
Rethinking Boundaries in Cyberspace


Communications and Society Program

A Report of the Aspen Institute Internet Policy Project

by Erez Kalir and Elliot E. Maxwell

Rethinking Boundaries in Cyberspace

Communications and Society Program
Charles M. Firestone
Executive Director
Washington, DC

2002


To purchase additional copies of this report, please contact:

The Aspen Institute
Fulfillment Office
P.O. Box 222
109 Houghton Lab Lane
Queenstown, Maryland 21658
Phone: (410) 820-5338
Fax: (410) 827-9174
E-mail: [email protected]

For all other inquiries, please contact:

The Aspen Institute
Communications and Society Program
One Dupont Circle, N.W.
Suite 700
Washington, DC 20036
Phone: (202) 736-5818
Fax: (202) 467-0790
Web address: www.aspeninstitute.org/c&s

Copyright © 2002 by the Aspen Institute

The Aspen Institute
One Dupont Circle, NW
Suite 700
Washington, DC 20036

Published in the United States of America in 2002 by the Aspen Institute

All rights reserved

Printed in the United States of America

ISBN #0-89843-336-3

02-007

Charles M. Firestone
Executive Director

Patricia K. Kelly
Assistant Director

1142/CSP/02-BK

Contents

FOREWORD, Elliot E. Maxwell

RETHINKING BOUNDARIES IN CYBERSPACE, Erez Kalir and Elliot E. Maxwell

Prologue: Why a Conference on Internet Governance?

Trends and Challenges: Where We Are Now

Guiding Principles

Roles of Different Actors (I): Traditional Governments

Roles of Different Actors (II): Alternative Governance Organizations

Roles of Different Actors (III): Corporations, Traditional NGOs, and Users

Coming Full Circle: Three Specific Governance Challenges

Conclusion

APPENDIX

List of Conference Participants

About the Authors

The Aspen Institute Communications and Society Program

Foreword

The Aspen Institute’s Internet Policy Project has never lacked ambition. Under the leadership of David Johnson, one of the pioneers of cyberlaw, and then Andrew Shapiro, an influential commentator on Internet issues, the Project sponsored a series of small group meetings and workshops aimed at helping to create an intellectual framework for Internet policy. These meetings focused on the privatization of the domain name system, Internet privacy, the impact of the Internet on intellectual property rules, jurisdiction in cyberspace, the legal nature of e-commerce transactions, and the applicability of self-regulation and self-ordering to the resolution of Internet-related issues. It was an agenda fitting the fulsome ambitions for this new medium. The meetings resulted in significant contributions to the development of new approaches to Internet governance and policymaking.

During the past year, the Project has focused on the next generation of Internet issues. In the early days of the Internet, many commentators saw it as a special place, “borderless” and free from government intervention, a locale run by and for its participants. Even in the first major Internet policy statement by the U.S. government in 1997—The Framework for Global Electronic Commerce—the emphasis was on private-sector leadership regarding Internet policy. But as the Internet has grown in visibility and importance—economically, socially, politically, and culturally—and as the number of international transactions utilizing the medium has exploded, it is no surprise that governments around the world have begun to give it greater scrutiny. In many cases governments have begun to pass laws and regulations seeking to control conduct and content on the Internet, within and beyond their borders.

In the summer of 2001, 24 participants—leading entrepreneurs, technologists, academics, and policy advisors—took part in a three-day conference convened by the Project titled “Rethinking Boundaries in Cyberspace.” The conference agenda focused on the growth of government involvement in the Internet and, in particular, the implications of the exercise of extraterritorial reach by governments in areas such as privacy, taxation, content regulation, and the sales of goods or services. A central question, given the global nature of the Internet, is who will make the rules governing these and other issues, and what values will underlie these rules. Will rules be made by local, national, or international authorities, by governmental bodies or by private-sector actors? Will the rules encourage or discourage the continued growth and development of the Internet? These questions have even greater resonance in the post–September 11th environment as governments focus on security issues and seek to extend their jurisdiction worldwide in order to battle terrorism.

