Memorandum by Jeffrey Cooper and Amy Friedlander,
PhD, Centre for Information Strategy and Policy, Science Applications
International Corporation, on Trust: A Baseline for Future Governance and
e-Commerce
"Everything comes if a man will only wait."
Benjamin Disraeli (Earl Beaconsfield) Tancred. Book iv. Chap.
viii. (1847.) As found in Bartlett's Familiar Quotations, bartleby.com
(http://www.bartleby.com/)
In a White Paper issued in December 1999, Internet
co-inventors Robert Kahn and Vinton Cerf drew a critical distinction
between the Internet as a communications architecture and the
Internet as an information system. In the former guise, the Internet
deals with "communications connectivity, packet delivery
and a variety of end-end communications services", all
essentially engineering issues. In the latter, the architecture
concerns "creation, storage and access to a wide range of
information resources" that are "independent of its
underlying communications infrastructure."[30]
Thus, issues that arise from the communications infrastructure,
while technically challenging, have the property that satisfaction
can be measured according to widely accepted engineering criteria:
speed, robustness, reliability, and so on. However, satisfaction
with respect to information, by which we mean content and services (including
all of e-commerce and e-business), can be much more difficult
to achieve since the benchmarks are largely qualitative and, most
importantly, culturally based. What constitutes satisfactory protection
of personal privacy? What is the nature of the intellectual property
regime, whom does it favor, and how will it be enforced? And what
are the relative roles, responsibilities, rights and privileges
of governments and their citizens in creating and maintaining
the rapidly expanding Internet?
However, a fundamental question from either
perspective is building trust in the system. By this, we mean
trust in the engineering of the system itself (that it is
secure, robust and reliable) as well as trust, or confidence,
in the information and services that rely on the engineering architecture (that
they are authentic and will perform and be used according to our
expectations). To use the language of command and control, that
the system, whether engineering or information, does what we expect
it to do when we expect it to do so, and that it does not do what
we expect it not to do.[31]
Many of the issues that presently dominate the global e-agenda
traverse both the engineering and the content (for want of a better
word) domains. Information security, for example, is both an engineering
challenge and a question of data integrity, fraud and personal
privacy. But in a rapidly changing environment in which the tools,
the services and the potential threats are changing before our
eyes, we argue that it is better to do less rather than more,
lest well-intentioned legislation on the books becomes an impediment
to future change.
For the command and control analogy, see Stephen
J Lukasik, Will We Consider Ourselves Better Off? IEEE Internet
Computing (January/February 2000), p 47.
The current furore over Napster in the United
States is a case in point. Napster is an Internet service that
enables visitors to share MP3 music files and play music files
located on others' computers, most of which are pirated versions
of copyrighted music. Sued by the Recording Industry Association
of America (RIAA) in December 1999, Napster claimed in its defence
that it serves as a "mere conduit," and is thereby exempted
from responsibility for any copyrighted material transmitted.
This was a position that appeared to be consistent with the terms
of the Digital Millennium Copyright Act, passed in 1998, in part
to bring the US into compliance with existing international treaty
obligations concerning intellectual property rights. Chief Judge
Marilyn Hall Patel of the US District Court of Northern California,
however, rejected Napster's claim that it was a "mere conduit."
The judge's ruling leaves Napster with two remaining legal arguments:
that Napster functions as an Internet search engine, a category
of site protected by federal law; and that while pirated music
is sometimes transmitted on the site, Napster has other legal
uses.[32]
Since Judge Patel's finding, the Progressive
Policy Institute, a New Democrat think tank affiliated with the
Democratic Leadership Council (DLC), has released a policy brief
that, the New York Times reports, calls for additional restrictions.
Specifically, "the report recommends that the digital copyright
law be amended 'to hold Napster, its users, and similar services
accountable for copyright violations while maintaining protections
from liability for service providers that are innocent bystanders
to digital piracy.'"[33]
According to the story, the report goes on to suggest that Napster
be required to collect personally identifiable and verifiable information
from users, such as credit card data, that presumably would
be made available to enforcement agencies. The story concludes
with a comment from the Electronic Frontier Foundation, a civil
liberties group, taking strong exception: "To say you are
going to take a whole new category of software and strangle it
in its infancy because one of its first uses resulted in piracy, that's
a bad idea."[34]
This disagreement between the Progressive Policy
Institute (PPI) and the Electronic Frontier Foundation (EFF) is
interesting from the perspective of the implications of new Internet
uses on American politics. Until now, we would have expected both
groups to line up on the same side, and for both to oppose intervention, either
in the technology or in matters of collecting personal information
for purposes of enforcement. Yet the fissure between former allies (between
the New Democrats, who have consistently called for less intrusive
government as well as industry self-regulation, and the privacy
advocates, who tend to be inherently suspicious of government
and its potential abuses) could not be more obvious. To compound
the confusion, it is not hard to find some privacy advocates in
the US, at the Electronic Privacy Information Center (EPIC), calling
for more government intervention to protect individual liberties.
We recognise that the mosaic of interests that
broadly coalesce into the American political party system will
not be replicated elsewhere; indeed, it is well known that the
political parties in the UK, for example, are far more disciplined
and more formally integrated into the parliamentary system. Yet
similar fault lines in traditional coalitions will be engendered
by other Internet issues (eg taxation of goods and services).
Thus, the Napster case suggests the ways that new technologies
shred existing alliances and that increasingly, alliances will
be fluid and temporary, adding to the difficulties in charting
a course in an unstable world.
I. GLOBAL INSTABILITY
Embedded in the notion of "trust" are the
values of consistency, coherence and fairness. Citizens are more
likely to have confidence in their civil servants and elected
officials when public behaviour meets public expectations and
is generally predictable and fair. Moreover, instilling trust
frequently lies in the details: having trains run on time matters.
