And then the law of the real-world function is applied.
On the Internet, the strategy would fail. The Internet is not simply a gigantic BBS. At best it is a distributed network of thousands of BBSs. This structure leads to emergent characteristics of the Internet that make it very different from a run-of-the-mill BBS.
One difference is the lack of authority. It is decentralized, so it is seldom clear where legal sanctions can be imposed. Let's assume, though, that this can be done. For instance, assume that the sys-admin of the rogue file server that's providing PGP to the world can be found and stopped.
So what? There are thousands of other servers. They are spread around the globe in dozens of jurisdictions. Can they all be controlled? Probably not.
And for effective control, they all have to be covered, because if a single one is excluded, the regulation of the rest is useless. Anyone can simply contact the one free file server and get what they want. As long as the information is available somewhere, it may as well be available everywhere. The best example is, again, the Homolka ban.
Another problem with the application of conventional law is the role to be played by the culture of the Net. Will Netiquette, the table manners of cyberspace, be considered at all? In other words, will the functional anarchy of the Internet receive legal endorsement as a capable means of self-control?
One ongoing saga is the story of Lawrence Canter and Martha Siegel. You may have heard of them as the "Green Card lawyers." They spammed Usenet with an off-topic, blatantly commercial message, not once, but twice.
A "spam" is the single most rude activity on Usenet. It's acceptable to cross-post, which means copying a message into many newsgroups. Because once I read a cross-posted message in one newsgroup, my software realizes this and stops the message from appearing as "unread" in others. So, I only have to come across it once. A spam, however, appears as a unique, non-cross-posted message in every newsgroup. So it's very hard to get rid of.
The Canter-Siegel post wasn't only a spam, but it was also off-topic in the newsgroups (another breach of Netiquette), and an unsolicited commercial ad (strike three). They received so much mail flaming them for doing this that their service provider's computers crashed over 15 times.
Their account was terminated. The lawyers weren't too pleased with this, so they threatened to sue for a quarter-million dollars. If the lawsuit had progressed, two sets of principles would be battling it out: well-established legal principles, and cultural Internet principles—the so-called Netiquette.
On following Netiquette, Canter and Siegel had this to say. In a book called How To Make a Fortune on the Information Superhighway, which should have been called "How to Become Roadkill," they wrote:
...some starry eyed individuals who access the Net think of Cyberspace as a community, with rules, regulations and codes of behaviour. [Can you see the stars in my eyes?] Don't you believe it! There is no community. ... Along your journey, someone may try to tell you that in order to be a good Net ‘citizen', you must follow the rules of the Cyberspace community. Don't listen. The only laws and rules with which you should concern yourself are those passed by the country, state and city in which you live.
About four weeks ago, the lawyers followed their own advice and spammed the Internet a second time. This was a breach of an agreement they had signed with their service provider, so their access to the Internet was terminated.
The problem with their advice was that you need access to the Internet, and to get access you need a service provider. No service provider will give you Net access if your activity puts their computers in danger of crashing. It will be interesting to see whether Canter and Siegel are ever seen on the Internet again.
I think they were absolutely wrong in advising people to ignore Netiquette. In court, especially, I think that cultural Internet principles should be granted some legitimacy, even if this has to be accomplished by the application of well-established law. We've already seen what the Internet is capable of doing to law it doesn't like. And it's not pretty.
The role traditional law has to play on the Internet isn't decided by policy. It's decided by ability. To the extent that the role of law has changed, it has been supplanted by tools. Howard Rheingold coined the phrase "tools, not rules." To a certain extent, I think, the power of electronic tools will make people a little more comfortable with the functional anarchy of the Internet.
So let's look at the tools and people who use them.
There's a great deal of equality among individuals on the Internet. It's easy to link up, the consumers of information are also it's primary producers, so there's considerable control over the environment and culture. And because it's mostly text-based, you can't see the person who's writing, and the seeds of visual discrimination are eliminated. It's content that matters. Or, as Dave Barry put it, "There are no bad haircuts in cyberspace."
Problems arise, however. For example, megaphones, meaning the ability of an individual, or a small group, to drown out other voices. On Usenet, this can be done either by simply writing a lot, or by using mailing lists.
The first problem is easily fixed by using kill files, and twit or bozo filters. If you don't like what someone has to say, or how much is said about a particular topic, you can instruct your software to block messages from that person, or about that topic, from reaching you. This is one instance of "tools, not rules."
Then there are mailing lists. Moderated mailing lists are supervised by someone who is said to "own" the list. The owner reviews each posting before sending it out to subscribers. The most popular one is the "David Letterman Top-Ten List." Unmoderated mailing lists are simple message resending relays, and can be compared to the average Usenet newsgroup.
Unmoderated lists have potential for abuse. Someone can send a message to all users of the list with little regard for the list's topic, or the interests of its subscribers. This way of abusing a mailing list requires co-operation of Internet users to remedy. And this co-operation routinely happens.
The newsgroup equivalent is what happened to Canter and Siegel. Users of the Internet act independently, but of one mind, to stop activity that is in severe breach of Netiquette. Their power is apparent from the fact that a flood of messages can cause computers on the Internet to crash.
Business is just beginning to realize the potential of the Internet. But those who don't spend some time examining what the Internet is, and thinking about how to best interact with it's users without offending them, will be faced with flames and the prospect of becoming a Net pariah.
