Framework for Regulating the Internet

INTRODUCTION
MODES OF REGULATION
A SUGGESTED FRAMEWORK FOR REGULATIONCONCLUSION

INTRODUCTION

In attempting to regulate the internet, it must be asked: where do we begin? This chapter aims to answer this question. It looks at the various forms regulations can take and then draws up a framework within which these regulations operate. Here, the term “regulation” refers not only to black-letter laws but also to the entire regulatory mechanism, from the formulation of rules to their enforcement and compliance to the monitoring of their effectiveness. Ultimately, rules must be backed up with sanctions that bite and rewards that encourage compliance. Sanctions and rewards are important because without them, it is impossible to distinguish law-abiders from lawbreakers; eventually regulation fails.

It is often assumed that because the internet is such a personal medium, it is impossible to use law against it: how can the authorities pin me down if I can be anonymous, if I cannot be traced and if what

I do cannot be stopped. Such thinking is actually not very far from offline traffic offenses such as speeding or illegal parking. No country in the world can enforce its speeding or parking laws with one hundred percent efficacy. The car is a personal transport medium. Perhaps the biggest difference between on- and offline traffic is that cars in the offline world have a physical presence that makes them noticeable. Still, the point is that no police force enforces traffic rules with one hundred percent efficacy.

Law enforcement does not work so much by punishing offenders—although that is certainly important—but by preventing the offense from happening. That is, they are less effective in focusing on punishment rather than the threat of punishment. Does this work on the internet? Evidence suggests that it does. When the US Naval Academy punished 85 trainees for downloading copyrighted movies, music and computer software, the volume of downloads shrank dramatically.¹ The key was the threat of sanctions by the Naval Academy.

As this chapter will show, it is possible to apply the law to the internet, albeit limited results.

MODES OF REGULATION

Lawrence Lessig suggests that there are four modalities of regulation that could be applied to the internet:

• markets (by price and availability)
• social norms (by expectation, encouragement or embarrassment)

¹ Nelson Hernandez and Amy Argetsinger, “Midshipmen Disciplined over Downloads,” Washington Post, April 16, 2003, B3. http://www.washingtonpost.com/wp-dyn/articles/ A34564-2003Apr15.html (accessed December 29, 2003).

• architecture (what technology permits, favors, dissuades or prohibits)
• laws (by government and private sanctions and force)²

These are broad modes, for example, law can also encompass self-regulation. These modes are not mutually exclusive and in fact can and do overlap. A combination of modes may be necessary to address a problem. Spam and privacy concerns are two classic examples. A mix of social norms, technology and laws would be needed to ensure that such concerns are addressed.

With the internet, there is an additional level of complexity: the need for international cooperation. For example, Australia, one of the countries at the forefront of regulating the internet, is looking at mobilizing international support for spam.³

Market Mechanism

“Market mechanism” refers to the use of market forces as a regulatory or disciplinary device. If the business terms and conditions of one merchant are not favorable, find another who offers better terms. The market mechanism mode works in many, but not all, situations. For example, using such a mode assumes that consumers are informed in a competitive market. Where these conditions are not met, there is market failure.

Arguably, there is no pure market mechanism regulatory regime in the world. At the very least, one needs a contract to seal a deal and contracts are agreements enforced by the courts. So, in this mode, internet regulation relies predominantly on market discipline. The market can be a disciplining force if a firm that violates the rules, say,

² Lawrence Lessig, Code and Other Laws of Cyberspace (New York: Basic Books, 1999).

³ Declan McCullagh, “Australia Mulls Global Antispam Effort,” CNET News.com, April 16, 2003. http://zdnet.com.com/2100-1105-997131.html (accessed December 29, 2003).

of fairness, is exposed to other buyers. The fear of loss of reputation (and thus business) keeps the seller in check.

Because such a check requires the dissemination of information to the market, self-regulatory codes can be used in a market mechanism mode where there is information asymmetry, a state that exists where one party, typically the seller, has more information than the other. The seller gives information about his goods and services and hopes to differentiate himself from the rest of the field. It is then up to the consumer to decide if the information is important enough to sway his decision. An example of the market mechanism at work is Platform for Privacy Preferences (P3P). Although it could also be categorized as an example of “regulation through technology,” this technical standard treats privacy as a negotiable commodity instead of a human right. Websites that use P3P inform visitors of their privacy policies and it is then up to the visitor to accept or reject them.