Thus, in the US, a major concern during the Y2K roll-over was
ensuring that Social Security checks[35]
arrived on time, and to that end, they were mailed out early.
The stability of the financial system was also critical, and not
surprisingly, both oversight agencies and the financial institutions
moved early and aggressively to ensure that their systems were
Y2K compliant and backed-up.
The fundamental success in averting a Y2K meltdown,
perhaps, disguises the difficulties of sustaining a baseline of
social and economic security within and among nations at the threshold
of the new millennium. Since 1990, the world has been and remains
catalysed by three major and mutually-reinforcing trends: democratisation
of political systems following the end of the Cold War; globalization,
with the increasing interaction and interdependency of market
economies; and the Information Revolution. Specifically:
1. The collapse of the Soviet Union accelerated
a larger trend that has resulted in a sharp tilt of the political
landscape towards democracy. Even fundamentally authoritarian
regimes have integrated certain democratic forms if not the values
of liberal societies.
2. Characterised by high economic growth
rates and the integration of free market economies, increased
access and opportunities across borders, and decreasing central
government control, liberalisation has unleashed a wave of restructuring,
striking at formerly autarkic economies, previously dominant industries,
industrial monopolies, and established economic hierarchies. At
the same time, it is creating a single worldwide market with its
own terms and conditions that discipline particularistic and mercantilist
tendencies.
3. The Information Revolution encompasses
the new technologies for collecting, processing, transmitting,
distributing, and displaying information.
While the information technology industry had
evolved significantly during the Cold War, the downsizing of the
defence technology sector following the collapse of the bipolar
competition shifted the weight of technology research and development
to the private sector. This commercial proliferation of advanced
technologies is altering all the familiar political, economic,
socio-cultural, and military dimensions at a rate that most people
find difficult to accommodate and in ways that they do not fully
comprehend.[36]
Other new technologies, such as biotechnology, put similar premiums
on research and knowledge as opposed to exploitation of physical
resources and mass production.
The Information Revolution is creating three
distinct types of effects: New information technologies democratise
access to and control over information, thus reinforcing other
factors for democratisation. Increased fractiousness and posturing
inhibiting reaching enforceable multilateral agreements can be
an unintended consequence. Information has also become the key
to economic globalisation by increasing awareness of worldwide
alternatives and by reducing classic sources of transactional
friction. Even states that are committed to maintaining party
control, such as China, find it difficult to choose to stand aside.
Finally, the seamless interconnectivity that prevents tight control
of information by governments also allows access to previously
protected spaces, reduces control by established institutions,
and makes them potentially vulnerable to penetration and "infection"
by outside information, both electronic and cognitive. Thus, strategic
threats to critical national infrastructures no longer come only
from nation-states.
Perhaps the two most important induced effects
are the loss of control by traditional élites and hierarchies
and the accompanying growth of transparency and openness. Democratisation
shifted the locus of political power to individuals and away from
traditional leaders. Liberalisation has caused much of the same
impact in the economic domain by replacing top-down decisions
with bottom-up choices made by markets with broad public participation
in many activities formerly controlled as "closed" systems.
Finally, the technologies of the Information Revolution have diffused
the ability to control the power of information. Similarly, transparency
and openness have been fostered by greater public participation
in the political and economic decision processes since neither
democracy nor markets work well without the free flow of information,
producing a "virtuous circle" of information, liberalisation
of markets and democratisation.
Unfortunately, this virtuous circle also has
a dark side. Increased openness and transparency and the decline
of centralised, hierarchical control have contributed in many
countries to internal disintegration along ethnic, religious and
linguistic lines as well as to aggression among neighbouring states
over geographic, resource or iconic issues. Weak civic structures
with only the veneer of democracy have resulted in instability,
particularly with the abrupt shift from notoriously strong authoritarian
structures to new chaotic democracies.
The loss of centralised control has also cost
states their traditional monopoly over the instruments of large-scale
violence as well as its legitimate use. This reduces the ability
of states to maintain domestic order and increases the chances
for the proliferation of technologies and weapons of mass destruction.
Instability and systemic corruption under the veneer of democracy
coupled with displaced social, political and economic elites create
an environment in which separatist pressures for self-determination
can easily blend with often popular nationalism to produce strong
revanchist tendencies, frequently fed by charismatic or populist
leaders, who see an opportunity to garner power.
At the same time, fears over contamination by
foreign values and concern over "cultural imperialism"
find fertile ground not only in smaller states but also in larger,
traditional world powers (and sometimes allies) such as China,
Russia, and France. Governments fear the loss of control over
their domestic economies as well as loss of economic sovereignty,
particularly where internal stability has often been maintained
through national controls on markets, such as taxes and regulations.
There is strong evidence that reduced government control leads
to substantially increased volatility (of exchange rates,
trade balances, and interest rates, among others); much of the
impact is due to increasing marketisation and securitisation of
critical elements of the world's economy. Furthermore, investors,
especially foreign investors with fiduciary responsibilities,
demand openness and transparency of economic decisions, and increasingly
of political decisions as well, potentially provoking further
destabilisation, division and unrest.
Against this broader background, the "Love
Bug" virus of early May suggests some of the vulnerabilities
of the Internet and the societies increasingly dependent on it.
From the perspective of infrastructure, inter-connected, tightly-coupled
systems promise greater efficiencies whether viewed at the network
level or at the machine level. However, greater interdependency
can increase vulnerability:[37] taking
down the electrical system now affects not only light, heat and
power but also asynchronous and real-time access to information
vital to financial markets, banking systems, retirement funds
and an increasing array of records from health care to voting
to corporate personnel. It is analogous within the machine. As
Kurt Kleiner and Duncan Graham-Rowe argue in the New Scientist,
one of the features that enabled the virus to sweep through individual
machines so easily is the close connection between the Microsoft
operating system and the Outlook e-mail application.[38]
Greater separation between the application software and the underlying
system as well as greater diversity among software applications
would "make software more resilient" and increase security.
