The emergence of the internet has introduced changes in economic and social relations that challenge existing legal and legislative frameworks. Governments, businesses, and private citizens are struggling to create new legal and regulatory schemes that can manage this transformation, and it is not yet clear how the contending – and sometimes conflicting – interests of these parties should be balanced. It is likely that governments, security professionals and individual users are all going to play a role in ‘policing’ the internet.
Internet pioneer, JP Barlow, called attention to the revolutionary fact that a new economy was emerging in which ideas, and not only objects, had value. This revolution has implications for the individual as well because in cyberspace, electronic identity information has an economic value that is disconnected from the person.
In the 27 years since the first .com address was advertised on the internet, data from the Information Technology & Innovation Foundation (ITIF) indicates a vast economic space with more than 80 million .com domains and an estimated $1.5 trillion in transaction activity. This transformation has turned intellectual property and personal identity into real commodities that must be protected, along with physical assets like bank accounts and computer systems.
The internet has also become a military battleground, just as tangible as the traditional domains of air, sea, and land. Military planners are busy mapping the contours of war in cyber space, and Russia has demonstrated an operational cyberwar capability on the field of battle with its invasion of the neighboring state of Georgia in 2008. In August this year, the Pentagon Cyber Command proposed changes in the standing rules of engagement that would authorize offensive actions outside its own computer networks. The proposal represents a major effort to address the jurisdictional paradox posed by the borderless internet. The Washington Post reported former US deputy defense secretary, William J. Lynn, speaking at a global security conference as saying: “The legal and policy entanglement in cyber is far, far more difficult than it is in some other domains of warfare.”
Despite the complex network of military and law enforcement agencies that are active in cyber policing, there is no major debate about whether the government has a role in these domains. Identifying criminals, securing defense and intelligence secrets, prosecuting crimes that occur within or make use of cyber networks, and protecting networks from malicious attack are all classical responsibilities of government.
An Internet without Borders
Less simple to deal with, even in the realm of criminal law, is the problem of jurisdiction over the global internet. The concept of jurisdiction is based on territory and sovereign control of territory, but that traditional premise is shattered by a type of action that can be initiated in a country where it is legal, yet have an effect that is criminal in another country, and be perpetrated by an actor who is resident of a third country. To make matters worse, it is often impossible to prove where the action was initiated, or who really caused it. Legal experts are hopeful that the traditional bases of jurisdiction – such as those listed in the foreign relations law of the US, along with international initiatives such as the Council of Europe’s Cybercrime Convention – will lay the groundwork for ‘re-territorializing’ the internet, at least with regard to criminal laws.
Fundamentally, the debate regarding government police powers is not over roles, but rather how far that authority extends and how to enforce it. The USA PATRIOT Act of 2001 and related anti-terrorist laws expanded government surveillance powers beyond the bounds of traditional wiretap restraints. Recently, legislation was introduced in the US Senate that would roll-back some of those powers, creating uncertainty regarding what US posture should be on this issue.
| "A contradiction has come into play between satisfying the businesses that serve European citizens versus advocating for Europe’s citizens themselves around their concerns about privacy and the growing level of personal data now residing online" |
| Viviane Reding, EC vice president |
The conflict over the extent to which governments may make use of the internet for police activities is not limited to the US. Recently announced plans by the UK government to increase police surveillance power have unleashed controversy throughout the European Union. A newsletter published by European Digital Rights, a civil liberties advocacy, reports that: “If approved, [the] Communications Data Bill (CDB) will place innocent citizens under continuous surveillance having all their communications and online activity monitored, all of the time. The government would store information about who’s messaging whom, who’s a friend to whom on the internet or what people are searching for on search engines. Police and HM Revenue and Customs officers would have the power to access this information without a judicial warrant.”
European Commission vice president, Viviane Reding, countered the UK proposal by pointing to the Treaty of Lisbon, which binds European states to protect the rights of the individual, even at the expense of the security interests of the individual state. Reding has championed a Data Protection Directive in the European Parliament that she believes has the necessary flexibility to balance the rights of the individual with the need to protect society. “This is a balancing act – you cannot make them clash”, she said.
A Crisis of Trust
European concerns over data privacy are rooted in bitter experiences with abuses perpetrated by police during the heyday of the imperial powers, including the Nazi Gestapo and the Soviet KGB. Unlike the US, where markets define who owns identity data, the Europeans look to the state to regulate and control access to data.
British news magazine, The Register, reported that in a meeting with a small audience of internet players and experts, Reding noted “a contradiction has come into play between satisfying the businesses that serve European citizens versus advocating for Europe’s citizens themselves around their concerns about privacy and the growing level of personal data now residing online.” Reding indicated that she will soon be meeting with her US counterparts to discuss the crisis in trust over data privacy in Europe, where more than 70% of citizens are worried that their data might be misused.
Balance is the watchword in this controversy. David Froud, an official with security firm Trustwave, believes that “there is every need for governments to take an active role in policing the internet, and use their powers to ensure that users’ data remains protected and secure. If governments took no role in policing the internet, then protection of user data wouldn’t happen.” He adds that government privacy oversight organizations, such as the Information Commissioner’s Office (ICO) in the UK, “are there to ensure there is some accountability, and that organizations need to protect personal data. Without that, there is little motivation to keep information secure.”
Froud adds, “The idea of governments policing the internet does bring personal privacy into the equation: How can a government ensure that the internet is policed in a way to help protect citizens from criminals both online and offline, without accessing users’ communications? There is a strong need for cooperation between information security professionals and governments, but the question that needs to be asked is: Who is watching the watchers?”
Competing Interests
The fact is that businesses have an interest in the ability to use data about people – identity information – for commercial purposes, and in many ways, the consumer benefits when businesses provide services, identify markets, and introduce products by making use of this information. Businesses in Europe and the US share concerns that privacy regulations will inhibit some of the dynamism in the internet economy.
| "There is every need for governments to take an active role in policing the internet, and use their powers to ensure that users’ data remains protected and secure" |
| David Froud, Trustwave |
The demand for freedom of action can even pit business interests against the law enforcement interests of the government, as was seen in the controversy over the Obama Administration’s effort to pass legislation that would set security requirements for the protection of critical infrastructure. Proponents of the legislation, such as FCC official, James Barnett Jr., argue that, “no one would tolerate this level of criminality, thievery, vandalism or invasion of property if it was done in the physical world, and we can no longer afford to tolerate it in cyberspace”. He argued in front of the US House Energy and Commerce subcommittee that mandatory requirements are needed because industry efforts to protect networks and infrastructure “are not working”. Opponents of the bill prevailed, and the administration has threatened to impose the regulations by executive order.
While business and government sort out their respective roles in policing the internet, the information security professional has been identified as a player by Gen. Keith Alexander, head of the NSA and the US Cyber Command. Speaking at the annual Defcon conference in July, Alexander called the audience of hackers and information security practitioners, “the world’s best cybersecurity community” and went on to say that, “In this room right here is the talent our nation needs to secure cyberspace”.
In a similar way, the Obama administration’s efforts to support ‘do not track’ provisions, which give the consumer the right to control access to their data, are pointing to the role of the individual in policing the internet. That idea is widely supported in Europe and illustrates the importance of the individual citizen in every dimension of the new digital world.
Governments, businesses, information security professionals, and individual citizens; the actors have all been called to the great stage of advocating for internet security – let the curtain rise on the next act of this amazing story.