All those Internet Governance pundits who track ICANN the way paparazzi track Paris Hilton are barking up the wrong tree. They've mistaken the Department of Street Signs for the whole of the state. The real action involves words like rbldnsd, content filtering, and webs of trust.
Welcome to the Internet! What's on the menu today? Spam, with some phish on the side! We've got email spam, Usenet spam, IRC spam, IM spam, Jabber spam, Web spam, blogs spam, and spam splogs. And next week we'll have some brand new VoIP spam for you.
Now that we're a few years into the Cambrian explosion of messaging protocols, I'd like to present a few observations around a theme and offer some suggestions.
Just so you know where I'm coming from, the foremost concern in my mind is this: The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email — email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong. Can you imagine a Balkanization of messaging, where if you want to talk to someone you have to first join their BBS? I'm an idealist: I care deeply about the future of free communications. I don't want to screw this one up.
The following points help me develop my argument.
1. Every open medium can be abused.
2. Emigrating from a hostile environment and jailing violators are two sides of the same coin.
3. Extradition only works when governments agree.
4. National borders don't work online; we need new kinds of boundaries.
5. DNSBLs are the prisons of Internet email.
6. Let's create a world where the consensus reality is as inclusive as possible.
One: Every open medium can be abused.
The abuse comes in a hundred different forms, but deep down they're all, somewhat tediously, the same: bad guys telling lies for profit. (Do you remember the one exception, the kook looking for a time machine?)
Why do closed media suffer less abuse? Because closed media have centralized architectures, built-in authentication, real-world identities, prerequisites for access, well-defined usage guidelines, and short paper trails. Of course they're better at kicking offenders off the network. They have staff paid to do just that!
Open systems, by design, are more of a free-for-all.
So why don't we just build one big closed system? Many youngsters have given up on email, and prefer to communicate over Myspace and AIM. If you want to talk to them, you have to sign up with Myspace and AIM. If you cause trouble, Myspace and AOL reserve the right to kick you off the system. The economic costs of signing up — the time it takes to sign up, pass CAPTCHA, and learn how to use the system — are analogous to other economic costs that have been proposed, such as "penny per email". And enforcement can be much more effective.
Just as the free market has voluntarily chosen a monopoly regime for desktop operating systems, maybe the free market will eventually choose a monopoly regime for messaging systems. We may simply find that it's cheaper to pay one vendor to manage spam for everyone.
But I doubt it; just as the Microsoft mainstream fuels the Linux and OS X countercultures, any messaging mainstream will fuel alternative modes of communication. Why?
Because I might not want to live in your country. If World of Warcraft — a very complex messaging system — declares itself a gay-free zone, where will gay gamers (gaymers?) go? They'll go elsewhere. Time and again we have seen governments declare a uniform standard for behaviour: time and again we have seen people get up and walk away.
Now we're getting into politics and governance. You might want to go make a cup of tea: this argument is about to detour down the scenic route.
Two: Emigrating from a hostile environment and jailing violators are two sides of the same coin.
Much of mankind's political history can be traced to the idea of voting with your feet. If you don't like the way things are done in one place, you go someplace else.
When the Mennonites left Europe for America in the 18th Century, they were simply implementing "no thanks, I'm leaving".
Emigrating away from a hostile domain is a bottom-up approach. Symmetrically, this pattern has a top-down version. Mennonites enforce community standards by shunning. In every society, people who don't play by the rules get sent to prison or exiled. And that's society implementing "no thanks, you're leaving."
(Populating Australia with criminals implements both approaches at once.)
At the G2G level, when countries get mad at one another, the first thing they do is break off diplomatic relations and pretend the other country doesn't exist.
But that only works to a limited degree. One man's free speech is another man's blasphemy. And, as certain Danish cartoonists and European newspapers have recently discovered, globalization makes it real hard to ignore the sins of your neighbours. Some societies are not content to apply their values locally — "we don't keep dogs as pets, but we don't mind if you do" — but wish to apply them globally — "we don't draw certain kinds of pictures, and nobody else may either."
But online, the feet are virtual, and every place is, in some sense, everyplace else. This means that, online, we need to come up with new ways for people of one mind to "migrate" away from people of another.
Three: Extradition only works when governments agree.
Most developed countries in the West generally want to help catch one another's criminals. But, as we noted above, community standards differ. Governments get particularly touchy in matters of jurisdiction and sovereignty. So Roman Polanski lives in France, unmolested by the United States.
If you sue spammers in Tampa, they pop up again in Taiwan. Extraditing skript kiddies just doesn't scale. National borders don't work online.
That's what makes it so hard to police the Internet. The very idea of policing goes hand in hand with the idea of jurisdiction. And jurisdiction ultimately goes back to the idea of a state.
Nation-states have been around in their modern, governmental form, for a couple hundred years now. The modern Internet has been around for maybe twenty. If nation-states are a horse and buggy, the Internet is a hybrid automobile.