The trade-off, it is feared, would be greater inefficiencies in
the system, in the worst nightmare, a return to a version of the
days in which an e-mail account through AOL did not talk to an
e-mail account through CompuServe.
Thus, the infrastructure (the nuts, bolts,
wires and waves together with the systems software that makes
the hardware work) matters to the applications, to the informational
parts of the system with which most of us will interact. And information
security concerns apply to the communications architecture as
well as to the uses that ride that architecture. The "Love
Bug" virus is believed to have cost people millions in downtime
and maintenance.[39]
This means that the disputes and decisions that traditionally
take place within such venues as standards setting organisations,
the International Telecommunications Union, the World Trade Organization
and so on, which govern what the facilities will look like, matter
to policy arenas such as e-commerce. It is no accident, to use
a familiar Soviet expression, that telecommunications access has
been consistently cited as a barrier to the expansion of e-commerce
from Europe to Japan or that mobile e-commerce, ie e-commerce that
relies on wireless, mobile devices, is likely to take off where
traditional, wireline telephony has posed a constraint. For example,
on May 19, 2000, the Financial Times reported that 25 per
cent of the population of Estonia were using the Internet based
on new wireless technologies rather than older telephone lines,
reflecting slow development of telecommunications during the
previous Communist period.[40]
But we caution against positing a false substitution
effect, namely, that expansion of mobile services necessarily
implies a decline in wireline services. Historically, the TCP/IP
protocol itself came about as a means of linking ALOHANet (in
Hawaii) via satellite with networks in the continental US; the
goal was to render the communications signals "platform independent."
This was successfully achieved in the early 1970s, and convergence
of formerly distinct technologies (cable, telephony, broadcast,
etc.) now creates havoc in the traditional telecommunications
and broadcast industries: publishing, entertainment (TV, radio,
and film), and a host of other industries that relied wholly or
in part on these systems. The alignment of certain functions with
certain technologies is collapsing, rendering existing regulatory,
economic and commercial arrangements muddied and disorganised.
Is cellular telephone service, for example, to be priced the same
as wireline? What functions and capabilities are suitable to a
small handheld device? The absence of a space for a keyboard on
a small portable is supposedly offset by a voice interface, but
at least one very well-regarded computer designer has expressed
skepticism, at least for the near term.[41]
From the technological perspective, there is
a tension between those who argue that information appliances
(specialised devices that have relatively limited functionality)
are the vehicle for e-commerce services and those who believe
in general purpose machines (the personal computer). It is probably
too early to tell which kind of device will predominate. Rather,
in the near term, an ecology of information devices and services,
including business, financial and retail consumer services, is
likely to ride on an increasingly heterogeneous infrastructure
that represents the convergence of a series of communications
technologies. We do feel confident in predicting total global
growth. Indeed, some have argued that the relative position of
the U.S. e-Commerce market will decline, so that by 2003, US Internet
users may sink to 37 per cent from 42 per cent by the end of 2000.
Western Europe is expected to reach almost 30 per cent by 2003,
followed by the Asia-Pacific region at 27 per cent, and Latin
America at more than 5 per cent.[42]
II. E-COMMERCE, E-BUSINESS AND THIRD PARTY SERVICES
Eighteen months ago, the US technical and business
press began to talk about the significance of e-business (the
back office systems that greatly improved internal transactions
processing as well as vendor relationships) relative to e-commerce,
the retail end. How we talk about e-commerce, or e-business, has
much to do with the context that supports it as well as the users
who demand it. As Jeetu Patel, Mark Schenecker, Gautam Desai,
and Jason Levitt pointed out in their December 7, 1998 Information
Week story, "there are two major types of e-commerce applications:
business-to-consumer and business-to-business."[43]
The hype over the holidays in 1999 was about business-to-consumer;
the predictions, then and now, are that the "real
impact" will be in business-to-business. This was followed
by a report from the US Department of Commerce that also found
that e-business applications dwarfed e-commerce applications by
orders of magnitude.[44]
Moreover, we are more properly talking about
many e-businesses, not just one. For example, a survey conducted
by Beyond Computing Magazine in 1999 found that only 25
per cent of the technology and business executives polled sold
products or services via the Internet, and 62 per cent of those
who did found that these sales accounted for less than 10 per
cent of their total revenues. However, these same enterprises
relied heavily on Internet technologies to improve their communications,
internal operations, and supply chains, and 82 per cent of them
expected to expand this functionality in 1999.[45]
Depending on the user, e-business or e-commerce can mean anything
from website and intranet technologies to data warehousing and
knowledge management tools to outsourcing help desk applications
to shared utilities. For example, an Internet service provider
offers clients access to servers, high speed connections, and
some constellation of technical and administrative services. One
class of relatively new Web-based applications are the applications
service providers (ASPs), who offer small and medium-sized companies
the advantages of industrial strength applications without the
threshold costs of installation and development, for a monthly
charge.[46]
As of this writing, the next "big thing"
is collaborative commerce or "c-business," which the
Gartner Insight electronic newsletter characterises as
the "most advanced form of e-business." c-Commerce applications
enable multiple enterprises to work interactively to spend, save
and solve problems, which can include restructuring relationships
as needed. These applications are expected to be deployed by 2004
and are best suited to "enterprises that are heavily dependent
on their ability to innovate and serve customers."[47]
A lot can happen in four years. But as of today,
the application service provider market, which could easily evolve
into supporting collaborative relationships, is looking robust.[48]
The New York Times has reported estimates of this market
at $5.3 billion in revenues by 2001, up from $400 million in 1998.
