In two recent debate events I participated in, on iFreedom and privacy in the online world, mistrust of government and government's intentions and motivations on and towards the Internet were abundantly present with more than just a few people in the audiences. The emotions were not new to me, no, it was the rationality that surprised and sometimes almost shocked me. Why? Well, should these sentiments get the support of the majority of people, it would undermine all legitimacy of a government to govern. Let's try and take a closer look. More to start a debate, than to explain. True to this blog, I limit myself, mostly, to cyber security and crime, but to set the stage I start with the role of government in security in general and work towards the question whether the "contract" between government and citizens needs a renewal for the digital age?
The role of government
In everyday life government has many roles. Here we limit ourselves to security. (In short) citizens expect their government to uphold the rule of law and protect them, its citizens, to the best of its abilities in a general sense and where necessary individually. The same goes for institutions, economic interests, the environment, air traffic control, etc., etc. Citizens on their end are supposed to know and uphold the law. The government is given special tasks and powers to do so even up to the exclusiveness on the use of violence in order to protect and/or prevent harm. As a next best citizens expect to have law breaches investigated and enforced. All this is written down and specified in laws. After a judicial process governments by way of trials can punish in the form of penalties or a prison sentence.
If there is a downside, this is it. Government institutions investigate breaches of the law or take preventive measures to provide security, which always infringe on someone's basic, individual rights or privacy; which are wavered for the common good. The level up to which and the context within these sort of measures are taken, depends on the society one lives in. This is a sort of "social contract" that a government and its citizens have signed. In the analogue life the present "contract" between government and citizens is seen as normal in a constitutional democracy. It is safe to say that it is the digital environment that worries people the most. It's new and unknown. For all concerned.
The digital environment
There's a few angles I want to focus on, free speech advocates, government and the Internet, the dark side of the Internet and the role of governments and finally the tendency to move forward into the digital realm just because it's possible.
– Internet free speech advocates
Is the "contract" working in the digital world also? It appears not to be. The Internet freedom advocates fight for free speech and non-governmental interference on the Internet. And I can not agree more on free-speech. This is the greatest good in a democracy, something, by the way, a lot of people seem to forget sometimes.
Lately it appears that "rightist elements in western governments", as they are called somewhat conspiratorial here and there, are working hard on making freedom of speech and privacy less common, through drafting and accepting "reactionary" laws. The stirring of fright caused by terrorist actions, although the mere threat is enough, religious biases, populist's demands and the general uncertainty of the economic crisis are all used to draft or amend these laws. (If you like to read more, I suggest Nick Cohen's excellent 'You can't read this book'.)
Yes, a lot of people are frightened or are made to feel frightened and some laws are passed as a result, which downplay individual rights. These are but a few examples of what Internet freedom advocates warn for and up to a certain extend I can see why. Other causes for concern have to do with storage and joining of databases, insecure storage, etc. by governments. Quite often these concerns are expressed in a more general sense, despite the fact that some accumulation of data is the result of the above mentioned laws. I come back to this shortly under the sub header 'Don't do something because you can' below.
– Who "owns" the Internet
On the other hand Internet critical infrastructure is not owned by governments for the most part. It's in private hands. It was private investments and innovations that brought all the positive excitement on and around the Internet. As a consequence the role of governments in Internet security, protocols and governance is more limited than one would expect. They can play a significant role in their own infrastructure and seem to do so at present, but what can they do in the private realm? If, on top of that, we take into effect the borderless nature of the Internet, an individual government's role is even downplayed more. One government('s institutions) have no say in another government's jurisdiction, leaving it powerless and subjected to the good intentions of its colleagues. (see below)
In a more abstract sense this is different, as a government wants to protect the nation and its interests. It is here where the discussion of Internet freedom and Internet governance converge and clash. The question is how big the role of an individual government is or can be on the borderless Internet. It may just not be as big as some want and can't be without stopping the way the Internet works. Its a brave new world, but also a little like the 1880′s Wild West. We are all experimenting here, including governments. What works they ask themselves? Laws? Regulating the Internet? Influencing private Internet organisations? Surveillance? Counter-hacking? Impinging fundamental freedoms? ??? What will not work for the West, if not for all, is cutting yourself of the Internet and develop your own in splendid isolation.