This question of who will make the rules is not new: It has been addressed in the context of the privatization of the domain name system. But the broad range of issues of interest to governments dramatically raises the stakes. The exercise of sovereignty by physically based states could result in new borders on the “borderless” Internet, policed using rapidly developing location-identifying technologies. Imposition of national policies, based on values that vary from country to country or locality to locality, raises the possibility of segmenting the global Internet into a series of regional, national, or even local data networks.

But control of the Internet by governments was not the only issue of control raised at the meeting. The conference also recognized the rise in “private governance.” As Larry Lessig and others have pointed out, more and more “policy” decisions are being made by private players and are being embodied in the hardware and software that allow access to the Internet and provide its myriad applications. These policies found in “code” are part of a larger trend whereby private actors make decisions that in the “physical world” would be the province of governments. In some cases, governments have delegated responsibilities to private firms (as in the most recent Council of Europe Treaty), deferred to industry self-regulation, or allowed firms to exercise control based on the firms’ own view of competitive advantage. If private firms are going to be the ones who make the rules for the Internet, it is important to understand the values and criteria they will employ.

At the same time, there is a technological arms race between those who seek to expand control and those who seek to minimize or escape it. Technologies to provide anonymity or promote privacy continue to develop. They offer mixed blessings: protecting private information or shielding dissidents from oppressive regimes and at the same time allowing bad actors to escape their just rewards. The conference examined one of these technologies—peer-to-peer computing—which undermines control because of the absence of any central point of authority. These technologies, coupled with the rise of new communities such as those of the instant messaging world, are simultaneously being praised for their ability to support collaboration and resource sharing and condemned for facilitating massive violations of copyright law.

The debates over control will surely continue. They must, because the stakes are so high. They involve the central characteristics of the Internet: the ability to communicate and collaborate with anyone online; to access staggering amounts of information hosted around the world; and to choose content, services, and features on the Net free from constraints built into the network itself. The consequences of choosing the wrong path are a dramatic decline in the political, social, and economic innovation made possible by the Internet.

The conversations at the meeting were exceedingly rich. The following report is not a simple summary but an attempt to extract the most salient themes, provide a useful context in which to view them, and identify issues worthy of future dialogue. The rules under which these Aspen meetings take place encourage wide-ranging dialogue that focuses on underlying values—in this case those of communications, collaboration, and community. The Internet has broadened our sense of the possibilities in all of these areas. This publication reflects the general sense of the meeting, though each participant may not agree with every statement. Further, the opinions expressed are those of the authors and not of any current or former employer. By this report’s dissemination, we seek to engage a wider group in discussing how to ensure that the medium grows and flourishes.

Acknowledgments

I am pleased to acknowledge and thank our sponsors for their generous contributions to the success of the conference. The following entities sponsored the 2001 conference: Catenas, Citigroup, the Markle Foundation, McKinsey & Company, Nokia, Nortel Networks, Pitney Bowes, RealNames Corporation, VeriSign, Verizon Communications, and VISA U.S.A. I would like to thank all of the participants—all expert, all enormously busy, all willing partners in our dialogue. I would particularly like to thank our international participants for coming such long distances (proving that distance is not dead yet) and for bringing important insights about this truly global medium that is too often viewed simply from a U.S. perspective. Charlie Firestone, executive director of the Aspen Institute’s Communications and Society Program, has given the Internet Policy Project a home at the Aspen Institute and always provided support and wise counsel; Lisa Dauernheim, Tricia Kelly, and Sunny Sumter-Sana of the Communications and Society Program have helpfully and cheerfully provided for the myriad of details necessary for this publication and for the operation of the Project as a whole. Amanda Mills of Yale Law School assisted us in shaping the agenda and identifying the issues to be addressed. Lastly, I would like to express my deep appreciation for the work of Erez Kalir, the meeting’s rapporteur, whose dedication to searching for the core of meaning in the swirling conversations at Aspen was the foundation for this report.