There are several advantages to using the market mechanism mode. First, it costs very little for the market to take care of regulating and compliance. Second, market mechanism allows companies and consumers to exercise maximum freedom of choice and action. Third, it is dynamic in allowing rules to change to suit preferences over time.

The disadvantages are first that it does not protect the individual consumer. Consumers as a group can better protect themselves because they can stand up to the seller. But as an individual, the consumer is in a much weaker bargaining position. Second, the market mechanism mode does not work when there is market failure. This can be a definitional problem in that the same set of facts may be interpreted to mean market failure to some and something else to others.

Social Norms

A norm that is widely accepted on the internet is that posts to Usenet groups should be on topic, that is, relevant to the group. As the husband and wife team of lawyers, Canter and Siegel, learnt when

they advertised their immigration services on more than a thousand Usenet groups, the internet community can punish egregious breach of that norm. The more traditional methods included sending pizzas and magazine subscriptions to their office. Others sent the Bible (because of the size and contents) to their email box. More high-tech efforts included the development of a software program to seek out and remove the Canter and Siegel posts from the Usenet. In the end, various ISPs terminated their accounts.⁴

Sysadmins have also banded together to apply the “death penalty” to ISPs whom they feel have not done enough to combat Usenet or email spam. In both instances, the death penalty consists of denying service.⁵

Technology

The nature of the internet is such that technology is always considered as one of the options to be explored in solving online problems. Of course, not every problem can be solved through the use of technology but some can.

An early use of technology was the deployment of cancelbots that removes unwanted postings on Usenet groups. The use of cancelbots, however, is limited because there are few widely-accepted norms on the internet in the first case.

However, organizations may have their own norms, and here, technology can be more easily deployed. The University of Florida

⁴ Charles Arthur, “A Spammer in the Networks,” New Scientist 144 (1994). http://www.kkc.net/cs/new-sci1.txt (accessed September 2004).

⁵ In other instances, the self-appointed SubGenius Police Usenet Tactical Unit Mobile (SPUTUM), in collaboration with system administrators, has exacted the “Usenet death penalty” on service providers that allow their customers to post unsolicited bulk advertisements known as “spam”. The death penalty bars all messages sent by any subscriber of the recalcitrant service provider. Similarly, the managers of the “Realtime Blackhole List” and other anti-spam activists identify ISPs who, in the activists' opinion, have not done enough to prevent spammers from using their email relay systems to send spam to third parties.

developed a program that scans students' computer hard drives to detect if peer file-sharing has occurred. If the program detects that file-sharing6⁶ is taking place, it cuts off network access for thirty minutes and issues a warning to the computer. If students commit the offense a second time, their network access will be denied for five days; a third offense leads to indefinite suspension of network access and the case will be sent to the university's disciplinary body. With the implementation of this program, university officials reported a dramatic drop in peer file-sharing. The University of Nevada, Reno, credits its success in avoiding copyright problems to its close monitoring of network traffic.⁷ In the US,an increasing number of ISPs are scanning email attachments to reduce the spread of viruses.⁸

In the area of online privacy, there have been a number of creative proposals, but each seems to face the limitation of not being able to effectively address the problem. For example, certain software, such as Zero-Knowledge (before the company went defunct), disguise the user. In effect, this bypasses the privacy issue because the merchant still collects information about the end-user albeit a “made-up” end-user. This approach is not satisfactory because businesses would find it difficult to gather information about the consumer. The costs of acquiring and serving customers increase and they will eventually be passed to the consumer.

Another creative use of privacy technology, P3P, faces the problem of not being able to sufficiently protect privacy without offline laws in the first place. A website owner is supposed to rate his site on a privacy scale. A visitor would set his or her privacy

⁶ “Automated Tool Enforces Student P2P Restrictions,” Wired News, October 3, 2003. http://www.wired.com/news/digiwood/0,1412,60613,00.html (accessed December 29, 2003).

⁷ “Network Monitoring at UNR,” Reno Gazette Journal, September 13, 2003. http://www.rgj.com/news/stories/html/2003/09/13/51606.php (accessed December 29, 2003).