The individual user on the Internet is part of an empowering, self-regulating, self-defending, co-operative, and anarchic community. This community is not going to conform to law, regulation, or a corporate strategy. It governs itself.
Yet, when the individuals who are part of this community don't co-operate within it, the gatekeepers act. The gatekeepers are the system administrators of Internet service providers. They have the power to decide who may subscribe to the system, and what degree of access they can have.
Of course, users can always leave one system for another, so there are strict limits on the power of gatekeepers. This hints to a role for a higher authority, as we'll see later.
The gatekeeper's role is, in part, to be arbitrator of disputes among users. Netiquette isn't uniform throughout the Internet. Its basic principles, like "don't spam" and "stay on-topic," are standard, but others are very different.
For instance, the Netiquette of rec.pets.cats is very different from alt.tasteless. Therefore, when the participants of alt.tasteless began to infiltrate rec.pets.cats to have some fun, they did so outside the normal bounds of the Net's co-operative community.
The war between alt.tasteless and rec.pets.cats was ultimately ended by the sysop of one of the primary antagonists. The sysop said, "Knock it off, or else," and rather than search around for another service provider, he did.
The sysop was asked to intervene only after one member of the cats group decided that kill files weren't sufficient. I'm skeptical of this decision. I think that use of tools, like kill files, is better because there's always the chance that the offending user will find other Internet access and continue.
There are some instances, still, where sysop power is insufficient. Let's call this the Mitnick scenario. We've all heard of Kevin Mitnick, the notorious hacker recently caught after an exciting chase through cyberspace.
Just as an aside, in reality, much of the damage he allegedly caused should have been impossible to do. For example, why was the file of credit card numbers he stole not encrypted? If I was a user of Netcom, where the file came from, I'd be really angry at the sysops who left the data un-encoded.
Anyhow, let's consider Mitnick for what he represents. That is, a group of users with the ability to break into computer systems. It is at this stage when sysop power is possibly useless. We're talking about sophisticated people with knowledge and desire to break into computer systems and cause damage.
The Computer Emergency Response Team, or CERT, played a key role in capturing Mitnick. It was created by the U.S. Defense Department to protect Internet security. Its members stay on top of all the techniques used by hackers. Tsutomu Shimomura, the computer security expert whose computer Mitnick broke into, said that to catch him they used the same tools he used.
Calls to CERT are increasing greatly. In 1994, 2,241 computer break-ins were reported—68% more than in 1993. Clearly, however, we only hear of a tiny number of those.
Mitnick is the exception. But the media excitement about him is unwarranted. A network security scientist from AT&T said he "thinks there was some element of hysteria in the reaction to him. There is another class of hacker entirely, the professional, whether it's industrial espionage or a foreign agent. They get in, find what they want and get out. Nobody hears about them. Nobody knows how common it was."
John Perry Barlow, of the Electronic Frontier Foundation, said, "I keep waiting for the dark-side hackers to become an obvious problem, but they seem so far not to have emerged. The show-offs are doing it."
Show-offs or professionals, is it at this level of sophisticated abuse of the Internet that the human element, the power of individual users and sysops, is impotent. CERT, however, fulfils a very narrow purpose.
It exists to advise and investigate in cases of potential or actual breaches of Internet security, but it has no legal power to arrest or prosecute. What it does not do is as important as what it does. It does not interfere with the Internet in order to advance some unrelated policy of the U.S. government. That, as we know from Homolka and from Clipper, would be futile.
CERT is an ideal solution to the problem. On page 33 I formulated a principle that I propose is necessary to guide government activity on the Internet:
Government may interfere in the co-operative anarchy of the Internet only to protect the security of its users, only to the extent such interference compensates for the inability of users to do so on their own, and it must not act solely to advance its extraneous policy interests.
Let's see how Canadian governments are doing.
"The Canadian Information Highway" is the federal government's discussion paper. It was produced by Industry Canada and is pretty good at setting out the issues that need to be addressed. However, there are several points in the paper that fail to recognize the nature of the Internet.
One is in the goals the government sets for itself. Among them is the goal to "reinforce Canadian sovereignty and cultural identity." It's hard to define the meaning of this phrase. One thing, however, is certain. To the extent the government wants to enforce cultural content in cyberspace, it will fail. This isn't to say the goal shouldn't be pursued, but only that it can't be achieved by regulation. The Internet will ensure that the policy is irrelevant.
Also, listen to this Implementation Principle in the paper: "...an open network architecture, open access policies and common technical standards...". I read this and think: oh, so the Canadian government wants to build the Internet. That's nice. But it's already there, so they don't have much of a choice if they want the tremendous advantage of international communication.
New Brunswick also came out with a paper. It's metaphorically entitled "Driving the Information Highway" and contains 11 recommendations.
The last one is: "The Task Force recommends that the necessary structures be put in place to influence and monitor the development of the information highway." The words "influence and monitor" aren't words Internet users like to hear from government, but that's beside the point. The question is, quite simply: How? Until New Brunswick answers that question, the recommendation will be nothing more than rhetoric.
But this shouldn't scare government away. I began by talking about how the Internet makes many people nervous. Don't be. There are issues to be concerned about, issues that the Homolka publication ban and the Clipper chip make clear. But online, the Net takes care of itself and benefits its users.
I'll leave you with something from Alexander Graham Bell. He said: "When one door closes another door opens; but we often look so long and so regretfully upon the closed door that we do not see the ones which open for us."
The door to regulating the Internet is closed. Don't miss the ones that are open.