Small businesses in the US, a group that is finding the ASP model
very attractive, represent an annual market worth $71.2 billion
and the size of this market is expected to grow from 28 million
to 37 million by 2002. PC manufacturers have seized this opportunity
to provide services. And the service is cheap. "For monthly
fees starting at just $14 a month for Internet-based support or
Web hosting services," Bronwyn Fryer writes in the May 2000
issue of Upside Magazine, "small businesses can finally
avail themselves of the kind of computing support that corporations
enjoy. The players include vendors such as Micron, Dell and Gateway
as well as a "new wave of service companies" that woo
small business with a variety of soup-to-nuts computing services", including
e-Commerce capabilities.[49]
Such third-party relationships are not exclusive to North America.
Given Scandinavia's shortage of IT workers, the Financial Times
reports, Estonian companies are developing specific products to
fill Scandinavian companies' outsourcing needs.[50]
Thus, what the consumer sees in a sense is not
the totality of what the consumer gets, and consumer protection
is more than protection from shoddy merchandise and slipshod fulfillment.[51]
In addition to the infrastructural concerns, such as information
security and quality of service, the relationship between buyer
and seller may actually be mediated by several parties, not all
of whom may be visible to the buyer. Moreover, the intricacies
of issues that appear to be internal to business can profoundly
affect what consumers see and what they believe that they are
seeing. For example, recent court cases concerning trademarks,
cybersquatting, naming and addressing, and metadata point to the
growing reality that consumers believe that the URL has semantic
meaning in the conventional sense. That is, "IBM" means
"International Business Machines" and so on. Recently,
a US federal appeals court struck down an attempt by one vendor
to use the trademark of a second as part of its metadata (which
the user never sees but search engines use in retrieving results
on behalf of users), thus intending to lead users to its
site, rather like false signage on the highway.[52]
Trademarks, metadata, search engines: these are all technical
issues in law or engineering, yet they take on increasingly important
implications for consumers, blurring the distinctions between
what is business-to-business, which has been largely handled by
contract, and what is business-to-consumer, which has historic
ties to consumer protection regulation.
It is telling that both of these stories are from
magazines that cover the business and technical community and
tend to be sympathetic to, if not enthusiastic about, the technological
potential and virtuosity.
http://www.bna.com/e-law/cases/brookca9.html
Layers of relationships that are internal to
business but that profoundly affect the end-consumer are hardly
new to the Internet. The invention of money meant that buyer and
seller were emancipated from the problem of fortuitous double
coincidence of need that had characterised barter. Fiat money
(rather than specie or gold coin) meant that paper bank notes
circulated in lieu of the treasure itself. But paper money, particularly
in the US, was only as good as the bank that issued it and for
the first part of the 19th century, some money (that printed in
Philadelphia, for example) was considered "better" than
others because the issuing banks were considered more reliable.
Indeed, there were arbitrage markets in the US that dealt in various
financial instruments: currency, promissory notes, bills of exchange,
and so on. The system enabled goods to be traded over long distances,
which was particularly important to the expansion of staple crop
agriculture, but there was a series of intervening risk factors
that concerned the integrity of the bank and/or the trading house
that essentially underwrote the loan. The advent of checking in
the 1850s required two unspoken gestures of trust: that the writer
of the check banked with a reliable bank, which was itself enmeshed
in a series of financial relationships with other institutions,
and that the writer of the check had sufficient funds on account
to cover it. The system frequently imploded, and much of the financial
history of the U.S. from 1800 to 1930 is a series of 20-year cycles
of panics and crashes frequently occasioned by crises of public
confidence that precipitated a run on a local bank that could
not be contained. In the U.S. example, stability of the banking
and financial systems was finally achieved through a combination
of industry self-regulation and agreed-upon ground rules established
by state and federal authorities.[53]
This is a simple example; the mosaic of interests
and agencies that will be required to make e-Commerce work will
require similar spoken and unspoken acts of trust among many parties,
only two of which are the "buyer" and the "seller."
The question is: How is trust instilled in the system? And whose
responsibility is it?
III. CAPABILITY, RESPONSIBILITY AND AUTHORITY
Any assessment of the role of government and
the extent of its legitimate functions, including how it exercises
its powers, requires attention to three attributes of the new
information realities in the context of globalisation:
1. from information scarcity to abundance;
2. from top-down control towards collaborative
co-ordinative mechanisms, and
3. from restricted, hierarchical one-way
communications towards many-to-many networks, all of which
have profound political (as well as economic and social) effects.
Thus, a key element in developing an information
policy and strategy, whether national or global, which includes
a policy on e-Commerce, is to realign responsibility, authority,
and capability. Responsibility is defined here to mean the inherent
obligation to address the problem. Authority is defined as the
legitimated power to address the specified problem; it is granted
through explicit delegation by the people (or, in some systems,
seizure by coup de main), and it may be possessed by several holders
concurrently. Finally, Capability is the physical potential or
expert competence to address the problem. If an acceptable solution
is to be found, agreement on these issues must, however, be achieved
within the bounds of the social compacts that bind nations together.[54]
How this is accomplished (that is, the
choices of where to vest these powers and which instruments to
use) must be consistent with a nation's political beliefs,
economic system and social fabric. Many societies might choose
to place all these powers in the hands of the national government.
In contrast to many European nations, the tradition in the United
States has been to diffuse authority among levels of government
(federal, state and local) and, indeed, to retain many powers
in the hands of the people themselves. Whatever the frictional
losses, Americans prefer foregoing the arguable advantages of
centralised decision-making, believing that there is less risk
in minimising the powers granted to government.[55]
Alternatively, the American public often prefers to disperse authority
among many government hands, introducing additional complexity.
Anne-Marie Slaughter of Harvard University Law School has recently
argued that the state is becoming disaggregated as certain functions
are handled more or less informally through global networks rather
than through formal, state-to-state instruments.[56]
Her strongest evidence arises in financial and technical areas,
but her larger point has been echoed by others who point to human
rights and environmental agendas that have become influential
albeit non-state voices.[57]
Therefore, solutions to these critical choices appear
in learning how to induce, not order, appropriate actions by all
the relevant players, most significantly individuals and private
organisations. Civil society must be prompted to accept responsibility,
perhaps through liability and contract enforcement, and employ
its capabilities to protect its equities, not rely on government
to protect vital information services.[58]
Thus, New Scientist editorialised on 13 May 2000, that
consumers have a responsibility: to insist that the products they
buy are better. "It's time to start demanding better security.
Consumers need to push back. . . Nothing will change while we
continue to tolerate lax security."[59]
To the extent that private entities address
these important needs, the less excuse there will be for intrusive
government intervention. Indeed, to a large extent, the capabilities,
along with the necessary authorities, to protect information and
information systems, even those performing vital societal and
national security functions (except for those clearly owned and
operated by governments), already lie in the hands of private
owners and operators. However, these perspectives on distributed
power and more voluntary co-ordination are not fully shared around
the globe, witness debates over privacy and "safe harbour."
Therefore, it is to be expected that these different perspectives
will give rise to significant tensions as international agreements
are sought. We note, however, that how the issues are defined
will remain critical: there are important distinctions among personal
privacy, data protection and fraud that must be understood since
these definitional subtleties govern what should remain subject
to private agreements (contract) and what is fair game
for public involvement and oversight.
Based on the example of international spectrum
allocation in the early 20th century, it is likely that consensus
can be reached on topics of shared concern. In the case of radio
communications in the days before commercial broadcasting, consensus
on how to measure the asset, ie, the electromagnetic spectrum;
on who the relevant players should be, ie, representatives of
nations; and on core values, ie, safety at sea and the primacy
of national-cum-military interests, enabled interested parties
to draft treaties that were eventually ratified, albeit in the
wake of the Titanic disaster.[60]
Working out similar arrangements for our own revolution will likely
take time; adaptation to revolution is, by necessity, a long-term
process. How we choose to realign and balance these three critical
powers tells us much about our view of the social contract. That
said, the existence of WIPO and progress in international database
agreements, which may not be to the liking of everyone, indicate
that a framework can be created that does not impede continued
growth and diffusion of the technology and the services that ride
it. Yet.
Ultimately, the government's paramount responsibilities
are: (1) to provide "rules of the road" that foster
respect for appropriate behaviours and establish behavioural norms;
(2) to allow other parties, including other states, to accept
their appropriate responsibility and exercise their capabilities;
and (3) to commit to vigorous prosecution when criminal information
incidents occur. Over the past several years, legislative actions
to define criminal activities with respect to information systems,
coupled with increasingly effective and publicised prosecutions
for violations of those rules, have begun to establish societally
acceptable guidelines for behaviour. But as has been widely reported
in the US press, one of the inhibitors to identifying the possible
creator of the "Love Bug" virus is a limitation in Philippine
law, which substantially slowed down law enforcement.
Actions by governments are crucial to building
trust, which is the essential element of any co-operative regime.
Therefore, they underpin the overall framework for participatory
governance by the entire information community. It is clear that
government will not be able to execute its responsibilities for
the information age without non-government entities and private individuals
playing a major role in securing the information infrastructure.
Indeed, given the disarray among the three critical powers of
responsibility, authority, and capability, private users, whether
as individuals or organisations, may have the best opportunity
to align them in dealing with information problems throughout
the entire spectrum of potential incidents. Private entities may
be able to accomplish prevention and remediation of many impacts
within the context of an "information community" most
efficiently and at least cost. Self-regulation by industry in
the domain of privacy is a case in point. Whether this model can
be used to solve issues related to taxation is an open question.[61]
In the developed world, individuals, organisations,
or governments will not be able to choose to remain apart from
the interconnected network of systems and relationships if they
wish to function as part of society. An over-riding feature of
this new environment, therefore, is "reciprocal dependency," denoting
sharing not only in the mutual benefits but also becoming both
reliant on the information web in which we are all enmeshed and
vulnerable to the actions and behaviours of others, whether intended
or unintended. While this feature of reciprocal dependency may
not be new, the speed and intensity of its occurrence do set it
apart, as do the immediacy of the linkages to distant and unknown
parties.
This situation, in essence, creates an "information
commons" (a convergence of self-interest) in which
there are few barriers to entry, and in which involuntarily shared
risks and exposure to the consequences of the acts of others are
automatic. That is, these same characteristics of an information-dependent
society (the advantages of nearly instant connectivity and
access to a wealth of information resources) also create
a series of "security and vulnerability externalities"
that result in an extremely high degree of reciprocal dependency
among all elements of the community. Under these circumstances,
even accidents and negligence, much less malicious acts by others,
can create serious, even catastrophic, impacts not only on individuals
and private entities but also on the nation's general welfare
and common defence.
In developing ways to address the difficult
choices among the values that are in tension, mechanisms for governance
must accommodate the organic processes that are crucial to societal
adaptation of a new technology. Process implies a progressively
achieved outcome rather than simply a clearly perceptible end-state
or result that can be accomplished all at once, and this suggests
that recognising where we are in the process may be important
to understanding the best way to proceed.
Models for governance range from: (1) leaving
protective measures in individual hands as a matter of retaining
personal responsibility (individual self-defence); to (2) accepting
the responsibility for protecting the community's interests and
retaining the authority in the community's hands (collective self-defence);
to (3) shifting the authority for community protection to the
government (formally delegated authority). The real issue is probably
not to choose among them as exclusive options, but how to dynamically
balance among them.
This choice depends fundamentally upon several
crucial factors: first, where one wishes to retain responsibility
as opposed to authority; second, how much authority the community
is prepared to place in someone else's hands; and third, where
the capabilities to ameliorate problems are lodged.
The new information structures are imposing
divergent exogenous costs on many segments of societies, both
domestic and global. As the exogenous costs ("externalities"
to economists) of these behaviours became more widely appreciated,
attitudes began to change; these activities impose costs on the
community at large, not just the careless individual.[62]
This is, in fact, the very same situation in which we find ourselves
living in a co-dependent information society. Increasingly, certain
types of activities (ones dangerous to others) run afoul
of tightening community intolerance for "reckless disregard"
of norms and laws designed to protect the common welfare of the
entire community. Society should be no less intolerant of similar
types of information abuses that could endanger others.
Within the information domain, the pull between
local identity and personal choice, on the one hand, and attempts
at pre-emption or imposition of uniform standards by national
authorities and others, on the other hand, has already created
significant tensions. Increasing globalisation, with its attendant
standardisation and homogenisation of behaviours as well as products,
may deepen tensions even further. Concern over "American
cultural hegemony," renewed over the recent announcement
of the AOL/Time-Warner merger, may already be as widespread as
concern over our present unchallenged military advantage. Negotiation
of safe harbour provisions, while limited, suggests that there
may be ways to come up with solutions. However, we note that the
safe harbour discussions were fairly protracted and well-defined,
confirming our own belief that where the Net is concerned, less
is always more and wait-and-see may be better. But this means
a willingness to come up with ex post solutions in response to
clearly defined evidence of problems rather than plunging ahead
with rules for an unknown world.
While national governments clearly have paramount
responsibility for governing information infrastructures, and
governments at all levels share the responsibility for prosecuting
criminal activity, there are three reasons they cannot perform
these functions in the information domain without substantial
assistance from private individuals and organisations. First,
appropriate activities by private actors are crucially important
because private actors, in reality, hold most of the technical
and physical capabilities for preventing potentially adverse information
incidents or ameliorating their consequences. Second, as governments
increasingly become buyers of commercial information and telecommunications
services, this reliance on private capabilities by the government
will continue to grow even with respect to protecting government's
own critical information systems. Third, exactly because information
is sensitive and information systems so pervasive, private parties (at
least those in the US, who even under new estimates will still
represent the plurality of users in 2003) are not likely
to extend the government writ so as to give government additional,
and necessarily intrusive, authorities for information protection
sufficient to allow the government to perform these functions
successfully. Indeed, current suspicions of FIDNet, which claims
merely to enable information to flow smoothly among concerned
agencies, contain, as a subtext, the fear that this will open
the way for intrusive domestic investigations and access to sensitive
information.[63]
The uproar in Europe over ECHELON suggests that Europeans are
at least as sensitive to potential incursions into personal privacy
as we are; the difference, however, is which entity to trust.
IV. A FEW MODEST PREDICTIONS
Assuming then, that the business of government
is to ensure the welfare of its citizens and that trust is vital
both to the legitimacy of government as well as the effective
functioning of the cyberworld, what should we expect? And what
should we do?
1. Increasing interdependence. Efficiencies
in scale and scope as well as network externality effects mean
that we are likely to see greater system interdependence at all
levels, internationally and within national boundaries, as well
as convergence of the various communication technologies. This
is primarily an infrastructure issue. Indeed, efficiency is one
of the drivers of e-commerce as well as e-business. Maintaining
long term trust requires reliability, and this demands systematic
attention to information security. By this, we mean expansion
and protection of the infrastructure systems as well as recourse
when information transmission and content are maliciously compromised.
We emphasise that compromising information content has several
facets, each of which should be dealt with separately. Nevertheless,
while acts of God (fire, storm and war) may be risks
that we should all expect to assume, there is rather broad scope
for human endeavour, starting with insistence on standards for
product liability that include information security.[64]
Thus, our first recommendation is systematic
attention to the infrastructure that enables provision of service
in all of its manifestations. This includes electrical power,
wireless and wired plant systems. It is the foundation of trust
and of reliable e-commerce systems and is an area in which responsibility,
authority and capability are recognised. Moreover, attention
to the engineering infrastructure is least influenced by culturally
based value systems and more amenable to agreed upon criteria
for performance. Not all issues will be amenable to an engineering
approach, but many will be. We suggest that issues in which we
can agree upon outcomes and metrics represent a way to build trust
in the process itself. Good starting points would be a focus on
security and robustness, a bias towards heterogeneity rather than
uniformity, and a stress on appropriate systems, such as for
"mission critical" applications.
2. Rapidly increasing diversity in functionality,
products and services (wireless and wired; appliances and general
purpose machines). Some of these are familiar and will fit fairly
well into known systems for sale and distribution. Much of e-commerce
is behaving like traditional mail order catalogue services, and
existing consumer protection systems may migrate well to these
products and services. There remains an urgent need for appropriate
liability, which to us means a minimalist approach to new legislation,
but one that will let civil action take its course.
http://www.cisp.org/imp/february-2000/02-00simons-insight.htm
For example on April 27, 2000, Xerox and Microsoft
announced the formation of a new company to produce and market
software that protects copyrighted material.[65]
Unlike the proposal to regulate Napster, this approach provides
a tool that shifts the responsibility for rights enforcement to
the rights holder and away from the intermediary search service.
There exists in U.S. law the notion of an "attractive nuisance."
This means, for example, that the family that owns a home in-ground
swimming pool has a positive obligation to maintain a fence around
the pool, which reduces but does not eliminate the risk that neighbourhood
children will wander in and drown. Given a reasonable software
tool, owners of valuable content, who wish to store that content
on machines that can be reached via the network, might be required
to observe some level of protection as a condition of buying the
content. The objective here would be to design a simple, transparent
tool, not to jettison copyright protection or strangle a new
technology before its potential has even been explored. Together
with greater emphasis on product liability, such tools put technological
teeth into the argument that civil venues, rather than regulatory
venues, can be effective.
Our second recommendation is a modified "wait
and see" approach, that is, systematic review of existing
avenues for consumer protection to see how problems that do, in
fact, arise may be handled. At present, most EU nations conduct
e-commerce within their national borders so international concerns
may, in fact, be more pressing for US firms. However, recent liberalisation
of EU export restrictions on encryption technology may change
the balance.[66]
3. Framework for accommodating differences.
We understand that these perspectives on distributed power and
more voluntary co-ordination are not fully shared around the globe
and that many issues, such as "privacy," "obscenity"
and "fair use" are culturally based. Therefore, it is
to be expected that these different perspectives will give rise
to significant tensions as international agreements are sought.
How the issues are defined will remain critical. As of this writing,
a French court has "told Internet portal Yahoo on Monday
to `make it impossible' for Web surfers in France to gain access
to sales of Nazi memorabilia which appear on one of the websites
it hosts." These actions, the judge told the firm, were "an
offence to the collective memory of the country." The company
was ordered to report back on July 24 to explain the measures
it had taken to prevent the French from participating in the sales
despite the fact that the company had argued that it was "impossible"
to scan all the content on its auction site.[67]
We understand that the French court finds these
activities offensive, but the extensible nature of the underlying
technology means that those who attempt to isolate an activity
will find themselves circumvented. Thus, the goal should be the
largest tent with agreed-upon frameworks, or networks, for resolving
differences since stopping the activity cold is unlikely to happen.
The issue is one of choice and accommodating
choice. In the case of Yahoo, French citizens are not obligated
to visit the site. Similarly, Yahoo is not obligated to provide
service in France. However, if French citizens want access to
Yahoo's services, then they may well have to accept "speech"
that is offensive to them. Still, before we rush to determine
anything "impossible," we caution that there are many
examples of differentiating access to services. The trick will
be to find the ones that work for the "right" people
at the "right" time. And before imposing one view upon
the world, we strongly recommend systematic study of which services
seem to require attention by what authority and what kinds of
tools might be available.
6th June 2000
30 Robert E Kahn and Vinton G Cerf, What
is the Internet (And What Makes It Work) (Internet Policy Institute,
Briefing the President, December 1999), p 4. Kahn and Cerf co-wrote
the TCP/IP protocol, which supports the inter-networking. The
"Institute," as we presently know it, is the outcome
of a rather long process in which many people can justly claim
important roles. Our emphasis on the computer science reflects
the engineering basis of the original network of networks.
31 The importance of trust has been pointed out by Marjory
Blumenthal, Reliable and Trustworthy: The Challenge of Cyber-Infrastructure
Protection at the Edge of the Millennium, iMP: The Magazine
on Information Impacts (September 1999). http://www.cisp.org/imp/september_99/09_99blumenthal.htm
32 Napster Loses First Round in Court, RIAA/press releases.
http://www.riaa.org/PR_Story.cfm?id=268.
33 Jeri Clausing, Report Proposes Update of Copyright Act,
New York Times (May 22, 2000), p C-6.
34 John Gilmore, as quoted ibid.
35 The Social Security Agency was created in 1935. The agency
provides retirement, medical (Medicare and Medicaid) and disability
insurance for qualified beneficiaries.
36 For an interpretive look at the technologies and impacts
of the Information Revolution, see Jeffrey R Cooper, The Emerging
Infosphere (Center for Information Strategy and Policy, October
1997).
37 This trade off in the infrastructure between efficiency
and vulnerability is discussed by Charles M Herzfeld, The Defense
of Infrastructure, iMP: The Magazine on Information Impacts
(September 1999). http://www.cisp.org/imp/september_99/09_99herzfeld.htm
and Stephen J Lukasik, Protecting Information-Dependent Infrastructures,
iMP: The Magazine on Information Impacts (September 1999).
http://www.cisp.org/imp/september_99/09_99lukasik.htm.
38 Kurt Kleiner and Duncan Graham-Rowe, Go forth and multiply,
New Scientist (13 May 2000), p 7.
39 Ibid.
40 Vijai Maheshwari, IT Pioneers Create Frenzy of Activity,
Financial Times (19 May 2000), p 15.
41 Gordon Bell, The Next Killer App, iMP: The Magazine on
Information Impacts (June 2000). http://www.cisp.org/imp [forthcoming]
42 Louis Trager, Inter@activeWeek (May 8, 2000). http://www.zdnet.com/filters/printerfriendly/0,6061,2562780-35,00.html.
The point was echoed by David Lynch, World Tests US Net Dominance,
USA Today (May 23, 2000), p 3B.
43 Jeetu Patel, Mark Schenecker, Gautam Desai, and Jason Levitt,
Tools for Growth In e-Commerce, Information Week Online
(December 7, 1998). http://www/informationweek.com/712/12oltoo.htm
44 US Department of Commerce, The Emerging Digital Economy
II (June 1999), p 5.
45 Nick Wreden, Cover Story, Beyond Computing Magazine
(November/December 1998). http://www.beyondcomputingmag.com
46 See My Place or Yours? Computer Letter, February
1, 1999.