– The darker side of the internet
Let us not forget to look at the use the Internet is put to also. From spam, fraud, extortion, phishing, the spreading of malware, attacks and all the way to espionage or disruption of the functioning of companies, institutions and states. Harming individuals, organisations and, so far luckily only in theory, wrecking a whole society.
Do we not then expect government to play the same role in the digital realm as in our analogue lives? My guess is that we (all) do, however it seems that something has gone wrong in the perception on the how and what governments do, what they are for in the first place. It does seem that people tend to get very disappointed if a government fails to protect, even where a government does not have a role to play. As a conclusion I think I can put here that "we" expect our government to protect us from online criminal or terrorist harm, but I also need to ask: to what extend and can it?
– Monopoly on violence and the Internet
As long as violations of laws on or through the Internet are committed within a country, there is no problem. All empowerment through laws can be used in investigations and subsequent actions against individuals or legal bodies. The hard part is to have another entity cooperate as soon as a violation is or appears to have been, committed from abroad. As De Natris Consult's study into national and international cooperation concerning online threats shows (click here), cooperation is not as simply achieved as might be expected. There's a world to win here.
As an interim wrap up: governments have no ownership of the Internet and run into borders. In the end this tends to make them ill suited to protect an online society. They do not feel comfortable with this situation.
My favourite quote, as some may already know, is: "It's international, we can't do anything"! This is just not true. In the end every violation on the Internet is domestic, unless there is no law against that specific (cyber) crime in a country. But isn't stealing, stealing? Fraud, fraud? Extortion, extortion? Etc.
So governments run into the problem of jurisdiction at borders, where (cyber) criminals do not. Is the solution to have international permission to do digital investigations abroad or better (suited) cooperation programs that take required speed of assistance into account? Or to create an Internet task force with cross border coordinating powers, that can tap into the best suited and equipped organisation to work with in any specific country? My guess is either of the latter two, but that is not for me to decide.
– Don't do something because you can (at least not on impulse)
In the past decade and a half we have entered a brave new world. A world that seems to offer endless possibilities to us and to governments. Let's look at us first. Yes, you and me. "We" seem to dive into every opportunity on offer on the Internet with abandon. Hardly checking consequences. We involve ourselves in illegal activities, that we may not even see as illegal any more, e.g. illegal up and downloading, file sharing, downloading illegal copies of software, ordering illegal substances, etc. We click on anything and give away our most private data because the offer of a free something competition and we share them on social websites. Not very careful, are we?, as most of these actions come with chance of a viral contamination that potentially threatens society as a whole.
But what about entities? Companies have connected their networks and installations to the Internet and so have governments. Why? Just because they could, it seems to save money and such a good idea and the ease of working remotely. Let's call it innocence in the face of progress.
The consequences of these opportunities have become abundantly clear in the past years. Governments are contemplating or are in the process of taking measures. Companies still seem to lag behind. Cost vs. profit? Short term policy and shareholders' primary concerns vs. long term security? It may just be true.
At the enforcement side governments have also entered this brave new world and they are finding out what the possibilities in this world are. And yes, they are starting to use them. Why? Just because they (technically) can, it seems to save money, the ease, because they truly do not see another option in this borderless world, etc. At the same time net neutrality is seen as a great good by some governments, including the Netherlands. A bit at odds? Perhaps, but not necessarily so.
Yes, it is dangerous to just do something because it is possible. Governments and industry are discovering just that in embarrassing and (financially) painful ways and are starting to pay the price. Probably many times over the savings. That goes for connecting critical infrastructure directly to the Internet without thinking through the consequences (for security) first. On clicking on anything that is presented, but also weak protection and losing privacy sensitive data over and over again. The same goes for routinely taking surveillance techniques to the Internet without thinking through the democratic consequences and the innocence presumption first.
The Internet does create a tremendous opportunity to nation states to connect, store and analyse data, to track and follow people. It is very hard not to give in to these possibilities, as it makes enforcement, at first sight, so much easier. Temptation vs. integrity? A good reference question could be: would this technique be used in a dictatorial state to keep track of the population's activities? If yes, then maybe it's a bad choice if you're in a democracy.