⁸ “ISPs Plan to Scan All E-Mail Attachments,” Washington Post, August 27, 2003. http://www.washingtonpost.com/wp-dyn/articles/A54406-2003Aug27.html.

preference at a certain level. If the website visited has a lower privacy threshold, the user is alerted. He or she is then given sight of the policy and can then decide whether to visit or transact on the site. In P3P, the website owner holds out a standard of privacy on his site. If the site owner still breaches the standard promised, the visitor has no immediate recourse. A supporter of P3P, the Center for Democracy and Technology, has said that “P3P cannot protect the privacy of users in jurisdictions with insufficient data privacy laws” and “cannot ensure that companies follow privacy policies.”⁹ What P3P hopes to achieve is accountability through transparency. The technology makes it easier to locate and compare privacy policies. It is then up to the consumer to decide whether to transact based on their understanding of the policy.

In 2001, a Dutch-led consortium announced that they had been awarded a three-year €3.2 million (about US$3 million then) contract from the European Community and the Netherlands' Ministry of Economic Affairs to create a Privacy Incorporated Software Agent (PISA) that would meet the requirements of the European Union (EU) data protection directives. PISA plans to develop a privacy enhancing technology (PET) architecture by 2002 and to develop a test version of the program by 2004.¹⁰ As if to demonstrate the difficulty of the project, although the final report is titled “Building a Privacy Guardian for the Electronic Age,” it talks much more about security than privacy.¹¹

⁹ D. Mulligan, “P3P and Privacy: An Update for the Privacy Community,” March 28, 2000, Center for Democracy and Technology. http://www.cdt.org/privacy/pet/p3pprivacy.html (accessed January 31, 2001).

¹⁰ TNO-FEL, “Fast and Safe Internet Work with PISA,” January 17, 2001. http://www.tno.nl/instit/fel/pisa/press_release_start_pisa_17012001.html (accessed January 31, 2001).

¹¹ K. Cartrysse and J.C.A. van der Lubbe, “Building a Privacy Guardian for the Electronic Age,” January 1, 2004. http://www.pet-pisa.nl/dsegi/ds.py/Get/File-289/PISA-D15-WP3-TUD information theoretic approach on mobile software agents.pdf/ (accessed December 30, 2004).

Experience suggests that PISA would more likely play a supplementary role to the law. But as the EU has a data protection law,¹² PISA would enter an environment in which it may have a chance to succeed.

Government Legislation

The most commonly understood mode of regulation is government legislation, which is essentially government decrees. Its advantage is certainty—clear rules and certain enforcement. Such certainty is not to be lightly dismissed because the lack of certainty hampers business activity, which in turn hinders the growth of the economy.

But there are major drawbacks in applying government legislation to the internet, the most significant being that the net is still in its developmental stage. Laws, however, tend to be rigid and slow to change; in fact they need to be so for the sake of certainty. Locking in laws that regulate an industry in its nascent stage will hinder its development. Second, there is the cost of compliance. Depending on what is required, the costs can be high. The US Children's Online Privacy Protection Act, which came into effect in April 2000, has forced some sites to close those sections that cater to children because of compliance costs.¹³

As will be argued in this book, which mode of regulation to use depends to a great extent on the context in which the regulation is intended to apply. In other words, some modes are better suited than others depending on what is being regulated. In offline advertising, for example, a combination of industry self-regulation and government legislation applies; there is no reason to think that in the

¹² H. Burket, “Privacy-enhancing Technologies: Typology, Critique, Vision,” in Technology and Privacy: The New Landscape, eds., P. Agre and M. Rotenberg, 125-42 (Cambridge, MA: MIT Press, 1997).

¹³ “Net Privacy Law Costs Children's Sites,” USA Today, September 14, 2000. http://www.usatoday.com/life/cyber/tech/cti526.htm (accessed Janaury 31, 2001).

online world, there should be a wholly different approach. In other cases, the law has been shaped through iteration, with those first in the market suffering the disadvantage of being pioneers. Thus laws that exempt network providers from liability for content they merely carry have evolved. Chapter 6 traces the evolution and highlights the needs for industry input to formulate internet regulations. Further, the mode of regulation will depend on the severity of the problem. Thus the problem of spam has grown to such proportions globally that there is an outcry for government legislation, as opposed to industry self-regulation.