Elliot E. Maxwell
Senior Fellow for the Digital Economy, 2001
and
Director, Internet Policy Project, 2001
Communications and Society Program
The Aspen Institute
Washington, DC
February, 2002


Rethinking Boundaries in Cyberspace

The Internet’s explosion into the public consciousness in the 1990s was marked by a heady rhetoric about its uniqueness. Unlike previous technologies, the Internet would render geography obsolete, allowing anyone, anywhere, to access a limitless fund of digitized information and to share such information with anyone else, free from control or regulation. Territorially based laws were said to have little or no effect in cyberspace—a global, “borderless” place beyond the sovereignty of any existing jurisdiction. The Net would be governed, if at all, through the self-initiated efforts of its constituent communities: the dream of the Declaration of Independence made real, virtually.

As the Internet has matured, however, traditional governments and private actors have increasingly sought to assert control over conduct and content in cyberspace. Governments, responding to the geographic dispersal of Internet users and the Net itself, have directed their regulatory efforts not only at people and entities within their territorial borders but also at those beyond them. And private actors—service providers, applications vendors, and industry consortia (among others)—have played a growing role in drawing new and different kinds of borders on the Net, such as borders around namespaces.1 To bolster their efforts to assert control, governments and private actors alike have enlisted various new technologies that did not exist in the Internet’s early days. Not surprisingly, users have countered with other innovations designed to “route around” the borders that constrain their freedom. The result is an evolving game of technological cat-and-mouse.

How will—and how should—governance in cyberspace evolve now that the utopian vision of the Net as a perfectly self-governing realm has been dispelled? This report takes up that question, not in the hope of offering a blueprint but in the spirit of sketching some useful (if still provisional) answers. The focus is on four key areas:

1) Where we are now. What are the trends and challenges that comprise today’s Internet policy agenda and will help shape tomorrow’s? Are there troubling aspects about the direction in which governance on the Net is evolving? What trends in particular deserve the scarce attention of public policymakers and the public?

2) Guiding principles for good governance. Algorithms for good governance do not exist. But based on what we have learned about the nature of the Internet since its inception and on relevant historical antecedents in other areas, can we arrive at principles to guide governance decisions for the Net toward successful outcomes and away from dangerous pitfalls?

3) Proper roles for different actors. Governance on the Internet is not the exclusive province of traditional governments. On the contrary: A proliferating array of other actors—corporations, multinational rule-making, standard-setting, and advisory bodies, nongovernmental organizations (NGOs), and new kinds of organizations that do not fit neatly into any existing categories—play increasingly significant roles in Net governance decisions. What are the proper roles for these actors? For traditional governments? Can complex relationships among diverse decision makers be structured to prevent rivalry and chaos?

4) Specific governance challenges. Governance challenges for the Internet exist in myriad subject areas. Three areas of importance to the future of cyberspace are extraterritoriality, confidence issues (e.g., promoting privacy, security, and trust on the Net), and namespace management. Drawing on the insights developed in earlier parts of the report, can we begin to map the right direction for public policy in these areas—or at least identify some of the right questions on which public deliberation should center?

To probe these and related topics, the Aspen Institute’s Internet Policy Project convened 24 leading entrepreneurs, technologists, academics, executives, and policy advisors for its 2001 conference. The conference, moderated by the Project’s director, Elliot Maxwell, took place July 22–25, 2001, in Aspen, Colorado. This report is a synthesis and interpretation of the conference discussions.

Prologue: Why a Conference on Internet Governance?

As a few conference participants observed, much conversation about Internet governance proceeds as if the problem were new, and thousands of years of political and legal thought simply irrelevant in light of the Net’s uniqueness. This notion is manifestly false: Many of the governance questions that apply to the Internet today arose in similar form during the popularization of other technologies, such as modern shipping, aviation, and telecommunications (to name only a few). The answers that human societies forged to those questions then can help us answer analogous questions today. Yet recognizing that the Internet lies on a historical continuum of transformative technologies led conference participants to ask two interrelated questions that merit attention before delving into others: What characteristics mark the Internet as a novel and genuinely disruptive technology? And what about the Net poses new challenges for governance?

