Presentation by Ian Brown, Oxford Internet Institute in Indonesia Information Security Forum 2012

1. Sovereignty in
Cyberspace
Ian Brown, Oxford Internet Institute

2. Outline
• Legitimacy in global governance
• Three sites of global Internet governance
• NSA: Pretty Good Privacy and encryption controls
• WIPO: “The answer to the machine is in the
machine” – copyright and Technological
Protection Mechanisms
• ICANN: the travelling governance circus
• Technocracy vs democracy; realpolitik vs
rhetoric
• Regulating technology; technologising
regulation

3. Legitimacy and Internet
governance
• Source, process or results-oriented?
Mandates, accountability, consensus and
technocracy
• Constitutional review – whose constitution?
US, ECHR, UDHR, IETF? Code as
constitutional law
• Rhetorical framing – ‘When I use a word,' Humpty
Dumpty said, in rather a scornful tone, `it means just
what I choose it to mean – neither more nor less.'

4. National Security Agency
• Lead US Signals
Intelligence and
Cryptology agency
• Multibillion $ budget
• Highly secretive (No
Such Agency 1952-
64)
• Key driver of US and
international policy on
encryption

5. Encryption control timeline
Matt Blaze
1978: A Method for Obtaining
Digital Signatures and Public-Key
Cryptosystems, 1990: PGP software released via 1993: Al Gore leads US
Rivest/Shamir/Adleman: c = me Usenet. Author Phil Zimmerman attempts to mandate
mod n; m = cd mod n pursued through courts for 3 years key escrow
1976: New Directions 1977-: NSA attempts to ban publication 1992: AT&T announce
in Cryptography, Diffie of cryptographic publications; to control DES phone
& Hellman funding of cryptography research; and to
ban export of cryptographic software

6. Encryption rhetoric
• “They have computers, and they may have other
weapons of mass destruction.” –AG Janet Reno
(1998)
• "Terrorists, drug traffickers and criminals have
been able to exploit this huge vulnerability in our
public safety matrix.” –FBI Director Louis Freeh
(2002)
• “Many people also choose to use readily available
encryption programmes to encrypt their email,
files, folders, documents and pictures. These
same technologies are also used by terrorists,
criminals and paedophiles to conceal their
activities.” –Home Office (2009)

7. Encryption realpolitik
• “Law enforcement is a protective shield for all the
other governmental activities. You should use the
right word – we’re talking about foreign
intelligence… The Law enforcement is a smoke
screen” –David Herson, SOGIS (1996)
• “We steal [economic] secrets with espionage, with
communications, with reconnaissance satellites” –
James Woolsey, CIA (2002)
• "Encryption is no more prevalent amongst
terrorists than the general population. Al-Qaeda
has used encryption, but less than commercial
enterprises.” –Juliette Bird, NATO (2006)

8. Encryption control unravels
1996: IETF declares: “Cryptography
is the most powerful single tool that
users can use to secure the Internet. 1997: OECD rejects attempts to
Knowingly making that tool weaker mandate key escrow in its
threatens their ability to do so, and Guidelines for Cryptography
has no proven benefit.” Policy
1995: Netscape adds 1997: European Commission
encrypted links, enabling declares key escrow should be 2001: US essentially
e-commerce boom limited to that which is “absolutely abandons export controls
necessary”

9. NSA summary
• Encryption policy was driven by a small number of
executive agency stakeholders (largely excluding
legislators) with very little transparency, and
widespread contention from Internet community –
lack of source, process and results legitimacy
• Differing stakeholder positions meant multilateral
fora rejected US demands & bilateral negotiation
failed
• Effective regulation extremely difficult given global
availability of cryptographic knowledge,
programmers, distribution channel, open PC
platform and user demand

10. WIPO
• Part of UN system
responsible for “developing a
balanced and accessible
international IP system,
which rewards creativity,
stimulates innovation and
contributes to economic
development while
safeguarding the public
interest”
• Spent much of 1980s and
1990s “updating” global ©
treaties

11. © rhetoric
• “the VCR is to the American film
producer and the American
public as the Boston strangler is
to the woman home alone.” –
Jack Valenti (1982)
• “The answer to the machine is in
the machine” –Charles Clark
(1996)
• “If we can find some way to [stop
filesharing] without destroying
their machines, we'd be
interested in hearing about that.
If that's the only way, then I'm all
for destroying their machines.” –
Senator Orrin Hatch (2003)

12. Technological Protection
Measures
WIPO Copyright Treaty §11
“Contracting Parties shall
provide adequate legal
protection and effective
legal remedies against the
circumvention of effective
technological measures
that are used by authors in
connection with the
exercise of their rights
under this Treaty or the
Berne Convention and that
restrict acts, in respect of
their works, which are not
authorized by the authors
concerned or permitted by
law.”