In short, there is no one mode for regulation. Self-regulation, much touted as the preferred mode for the internet, has its limitations. The trick is to be open to the mode that best suits the situation at hand. If this sounds like the contingent theory of regulation, it is because the regulations are still at their experimental stage. Regulators are still learning how to regulate the internet and academics are still arguing over both the rules and the mode.

The following framework should therefore be seen in that light: it is an attempt to put into a structure that which is hotly debated. This framework was developed some years back with my colleague, Yeo Tiong Min, and has proven to be robust. One source of comfort is that the Internet Act in the US state of Virginia, encompasses the entire framework save for one key area: copyright. And the reason for that is that US federal law applies in that area.

A SUGGESTED FRAMEWORK FOR REGULATION

This framework for regulating the internet is premised on the observation that in many countries, the issue is not whether the internet should be free or not. In many countries, the internet is, by default, free. In contrast, the internet was subject to more regulation when it was introduced in the US than any other country.

The reason is that the components of the internet were invented in the US and they were already subject to US regulation. What is the internet? It is a network (the architecture of which was invented in the US) made up of computers (invented in the US) hooked up to one another through telecommunication links (of which the original was a made-in-the-USA telephone).¹⁴

The place of invention is important. It is likely to be the location for advancement as well as use of the invention. The location would also likely be the place where the rules governing the invention would be most advanced. In this case, the rules governing the use of the components of the internet—telecommunications, networks and computing hard- and software—are certainly the most advanced in the US.

In many instances, the US has had no need to pass laws to prosecute offenders who use the internet as a medium to commit offenses. A classic example is the Love Bug virus case discussed in the previous chapter. Hence, when US users proclaim that there should be no laws for cyberspace, they come from a different social, economic and legal environment altogether. In many developing countries, new laws are required.

The framework is a guide for countries wanting to know how to begin regulating cyberspace. In general, rules concerning the internet should be formulated as the problem is encountered. That is, rules should not be formulated in anticipation of the development of technology. There are many reasons for this course of behavior.

First, it is not easy to anticipate technological development. The US state of Utah, for example, pioneered the world's first digital signature law in 1995. Within a year, half a dozen states in the US

¹⁴ Michael L. Dertouzos in his book What Will Be? credits Tim Berners-Lee with inventing the web. But even so, Dertouzos acknowledged that it was the appearance of browsers such as Mosaic and Netscape that made it a universal phenomenon.

were modeling their digital signature law on Utah's.¹⁵ That law, however, is predicated on the use of certain technology. Today, it is recognized that that law needs to change to keep pace with the advancement of change technology.¹⁶ Its basic flaw is that it was too far ahead of its time, and while it addressed issues current at the time it was drafted, it does not address issues that are current today.

Second, the law is at its best when it serves real-life, practical problems, not some hypothesized scenario. This is the strength of the British common law system, where the law develops through cases instead of legislation. In the short term, there can be vagueness and ambiguity in the applicability and application of rules. But in the long term, the rules that emerge are more robust because they address real-life problems.

Third, because technology changes quickly, it is not possible to predict how a law may stunt and stifle instead of help the development of technology. A classic example is the use of push technology. Around June 1997, a group of students came to the author to look into push technology for their final-year academic project. Within six months, just as they had completed data collection but before they began writing their report, it was clear that push was dead. PointCast, the company that had pioneered the technology, went from US$250 million in valuation to virtually being unsaleable. It was sold in 1999 for US$7 million to investment firm Idealab, then buried as EntryPoint, Infogate.¹⁷

¹⁵ Brad Biddle, “Digital Signature Legislation: Some Reasons for Concern,” 1996. http://www.inet-one.com/cypherpunks/dir.96.02.22-96.02.28/msg00090.html (accessed October 2, 2002).

¹⁶ C. Bradford Biddle, “Digital Signature Legislation: Flawed Efforts will Hurt Consumers and Impede Development of a Public Key Infrastructure,” CPSR News, 13(3) (1995). http://www.cpsr.org/publications/newsletters/issues/1995/Fall1995/biddle.html (accessed October 2, 2002).

¹⁷ Craig Bicknell, “PointCast Coffin about to Shut,” WIRED, March 29, 2000. http://www.wired.com/news/business/0,1367,35208,00.html; “PointCast Fire Sale,” WIRED News Report, May 11, 1999. http://www.wired.com/news/business/0,1367,19618,00.html; Joanna Glasner, “PointCast Feeling Pushed Out,” WIRED, March 6, 1999. http://www.wired.com/news/business/0,1367,18286-2,00.html.