Begin with the first of these questions. While early accounts may have overstated the Internet’s uniqueness, conference participants generally agreed that the Net has changed social, economic, and political relationships around the globe in several significant ways. To begin with, by dramatically lowering transaction costs, the Internet has facilitated a vast increase in the volume of economic transactions.2 Net-based transactions that cross national borders are growing at a particularly impressive rate, in absolute terms and as a percentage of overall Internet traffic. The Internet is hardly the first technological innovation to boost cross-border exchange; many others did so in their day as well (the telegraph, railroad, and telephone, to name just a few). Yet the sheer magnitude of the increase in cross-border transactions attributable to the Net, participants suggested, is unprecedented and consequential.

Second, the Internet has also revolutionized the economy of information. On the production side, it has radically decentralized—and democratized—the power to distribute information to the public. Traditional media conduits such as print, radio, broadcast television, and cable have long been controlled by relatively few large corporations. Ordinary individuals and groups cannot easily gain access to these conduits to broadly disseminate their ideas and opinions. The Internet provides users with a means to do so; to paraphrase one conference participant, it turns freedom of speech into freedom of the press. This transformation equates, on the consumption side, to a massive increase in the quantity of information available to the public. But the consumption-side change isn’t only a matter of quantity: The Net also renders information easily accessible over a far wider geographical scope (as dramatized in Yahoo!’s advertisements depicting a denizen of the arctic shopping on the Net in his igloo). The Net’s impact on the economy of information, too, distinguishes it from prior technological innovations.

Third, the Internet disrupts existing relationships between individuals, businesses, and states, spawning new intermediaries between these entities and eliminating old ones. Because the Net significantly increases the liquidity of information, for example, it creates opportunities for new information hubs to connect buyers and sellers on an international scale—hence EBay, Priceline, and business-to-business exchanges. Of course, the emergence of these new intermediaries has threatened the livelihood of others, such as local pawn shops, travel agents, and wholesalers. Nor is this process of dis- and re-intermediation limited to the private sector. In the sphere of policy and politics, the Internet has given rise to new entities mediating relationships between individuals and their governments. Some of these new entities, such as the vote-trading sites that sprung up during the 2000 American presidential election, are grassroots organizations that seek to facilitate broad-based political action. Others, such as the Internet Corporation for Assigned Names and Numbers (ICANN), are decision-making bodies with narrower missions and a narrower membership consisting of technical experts. Yet both of these types of Net-centered entities—the grassroots and the technical—have redistributed political and policymaking power away from traditional actors. They have also made it more difficult to surveil the regulatory landscape and locate all the points of decision-making authority.

These three phenomena—the growth in the volume of cross-border transactions, transformation in the economy of information, and reordering of societal intermediaries—raise a host of new governance challenges. Much of the commercial law that undergirds international business transactions, for example, has been designed to facilitate exchange among businesses, “repeat players” with the experience and resources to fend for their interests effectively. What adaptations should be made to this law when individuals (e.g., the man in the igloo) become transactors in the global economy? Or consider another challenge that follows from the Net’s empowerment of individuals. Nation-states differ widely in their laws and norms regarding freedom of speech and press. In the past, territorial borders prevented their differences in this sphere from breaking into open conflict save in rare cases. But cyberspace introduces porousness into those borders, enabling individuals to circumvent domestic laws and norms and to seek information in jurisdictions where they’re most likely to find it. Thus, Americans constrained by U.S. obscenity laws can shop for pornography on websites based in Holland, and French citizens governed by France’s regulations on the display of Nazi regalia can view it on websites based in the United States. How should nation-states resolve the inevitable legal and normative disputes that ensue?