Privacy and web 2.0 use of data
What surprised me, is that the concerns for web 2.0 solutions in the cloud, the terms and conditions of web services like Google, Facebook and all sorts of apps did not concern the audience as much. Some speakers did bring this in, but from the interface level. The ease with which privacy could be protected through a click or not. Not what happens with data behind the interface. The concern for governments as discussed above, all rise from the fear of losing privacy. Isn't the same true here?
An app that comes, unasked for, with an smart phone, announces an update. Reading the terms it says something like: "You consent to the app looking into your contacts list, your e-mail box" and what not. What for? What reason could an app have for browsing my, and by default also my contacts', privacy sensitive data and perhaps even the content of private messages? Isn't this at least as scary as a government snooping around the Internet? In my opinion it is. Who knows what happens with your data, to whom it is shown, sold or handed over to because of investigations in other countries? Still, how many people read the terms and conditions of an app at updating (or before installing) and don't except because of these terms?
This as an aside, but isn't it also governments that the public tends to look at to sort this out? E.g. through privacy laws and the enforcement there of? Yes, it is. A role we accept as normal. Because it doesn't effect us, I add hesitatingly?
Is mistrust a populist trend?
It could be that the distrust of governments, in this context, is a part of the general lack of respect that government officials are shown over the past years. E.g. the attacks on ambulance personnel, police or teachers, aggression in hospitals, project X parties and what not. However, I don't think so. It is at least one layer deeper than this. The people discussing the topics on online privacy seem to have a general distrust of the motivation of government's actions towards them individually and towards society as a whole. A mistrust they may not have off line where drugs or organised crime investigations are concerned (and don't effect them personally?, I add hesitatingly again).
And it certainly does not fall into the "We need to punish harder", "except when I violate a law" trend.
It's also too easy to discard this all as just conspiracy theory thinking. To do so may be very damaging. The same goes for holding up hands in defence and saying: "but you don't understand what governments (don't) do!" That may just be the underlying problem, but not an excuse not to act and address the issue. This could even be very damaging to a government's credibility.
So where must we look then?
A new contract between governments and society
When a government in the face of its actions loses its credibility with a large part of society, it loses its rights and legitimacy to govern. When citizens lose their trust in their government, the result is distrust, frustration, anger and in the end upheaval. (Just look at what is happening in Greece this very moment.) The balance between justified investigations and, unnecessary, infringing basic rights is tender as the discussion on privacy and online freedom at NL IGF suggests.
I see two main questions a government has to ask itself:
1. In how far can we protect you? and
2. To what extend should we go to protect you?
The answer may be all telling: No, we can't always protect you and neither should we want to as it would no longer be democratic and certainly impinge on (your) basic rights and freedom of speech. We all know from the analogue world what these rights are. They are in principle no different in the digital realm.
However, to a lot of people there seem to be major differences and especially because of the way they perceive governments acting on and around the Internet. This gives cause to discuss the boundaries of government's actions on the Internet. The outcome of the questions above on the extend a government can protect its citizens, on and offline, could serve as a starting point. The choices thus made in democratic fashion lead to a renewed set of commitments, that were discussed, decided on and supported by the majority. Let's call the outcome a renewed "contract" between the government and its citizens for the digital age. It may be a good step in the direction to normalise relationships between the two and put an end to experimenting.
A government has an important role in protecting the state, the nation and its institutions, organisations and citizens from harm and attacks; in short "us". In the digital realm it sometimes can't do this, as attacks come from anywhere in the world and sometimes even from people('s ICT tools) who are unaware of their direct role. Still when security fails, often government is directly blamed. For government to be able to play its role towards and on the Internet, it may be very important for governments to explain what they do, why they do it and the results they get. Without overstepping boundaries of the rule of law, protecting individual rights that are part and fundamentals of constitutional states. And protect free speech at the same time.
At present too many people seem to miss the balance between actions, the law and their privacy and freedom. Whether true or false. This sentiment should concern governments deeply, as the balance between the two is very delicate. Only by seeking dialogue and to discuss necessary measures, trust can be found and support gained for a new contract between governments and citizens for the digital age. A government deserves respect, but also needs to make sure it earns that respect through its actions.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines