Snowden, the State, and the Future of Internet Governance

The classified documents leaked by Edward Snowden outlining the online surveillance practices of the U.S. National Security Agency ignited a raging debate in the United States over what constitutes appropriate online conduct by governments. That debate then went global, fueled by information included in the documents regarding the extent of global intelligence intelligence-sharing arrangements, particularly the depth of the institutional ties between the so-called “Five Eyes” intelligence agencies in Canada, Australia, New Zealand, the United States, and the United Kingdom. Snowden’s decision to leak this information is having an important effect: it is focusing global attention on the future of the Internet and our capacity to shape it at a time when such attention is badly needed – that is, before governments decide cyber freedom is too costly to national security to maintain.

The responses to the Snowden leaks by the U.S. and U.K. governments testify to their commitment to defending their current intelligence-sharing practices. These responses include the recent detention of David Miranda, partner of Glenn Greenwald (the Guardian journalist who broke Snowden’s leaks alongside Laura Poitras) for nine hours by U.K. security officials under Schedule 7 of the U.K.’s Terrorism Act of 2000. Miranda’s detention not only made clear the degree to which intelligence agencies are likely to protect their contemporary surveillance practices but also, somewhat ironically, demonstrated the material advantages of maintaining existing institutional arrangements, which take in multiple jurisdictions and allow intelligence agencies to confiscate information and arrest suspects for practices that some domestic institutions would deem illegal. In Miranda’s instance, for example, Fourth Amendment protections would have likely protected him from detention in the United States but there are no such protections for journalists in the United Kingdom. Subsequently, when the U.S. purportedly requested the U.K.’s GCHQ to detain Miranda, they were effectively outsourcing a practice that would have been illegal within their own territory.

Clearly, and as evidenced by Prime Minister David Cameron’s purported support for the leaks by the Guardian’s journalists to be stopped as well as President Obama’s reluctance to appear contrite in the face of mounting criticism, national governments at this point are unwilling to dramatically change their intelligence-gathering practices. This is due, in large part, to the fact that the security threats to which these programs were designed to respond continue to exist. Indeed, in the weeks following Snowden’s leaks, there were claims by the United Kingdom, United States, and Canada that online surveillance via programs such as Prism, Tempora, Echelon, Blarney, Fairview, Oakstar, Lithium, and Stormbrew had prevented approximately ten major terrorist incidents. For national security officials in these countries, the privacy violations that inevitably result from sifting through 75% of internet data, and enlisting providers such as Microsoft, Apple, Facebook, and Google in the process are unfortunate, but also avowedly necessary.

Put simply, for governments, which are primarily charged with protecting the security of their populations, the ends (improved security) justify the means (online surveillance). And the means to improved security may include outsourcing certain tasks in an effort to widen and deepen surveillance of terrorist networks. The United States, for example, cannot surveil its own citizens, but it can outsource this task to intelligence agencies that do not share the limitations imposed by American legislation. Documents leaked by Snowden suggest that the U.K.’s Government Communications Headquarters (GCHQ) received approximately $100 million for contracted intelligence work over the past three years. For the “Five Eyes” states, leveraging the capability of each sovereign agency to gather intelligence on the others was a logical answer to overcoming various legislative obstacles. Given that a majority of the world’s Internet exchanges (the plumbing of the contemporary Internet) run through the states that comprise “Five Eyes,” the five states are also at a considerable advantage when it comes to parsing through packets of information that pass through their respective countries. To give you idea of the scale of the ability of states to surveil the information that flows through their networks, the latest estimates suggest that the United States’ NSA programs are able to deeply analyze roughly 1.3% of the globe’s Internet traffic and the NSA has stored almost 4% of this traffic.