Yet the challenges that the Internet poses for governance go beyond practical problems of the kind discussed above. At a deeper level, the Net challenges familiar notions of “government” and “governance” themselves, inviting us to rethink what a government is and what governance entails. For the past two centuries, the dominant governmental actor has been the nation-state. On the Net, however, other decision makers—particularly leading corporations (such as AOL, EBay, and Microsoft) and private multinational forums (such as ICANN, the Internet Engineering Task Force [IETF], and the World Wide Web Consortium [W3C])—are increasingly as important if not more so. These other actors are likely to make a greater number of governance decisions than nation-states, which are hampered by the slowness of legislatures, courts, and agencies. And their governance decisions are likely to have at least as much impact because they are often closer to users and to the Net’s infrastructure than are traditional governments. A shift in governance instruments accompanies this shift in governance actors. The dominant regulatory instrument of traditional governments has been law. But as Mitch Kapor, William Mitchell, and Larry Lessig have taught us, on the Net the dominant instrument of governance is “code”: the combination of software, hardware, and network design that substantially defines the nature of cyberspace.3

As the earlier free speech example tacitly suggests, the Internet also challenges traditional assumptions about sovereignty. Sovereignty in the physical world is, for the most part, clearly delimited. Multiple sovereigns may assert power to regulate conduct in the same territorial space, but their relations to one another are either plain from the outset or resolvable through time-honored legal devices (such as treaties, choice of law rules, and the doctrine of comity). Thus, the U.S. federal government, the state of California, and the city of Berkeley all claim authority to set rules for behavior in Berkeley, California, but all three understand that the U.S. Constitution’s supremacy clause resolves whose laws have primacy.4 And if a catastrophic industrial accident occurs in India at the local plant of an American firm using defective machinery manufactured in France, longstanding doctrines will enable courts to determine with relative ease the proper forum for the ensuing mass torts litigation.

In cyberspace, in contrast, sovereignty is interpenetrated and ambiguous. Consider the question of sovereignty over the Internet’s core code. The Net is defined by a set of protocols collectively known as Transmission Control Protocol/Internet Protocol (TCP/IP). The design of these protocols—and, in particular, the overarching “end-to-end” principle that funnels control to users at the network’s “edges” and allows all forms of communication to travel across the network without central control—has a profound effect on the range of conduct that can occur in cyberspace.5 Who has sovereignty to direct the evolution of this set of protocols and to decide whether and how the “end-to-end” principle changes? Private companies that own the physical infrastructure underlying the Net? Private companies offering applications and services that use the infrastructure? Governments that traditionally regulate the conduct of inhabitants within their territorial borders? There are no obvious answers to this question.

The foregoing discussion reflects the view—shared by most conference participants, though not all—that the governance challenges the Internet poses are in some ways new, and defy simple analogies to the challenges that followed previous technological innovations. But there is an important caveat. Virtually all participants agreed that the Net’s impact on human affairs is best understood within a broader context. The growth in the volume of cross-border transactions, increase in the liquidity of information, and advent of new social intermediaries, as well as the rise of competitors to the nation-state and the complication of traditional notions of sovereignty are not attributable to the Internet alone. They should be viewed as part of a larger phenomenon of globalization—which fuels, and is fueled by, the Internet’s popularity.

The conference that spawned this report took place before the catastrophic events of September 11, 2001. It goes almost without saying that those events have changed the way Americans and others think and talk about many issues, including Internet governance. In the United States, security is now at the forefront of public consciousness, and other values (such as privacy) have receded. What the long-term effects of September 11 will be—and whether the new emphasis on security becomes a permanent feature of public policy in the United States and elsewhere in the West—remains unclear. Whatever the long-term repercussions of September 11, however, it has already underscored that Internet governance is inextricably tied to broader questions of governance and globalization.

Trends and Challenges: Where We Are Now

What are the trends and challenges that define today’s Internet policy agenda and that will help shape tomorrow’s? Three key themes emerged from the conference discussions: first, the disappearance of the “borderless” Internet, as states and private actors alike seek to assert control over cyberspace by transforming it into an increasingly regulated space; second, the efforts of users to escape these controls by using new technologies, and the “arms race” that ensues as public and private actors respond; and third, the growing trend to resolve the contest for control on the Net by resort to private governance—governance by private entities which, unlike many traditional governments, afford the public little or no representation in decisions that affect it.