13. Implementations
• DMCA §1201: “No person shall circumvent a
technological measure that effectively controls
access to a work protected under this title”
• EUCD §5: “Member States shall provide
adequate legal protection against the
circumvention of any effective technological
measures”
• Similar provisions in various US FTAs ever
since
• All mirror detailed US proposals to WIPO that
were overruled during development of WCT

14. TPM realpolitik
• “Accurate, technological enforcement of the law of
fair use is far beyond today's state of the art and
may well remain so permanently” –Ed Felten
(2003)
• “Legal backing for the right of access is essential
in the interests of social inclusion and equitable
treatment of people with disabilities” –European
Blind Union (2006)
• “Why would the big four music companies agree
to let Apple and others distribute their music
without using DRM systems to protect it? The
simplest answer is because DRMs haven’t
worked, and may never work, to halt music

15. WIPO summary
• Consensus reached on TPM policy in UN
agency, but implementation was driven by US
and EU IP/trade agencies with widespread
contention from users of © works – limited
process and results legitimacy
• Effective regulation extremely difficult given
global availability of TPM circumvention
knowledge, programmers, distribution channel
for code and unprotected works, existing
insecure platforms (CDs), open PC platform
and user demand

16. ICANN
• Internet Corporation for
Assigned Names and
Numbers
• Private, public-benefit
Californian corp (1998)
operating under
agreement with US
Department of Commerce
• Manages DNS, IP address
and port allocation

17. ICANN governance
• Original attempts to elect board abandoned in 2002
• Now focused on process and result legitimacy
• “to ensure the stable and secure operation of the
Internet's unique identifier systems”

18. ICANN rhetoric
• “Burdensome, bureaucratic oversight is out of
place in an Internet structure that has worked
so well for many around the globe.” –
Condoleeza Rice (2005)
• “No intergovernmental body should control the
Internet, whether it's the UN or any other.” –
David Gross (2005)
• “On Internet governance, three words tend to
come to mind: lack of legitimacy. In our digital
world, only one nation decides for all of us.” –
Brazilian WSIS delegation (2005)

19. ICANN realpolitik
• Internet governance is “definitely a travelling
roadshow, if not a flying circus”-Markus
Kummer (2004)
• “The ITU version of [the Internet] blurs…
boundaries and takes us a step backwards
into a centrally controlled, centrally managed,
‘more than good enough’network—
administered, of course, by the ITU.” –Ross
Rader (2004)
• "Using 'talking shop' as a negative suggests
communication is a bad thing” –Emily Taylor

20. ICANN summary
• Source legitimacy still highly contentious –
online board elections abandoned, relies on
extreme consensus processes and result
legitimacy – limited objectives have been
achieved
• Governance has just about held together,
partly due to Internet community grudging
acceptance of ICANN as least-worst solution.
DNS alternatives are possible but so far
unpopular

21. Comparison
Encryption control Anti-circumvention Identifier management
Policy Maintain intelligence and Maintain excludability of Maintain a stable and
objective law enforcement intercept information goods secure addressing system
capability
Stakeholder SIGINT agencies, law Copyright holders, trade Registrants, registrars,
s enforcement (US: NSA, and IP agencies, trademark holders
NSC, DoJ), software cos consumer electronics firms
Legitimacy Source; little transparency Source, some process Multi-source, extreme
process, result
Framing Terrorists, paedophiles Piracy is killing music Private-sector innovation
Sites COCOM/Wassenaar, WIPO, US-EU-Japan The travelling circus
OECD, G8, special envoy coordination, FTAs,
special 301 procedure
Counter- Anti-Big Brother, US Defective by design, anti- Anti-democratic, US-
framing business interests innovation, anti- dominated
competitive, anti-fair use
Main Open source software, 1st Open source software, Finding consensus across
challenges amendment, economic P2P networks, consumer extreme range of stake-
espionage, consumer preferences, Apple market holders; legitimacy
preferences, campaigners power, campaigners

22. Conclusions
• Internet policy cycle takes decades, not years; it does
not provide democratic panaceas nor trivial
consensus
• Multi-stakeholder forums can take better account of
technocratic expertise and civil society than bilateral
and multilateral fora, building process and results
legitimacy
• Internet, cryptography and PCs have acted as a
powerful constraint on public and private sector
power; network effects and sunk cost make change
difficult – does some code have a constitutional
quality?
• Effective, legitimate global regulation of information is
hard; technological regulation is even harder
• The answer to the machine is often elsewhere

23. References
• W. Diffie & S. Landau (1998) Privacy on the line, MIT Press
• L. Lessig (1999) Code: and Other Laws of Cyberspace, Basic
Books
• P. Drahos with J. Braithwaite (2002) Information Feudalism,
Earthscan
• V. Mayer-Schönberger & M. Ziewitz (2007) Jefferson
Rebuffed: The United States And The Future Of Internet
Governance, Columbia Science & Technology Law Review 8, 188—
228
• I. Brown (2007) The evolution of anti-circumvention law,
International Review of Law, Computers & Technology 20(3) 239—
260
• R. Weber & M. Grosz (2008) Legitimate governing of the Internet,
In S. M. Kierkegaard (ed.), Synergies and Conflicts in Cyberlaw,
300—313
• A. Adams & I. Brown (2009) Keep looking: the answer to the
machine is elsewhere, Computers & Law 20(1)