Civil liberties advocates have expressed shock at the extent of the sharing of online information and intelligence collection among allies, but institutionalized multilateral cooperation in the realm of cybersecurity or cyber operations should not come as a surprise; it has emerged in similarly challenging areas like environmental protection. For states, competition generally goes hand in hand with collaboration in the international arena and the cyber realm is no exception. Programs such as Flame and Stuxnet indicate that the Internet is viewed by governments as another (and hitherto surreptitious) means for controlling developments – not only in “enemy” states, but also in allied competitors. Mandiant’s report of February 2013 suggesting that the Chinese People’s Liberation Army’s Unit 61398 was behind attacks on various U.S. government targets, China’s counter claims against the United States, and the New York Times identifying attacks against their institution emanating from China all suggest that state-to-state online monitoring is emerging as a new global norm. In the effort to protect sensitive material and their networks, those states that enjoy deep relationships (such as those involved in the Five Eyes intelligence-sharing institution) are likely to pool their resources and share the source of their exploits in order to mitigate their respective risks of being infiltrated. Most importantly, they are also therefore likely to cooperate and participate in expanding international efforts to regulate the Internet.

However, conceptualizing the Internet as a regulated venue for international cooperation and competition remains a challenge, no doubt because a generation of citizens understand the Internet as an unparallelled resource for communicating across borders – an encyclopedia of information situated at a stateless final frontier. Too often this leads to a conceptualization of the Internet as an ethereal space where states have more or less divorced themselves themselves from the governance process, and where governance as it exists is minimal. While it true that the contemporary “multi-stakeholder” model for Internet governance is uniquely designed to be looser than arrangements governing the likes of territorial waters, governments have always maintained their ability to influence the manner in which their citizens engage with online material within their borders. Iran and China offer two extreme examples of the level of control that a state can exert on the Web. In both states, various search terms or websites are censored by state-mandated communications agencies. And while these two states appear repeatedly at the forefront of news stories discussing censorship, many others, including Western states, are struggling to balance the risks of allowing free access to the Web with the potential deleterious economic and potential political consequences of limiting their citizens’ Internet freedoms.

Presently, concerns over online surveillance – now massively expanded by the Snowden leaks – are combining with the long-held desire of emerging powers for contemporary international governance mechanisms that reflect new geopolitical realities to potentially put the future of an “open” Internet into jeopardy. Thus far, the utility of open access to the Internet has deterred state-by-state fragmentation of the existing network and the subsequent narrowing of access that follows. But there is no guarantee that this will last. States are now in the process of evaluating the full collaborative and competitive potential of the Internet. It is therefore worth considering what the the Internet of the future should look like, and how that future might be realized.

Any consideration must necessarily reflect upon the continuing and perhaps growing role of the state in either promulgating or limiting Internet freedom. Recently, a Council on Foreign Relations independent task force called for the promotion of an “open, global, secure, and resilient Internet.” In its report, the task force provided over seventy recommendations for policymakers to work toward the protection of the contemporary Internet that has become vital for “communication, commerce, trade, culture, research, and social connections” as well as its potential contribution to “disaster relief, diplomacy, conflict prevention, global education, and science.” The CFR task force also made clear the various challenges facing international policy-makers from the appropriateness of surveillance; norms and rules governing the use of cyber weapons; the manner in which to engage with non-state actors online; and copyright protection. To deal with these issues, there are two possible scenarios. One is a move toward intergovernmental regulation of the Internet and the other suggests building around the existing governance mechanisms.

The disagreement concerning the future of the Internet was made clear at the most recent World Conference on International Telecommunications talks in Dubai that yielded a split decision (among states that hoped to add Internet technology to the responsibilities of the International Telecommunications Union and those that rejected increased state involvement in regulation of the Internet). The battle for the future of Internet governance will also shape the upcoming ITU Plenipotentiary in 2014 and will certainly raise questions concerning the appropriateness of having states deciding the appropriateness of various practices online. Unfortunately for opponents of creating an intergovernmental process for Internet governance, the fact that the United States and its Five Eyes partners have been widely condemned by foreign governments (including countries such as Germany and Brazil) for surveiling their citizens and embassies has led many states to question the degree to which they are protected online and has perhaps strengthened the case for adding Internet technology issues to the purview of the ITU.

With that said, the willingness to build an intergovernmental framework is risky because it potentially subjects global Internet governance to the very same dysfunctional dynamics that plague intergovernmental climate change negotiations and the UN Security Council. Put simply, creating an intergovernmental regulatory framework for the Internet puts decisions concerning network neutrality, network transmission processes, and the building of future Internet exchanges at the mercy of national governments. Under these circumstances, the potential for decision-making paralysis and political dissensus are relatively large. An oft-discussed fear is that an intergovernmental Internet governance framework might entrench state-sponsored censorship or lead to the tracking of dissidents  – particularly in autocratic states. Moreover, the formation of an intergovernmental body would concede that the contemporary model of Internet governance – the “multistakeholder model” – is no longer fit for purpose and that the ability to address existential threats “organically” via engineering or non-state-based solutions is no longer adequate.

It is my contention that this concession is absolutely unnecessary given the relative success of the current multistakeholder model that takes advantage of various nongovernmental organizations such as the Internet Society, the WSIS process, and even ICANN in growing the network without policing the activities that take place online. Through the contemporary arrangements, collections of engineers and public policy experts discuss and advise telecommunications companies all over the world while discussing optimal protocols for managing traffic and ensuring interoperability between networks hosted by different countries or companies. Abandoning the current institutional framework that has been responsible for building the present network appears to be ill-advised at best, and self-serving (on the part of government that wish to censor the Internet) at worst.

Instead of abandoning the current governance model, I propose that the powers of the Global Advisory Council of ICANN be expanded; the Internet Governance Forum further empowered; and commitments to an open global network should be signed by all those states necessary to sustaining it. This multipronged approach would address the concerns of states that remain aggrieved at the current status of the global network while protecting the network from the worst aspects of intergovernmental negotiation processes by giving them a venue to discuss and remediate disputes, and while allowing engineers and experts to continue to play a key role in maintaining the network. It would also avoid, for now, the potential of network fragmentation.

For this approach to work, a serious debate on the part of policymakers and the general public regarding what behaviors are most appropriate for states to engage in on the Web is fundamentally necessary. Indeed, a large number of states will likely have to admit culpability for their actions online and must consider remedies that will protect their citizens and corporations from spying or snooping.

This gradual approach would contribute to all states considering and reconciling broader sovereignty issues raised by the sustained importance of the Internet to global commerce and affairs of the state. In this process it is absolutely necessary for Canada and its partners to develop a clear vision and strategy for an Internet with clear value-added for the global economy, social welfare, and politics.  Such a strategy, developed by a combination of intelligence, military, and diplomatic agencies, would allow for the formation of cooperative standards to protect intellectual property, copyright, and privacy, as well as “Internet freedoms.” Thus far, the nascent EU Code of Conduct related to online activities offers the most mature institutional mechanism for broaching these issues.

There is a collective realization that the Internet is inexorably changing. Canada is debating Bill C-32 related to copyright protection while the United States is considering the future of domestic legislation to stop online piracy and police some behaviors on the Web. As the states that created and disseminated Web-based technology eventually lose their first-mover advantage and the network democratizes, there is likely to be an ongoing discussion of what is normatively acceptable on the network. In the process, the form of cooperative arrangements such as the “Five Eyes” arrangement may change, but the arrangements themselves are unlikely to disappear altogether given the strength of the geostrategic ties among states and overlapping interests shared by governments. Indeed, the institutionalized sharing of online data revealed by Snowden may even become an accepted component of processes governing government conduct on the web. With that said, what we need is a sustained and multifaceted dialogue on what new regulatory standards should look like if they are deemed necessary.

In the aftermath of the Snowden leaks, we are hearing calls from policymakers for the Internet to become a venue for cyber defense and offense, and opposing calls for it to be considered a sacred space, protected from military endeavors with an arrangement akin to the chemical or biological weapons conventions. While the future of the Internet and its governance arrangements remains uncertain, we can be sure that both states and non-state actors will play a large role in determining the appropriateness of the activities that occur on the network and the degree to which protecting the sanctity of the network and its users is prioritized. If nothing else, the attention being paid to government conduct online as a a result of the Snowden leaks presents an opportunity to bolster the current multi-stakeholder model for Internet governance. This is an opportunity that we cannot afford to ignore.