The following framework is intended as a guide to cover the salient issues that a policy-maker will face in drawing up legislation for a country. The order in which the issues are presented is likely to be the order in which countries implement rules for cyberspace. The precise order will likely vary according to the needs of the country in question.

Access and Service Provision

The first set of rules should address the basic: access and service provision of telecommunications services in order to provide internet services. Ideally, there should be competition in this area in order to drive down prices and increase consumer choice. Regulations may be necessary to ensure fair competition if no competition laws exist. For example, the incumbent telecommunications company should not be allowed to exercise its incumbent and, where it exists, monopoly power. It should be compelled to interconnect.

On hindsight, the breakup of the US telecommunications giant AT&T under the supervision of Judge Greene, lowered telephone tariffs and contributed to the telecommunications and internet boom in America. The evidence is compelling that competition in telecommunications, by lowering prices in the short term, will spur the diffusion of the internet.

As far as possible, there should be a level playing field for ISPs. Service providers should also be immunized from liability where it can be shown that they have acted responsibly. This issue is discussed in greater detail later in Chapter 5 on the liability of intermediaries for third-party content.

Issues Relating to Ecommerce

Commercial interests spurred the diffusion of the internet. At one stage, virtually all the words in the English dictionary were being

tagged for dot-coms.¹⁸ Therefore, ensuring that the legal system addresses ecommerce will support leverage and businesses to diffuse the internet. The point about addressing ecommerce issues is not that all activity in cyberspace are commercial. Rather, the point is that by addressing these issues, one also addresses a whole host of other issues that must be resolved in order for cyberspace to thrive.

For example, looking into ecommerce rules necessitates the courts to recognize and accept electronic evidence. As recently as the mid-1990s, in communications with government officials from developing countries, the author invariably encountered countries that had no law to recognize electronic evidence. This means that an email offer is not admissible in court. Without electronic evidence, it is impossible to conclude a contract or to prosecute offenders in cyberspace.

A whole plethora of laws are needed to support ecommerce: authentication, digital signature, privacy, fraud protection, etc. For example, in 2001, identity theft was the number one theft complaint to the US Federal Trade Commission at 86,168, compared with 40,000 in 2000¹⁹

Another area that would require looking into is taxation rules. The US Congress imposed two moratoria on collecting taxes from online businesses. However, traditional businesses are chafing. And rightly so. If the internet is indeed to be a major force for commerce, it will take away business from the offline world that is taxed. The

¹⁸ Joanna Glasner, “Dot Coms? They're for Losers,” WIRED, June 12, 2000. http://www.wired.com/news/business/0,1367,36828-2,00.html; Chris Oakes, “Tip of the dot-com backlash?” WIRED, March 24, 2000. http:// www.wired.com/news/business/0,1367,35154-2,00.html. Michael Schrage, “Night of the Living-Dead Sites,” WIRED, January 21, 1997. http:// www.wired.com/news/business/0,1367,1552,00.html.

¹⁹ US Federal Trade Commission, Identity Theft Complaint Data, http://www.consumer.gov/idtheft/reports.htm (accessed October 3, 2002). See also Jonathan J. Rusch, “Identity Theft: Fact and Fiction,” CNET Tech News, September 18, 2002. http://news.com.com/2010-1075-958328.html.

loss of revenue must be made up somehow. Should the tax be levied at every node where an ecommerce transaction passes? Such thorny issues should be resolved at an international level because some form of harmonization and coordination is probably best. And it is questionable if there are 190 experts (the number of recognized countries in the world) who can tackle the matter with equal aplomb.

Content Regulation

The basic rule for cyberspace is that offline laws also apply to the online world. The major issue with regulating cyberspace content is that the laws that apply online must reconcile, as far as possible, with the offline regime.

A common, but initial, concern is pornography. In many Asian countries, pornography is outlawed. On the internet, however, it is difficult to block such content. Singapore and the United Arab Emirates made a symbolic gesture by blocking 100 high-traffic pornographic sites through a proxy service. Increasingly, there are also filtered services updated monthly that block such sites.