47 Gartner Insight, Vol 2, Issue #3, May 2000.
48 See for example, Dan Caterinicchia and Natasha Haubold,
The Dot-Com Invasion, Federal Computer Week Online, May
22, 2000; and Laurie J Flynn, Renting Software and the Skills
to Go with It, New York Times (May 22, 2000).
49 Bronwyn Fryer, PC Subscription Services, Upside Magazine
(May 2000), p 83.
50 Vijai Maheshwari, IT Pioneers Create Frenzy of Activity,
Financial Times (19 May 2000), p 15.
51 We note, in this regard, that much of e-commerce rides on
traditional practices and systems, in particular, fulfillment
and preserving brand recognition and consumer loyalty. T J Grewal
reports that two years into the race to go online, the challenge
is "to fulfill the rights order, and do it on time."
See T J Grewal, Not a Fulfilling Experience, Business 2.0
(May 2000), p 440. The importance of customer satisfaction, which
e-tailers are coming to appreciate, was underlined by Allen Weiss
in a story in Upside: "Profits in every business since, well,
the beginning of business, depend for the most part on customer
loyalty." The importance of the customer may be less true
in business-to-business e-commerce, he goes on to say. See Allen
Weiss, Shedding light on e-commerce, Upside Magazine (May
23, 2000). http://www.upsidetoday.com/Opinion/39296f150.html.
52 See BROOKFIELD COMMUNICATIONS, INC., Plaintiff-Appellant,
v. WEST COAST ENTERTAINMENT CORPORATION, Defendant-Appellee, No
98-56918 D C No CV-98-09074-CRM, Filed April 22, 1999, US Court
of Appeals for the Ninth Circuit, Decision, May 14, 1999. Electronic
Commerce and Law Report.
53 Amy Friedlander, "In God We Trust; All Others Pay
Cash": Banking as an American Infrastructure, 1800-1935
(Reston, Virginia: Corporation for National Research Initiatives,
1997).
54 This is an argument fundamentally about values and may be
out-of-sync in a world that now demands econometric analysis of
policy issues.
55 Many, if not most, Americans would further argue, rather
convincingly, that centralised decision-making is, in fact, less
efficient as well as more dangerous. See David Brin, The Transparent
Society (Reading, MA: Addison-Wesley, 1998).
56 Anne-Marie Slaughter, Governing the Global Economy Through
Government Networks, Seminar, The Carnegie Endowment for International
Peace, Washington, DC, May 23, 2000.
57 See, for example, Allen Hammond and Jonathan Lash, Cyber-Activism:
The Rise of Civil Accountability and Its Consequences for Governance,
iMP: The Magazine on Information Impacts (May 2000). http://www.cisp.org/imp/may-2000/05-00hammond.htm
58 At the same time, civil society should demand that governments
facilitate, not hinder, appropriate self-help measures. Unconsidered
actions (such as the legislation (HR 2281) to conform US copyright
law to the new World Intellectual Property Organization (WIPO)
standards) can prevent private actors from carrying out legitimate
and necessary information protection activities.
59 Only the best will do, New Scientist (13 May 2000),
p 3.
60 An authoritative summary of the early treaties governing
spectrum allocation can be found in Christopher H Sterling and
John M Kittross, Stay Tuned: A Concise History of American
Broadcasting (Belmont, California: Wadsworth Publishing Company,
1990 [second edition]); and Susan J Douglas, Inventing American
Broadcasting, 1899-1922 (Baltimore: The Johns Hopkins University
Press, 1987).
61 We note that taxation is a complicated issue in the US,
where the sales tax model, which is highly variable from jurisdiction
to jurisdiction, does not map easily to the Value Added Tax characteristic
of the EU countries. See Hal Varian, Taxation of Electronic Commerce
(Briefing the President, The Internet Policy Institute, April
2000). One solution that has been proposed is the creation of
third party services with which online companies can contract
to manage tax collection and remittance. This model of service
delivery and governmental compliance invites the challenges described
in the previous section.
62 Consider the example of seatbelts. First, not wearing seat
belts substantially increases the likelihood of a driver losing
control in an accident and causing damage or injury to other vehicles
or bystanders. Furthermore, in an era of skyrocketing medical
costs and third party or government coverage, the increased costs
of expensive trauma injuries to the unbelted are transferred to
the rest of the community. Similarly, when drunk drivers more
often than not ran off rural roads and killed only themselves,
most communities were prepared to tolerate this kind of reckless
behaviour. When innocent pedestrians or occupants of other vehicles
began to suffer significant injuries as a result of drunk drivers,
many communities became rapidly less accepting of these collateral
costs being imposed on the community as a result of individuals'
reckless behaviour.
63 The Federal Intrusion Detection Network (FIDNet) has been
described as "an automated correlation engine that can assist
agencies in making sense of the voluminous alarm data from their
intrusion detection services and other security devices such as
firewalls." The fundamental idea is to allow agencies to
share intrusion detection information as a means of enhancing
the security of their information and information systems. See
Thomas R Burke, FIDNet Tackles Computer Network Security, iMP:
The Magazine on Information Impacts (February 2000). http://www/cisp.org/imp/february-2000/02-00burke-insight.htm
64 Cogent objections and concerns to both FIDNet and ECHELON
are exemplified by Barbara Simons, Building Big Brother, Communications
of the ACM 43 (January 2000): 31-32. Re-issued, in iMP:
The Magazine on Information Impacts (February 2000).
65 Lawrence M. Fisher, Xerox and Microsoft Create Digital Safeguard
Company, New York Times (April 28, 2000), p C5.
66 Code War, ABCNews.com (May 25, 2000).
http://www.abcnews.go.com/sections/tech/DailyNews/encryption000524.html
67 France Gags Yahoo on Nazi Bids, Wired News (22 May
2000),
http://www.wired.com/news/print/0,1294,36504,00.html