Asking a nation-state to manage Internet crime is like asking a Mountie to pull over a Prius.
Four: Our global village has no borders.
Ten years ago, back when we all thought global villages and information superhighways were just the bee's knees, hordes of breathless futurists proclaimed the Internet has no borders! Borderless was good, hot, fun!
Now we're discovering that organized crime loves the Internet precisely because it has no borders, no jurisdiction, no police.
Well, almost no police. Ten years after we built the information superhighway, you can't spend ten minutes on 101 without seeing a Cisco billboard announcing "trojan horse corralled" or "denial of service denied". (The whole ad campaign feels bafflingly insider, sort of like a postmodern Burma Shave, but authored by mildly autistic types who simply don't care whether anybody else understands what they're saying.) But what does it mean? It means Cisco is beginning to provide infrastructure on the Internet the way Halliburton provides infrastructure in Iraq: they build the roads and they man the checkpoints.
Do we really want a centralized authority integrated into the infrastructure, or do we want the ability to choose which communities we want to live in? We can take power back into our hands and draw our own borders…
Five: DNSBLs are the prisons of the Internet.
Spamfighters like to think of DNS blacklists as a cutting-edge tool for the 21st century, but I would wager that if you went down to Lancaster, PA, flagged down an Amish farmer driving his 18th century horse and buggy, and showed him a DNSBL, he would recognize it instantly: "you're shunning those who can't hold their tongues!"
Just as shunning is a frightfully effective form of Amish social control, DNS blacklists are a frightfully effective form of Internet social control.
The interesting thing about blacklists is that you get to choose which ones you want. Today this just means that if you pick a DNSBL that's a little bit too activist, you get some false positives, some intentional collateral damage. But tomorrow, if we flip the switch from default-accept to default-deny, picking the wrong whitelists, or too few of them, could result in eclipsing whole swaths of the Net.
That would be bad. It would also be dangerously tempting. Most people don't know what they don't know. It's very easy to whitelist all the good people in your addressbook, but it's harder to whitelist all the good people not in your addressbook. If we want to keep email as open as it used to be, we have to be very inclusive. This is where reputation systems come in: just as credit bureaus tell financial institutions if someone is likely not to pay their bills, reputation systems tell mail receivers if someone is likely to be a spammer. Reputation systems are essential to solving the first- contact problem, but that is a topic for a different article.
Crudely but functionally, a consensus reality begins with a group of persons who recognize each other's existence. When we use DNSBLs, we refuse to communicate with the entities listed — we killfile them, but the killfiles are shared. I'm told that Spamhaus covers something like half a billion mailboxes: that's half a billion mailboxes who don't talk to anyone listed on the SBL.
In a default-deny world, we're less interested in the bad guys and more interested in the good guys. I could easily imagine a world where you whitelist everyone in your addressbook, everyone in your family, your company, your industry network, your church, your school, your neighbourhood ... and that might get you good enough coverage that you wouldn't notice the legitimate messages that are getting blocked.
Six: Let's create a world where the consensus reality is as inclusive as possible.
What have we learned?
We counter abuse in open media on the borderless Internet not by bringing antiquated legal instruments to bear, but by collectively agreeing on whom to shun and whom to put on the guest list.
Shunning is what you do when your default rule is "allow" — when you're liberal in what you receive, you expect others to be conservative in what they send. When they're not, you killfile them.
In open media, though, we're discovering that maybe the default rule should be "deny". In big cities, we've learned, tediously, that most strangers who approach us on the street are trying to tell us lies for profit. The Internet has become a big city. When others are liberal in what they send, maybe we should be conservative in what we receive. The opposite of a blacklist is a whitelist. The opposite of shunning is selective introductions — think Victorian social norms. Whole industries are springing up around these ideas: accreditation and reputation are hot topics in the antispam world today, but the ideas behind them are as old as human civilization. If there is nothing new under the sun, then let us learn from history and not repeat it!
We need mechanisms to agree on who's worth talking to and who's not. First-generation, proprietary, integrated approaches like Goodmail will pave the way for next-generation technologies based on open standards. And these technologies will lay the foundations for what I consider to be the meat of Internet governance: rules that determine precisely to what extent my Internet overlaps with your Internet, and whether I let you into my world at all. In short, whether the walled garden I build for myself opens on the walled garden you build for yourself.
After all, if there are no national boundaries on the Internet, then maybe, just maybe, every man is an island, entire of itself. Each of us builds bridges to our neighbours, and we roam on those bridges until we feel uncomfortably far from home.
As a matter of public policy, I want to set a goal: in a world of default deny, let's use all the tools at our disposal to make our walled gardens as big as they can be. Why? Because, as Donne said, "I am involved in mankind"; if you are not in my whitelist, I may not be in yours, and we are both the poorer for it.
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
Minds + Machines