Of more recent concern is rules that are meant to protect national interests. For example, hate sites have been blocked from access in France and Germany. Lessig expresses the concern that the internet would be under siege from such interests. In the author's view, this concern is misplaced because the internet will continue to play host to fringe groups of many kinds. Nevertheless, Lessig's point is valid to the extent that the internet, like any communication medium, thrives best when there is the greatest freedom.

Security and Encryption

Security is a significant issue in cyberspace because of the prevalence of hacking. The issue is not trivial. The author has had the unfortunate experience of having a site hacked down to its root—the

computer could not even be re-booted. It took technical support a whole Saturday to restore the system and secure the site.

Still, the nature of the internet makes it impossible to fully secure websites. Therefore some sanctions are in order to reduce such destructive behavior. There is no reason for anyone to destroy someone else's site unless perhaps as an act of war.

Many countries have set up a group of experts called the Computer Emergency Response Team (CERT) to battle viruses, Trojan horses and phishing scams. The first CERT was set up by the Department of Defense in the Software Engineering Insitute of Carnegie Mellon University after the Morris worm infected 6,000 servers—ten percent of the internet in 1988.²⁰ Today, the various CERTs meet and trade information under a global organization called the Forum of Incident Response and Security Teams (FIRST). Although intended originally to combat viruses, today's CERTs are also expected to handle cyber attacks of the networks, especially in the context of battling terrorism.

Intellectual Property Rights

The basic point here is that intellectual property rights (IPR) must be extended to the realm of cyberspace. In most instances, this means strengthening the rights of rights holders. For instance, an author who used to write for a newspaper will now be paid if his material is posted on the web.

IPR, however, is tricky.

The general trend is that IPR is strengthening in favor of the rights holder. The World Intellectual Property Organization (WIPO) Treaty of 1996 signifies the world's acknowledgement of the significance of

²⁰ Frank Hayes, “The Story so Far,” ComputerWorld, July 14, 2003. http://gaia.ccs.csus.edu/~buckley/The%20Story%20So%20Far%20-%20Computerworld.htm (accessed December 30, 2004).

IPR. A country that refuses to play by those rules will be shut out of the information economy. However, IPR requires a balance—something noted in all literature but is increasingly ignored in the pursuit of financial gain.

A question is whether in the longer term, copyright rules will hinder the development of science. Already books, journals and databases for libraries are getting increasingly expensive.

There is concern that many countries with little intellectual property to sell have little incentive to protect the intellectual property rights of others. The US used to be the biggest violator of copyright. Stories abound of pirates literally rowing out to meet incoming ships so as to beat the competition in running off copies of Charles Dickens' latest book. Now that the shoe is on the other foot, the US is attempting to protect the rights of its citizens and corporations through some not-so-subtle means.

Nevertheless, the basic premise is valid: IPR has to be respected if a country is to develop its own information industry.

Privacy and Data Protection

Although used synonymously, these are related but not quite identical concepts. The idea is that the privacy of users should be respected so that users will come to trust the internet. Data protection is the means to achieving privacy protection.

The issue arises because it is computing power that makes for the heightened possibility of invasion of privacy—the collection of private details of an individual—but the steps were so tedious and expensive that it was just not practical or feasible. But with the computer, it is now possible to find out enough information about people to direct marketing material at them.

Privacy is a relatively new concept to many developing countries for which the word is only a recent invention in their mother tongue—Chinese and Malay come to mind. But with the internet,

there has been the heightened awareness of privacy. It is no longer possible to put the privacy genie back into the bottle.

The author has put privacy last in the framework because, although privacy concerns have increased, in reality a significant proportion of users seem oblivious or indifferent to it. Alan Westin's surveys of privacy indicate that privacy concerns are rising: the percentage of those he calls “privacy unconcerned” has fallen from twenty to ten percent, while twelve percent of the “privacy indifferent” have become “privacy fundamentalist.”²¹

CONCLUSION

The framework is a guide to implementing rules to make cyberspace function better. In developed countries, much of the rules are in place. For the developing countries, implementing the rules will only be playing catch up. Table 2.1 summarizes the policy and legal issues just discussed above.

²¹ Rick Whiting, “Wary Customers Don't Trust Business to Protect Privacy,” Information Week, August 19, 2002. http://www.informationweek.com/story/IWK20020816S0009 (accessed February 19, 2003).