The Disappearance of the Borderless Internet and the Quest for Control

The quest of public and private actors to assert control over conduct in cyberspace results from, and accelerates, the erosion of the boundary between cyberspace and the physical world. As the Net mediates a growing proportion of human interactions, states find that they must regulate it in order to maintain the force of their laws within their physical borders. Thus, the attorney general of Minnesota sued gambling sites outside his state not because he wished to suppress the activity throughout cyberspace but because he sought to enforce his state’s own law that forbids Minnesotans from gambling.6 The Council of Europe backed the “cybercrime” treaty for similar reasons. The treaty, which has yet to take effect in the United States, would require Internet service providers (ISPs) to maintain logs of users’ activities for up to seven years and to keep their networks tappable by law enforcement agencies.7 These measures spring not from any desire by European governments to assert Orwellian control over the Internet but from their accurate recognition that effective crime control “on the street” now requires interdicting criminal activity online. As the foregoing examples indicate, erosion of the boundary between cyberspace and the physical world renders cyberspace itself a more regulated, bordered place—a place that more closely resembles the world outside.

A similar dynamic is at work with private actors such as ISPs, software vendors, and content distributors. The blurring of boundaries between the “virtual” and the “real” world manifests itself in the private sector as a blurring of the boundary between e-commerce and “physical” commerce: A growing proportion of all commerce is transacted at least in part online. In their efforts to capture and cordon off a share of this commerce, private actors are building new kinds of borders in cyberspace that often reinforce states’ attempts to superimpose territorial borders there. Thus, AOL, the owner of a massive “names and presences” database associated with its AIM instant messenger service, has bordered this namespace in the name of “security” and thereby prevented other instant messenger services from interoperating with AIM. Microsoft has unveiled an initiative to issue all Netizens with digital certificates or “passports” that would contain authenticated identifying information about them—encoded in software controlled by Microsoft and its partners, and not presently interoperable with other identification systems. Numerous firms are at work developing rights-management systems that would enable fine-grained monitoring and control of what users do with intellectual property on the Net: software that reports not just whether you downloaded the MP3 file but how many times you’ve played it, how many times you’ve copied it, where you’ve stored it, and who you’ve shared it with. Still other firms are marketing “mapping” software that can pinpoint an Internet user’s geographical location with a high degree of certainty. This software allows advertisers to target consumers with greater refinement, yet it’s likely to find another customer base as well: sovereign states looking for efficient ways to map their laws onto the Net.

The Unfolding Arms Race: Technologies of Freedom and Technologies of Control

Not surprisingly, many users have responded to the zoning efforts of public and private actors by turning to technologies that restore (and in some cases enhance) elements of their freedom. Perhaps the most common example: anonymizing technologies aimed at empowering users to communicate in and move about cyberspace free from surveillance by governments or corporations. These technologies range from “first generation” websites that serve as protective “shells” for surfers seeking privacy to more sophisticated software enabling users to join a network of computers that serve as shells for one another. Needless to say, such technologies are locked in a fierce battle with the new mapping technologies. But the battle isn’t purely technological. While it plays out through a rivalry of technologies, it reflects two broad groups of antagonists. On one side are states and corporations that correctly understand that user anonymity deprives them of control. On the other are users and code-writers (many academic, but some entrepreneurial) who resist the control that states and corporations would wield. Each side in this battle has resources beyond technology at its disposal. States and corporations can leverage the power of laws and markets; users and code-writers can leverage their quickness and relative anonymity. Which side will ultimately prevail? Conference participants did not address that question at length, but they agreed that the answer will have a vast impact on the future of the Net.

Anonymizing and mapping software comprise only one facet of the technological arms race. Peer-to-peer computing (P2P) represents another, one which may prove at least as important in determining the balance of power between users and entities that would govern them. P2P, made famous by Napster, refers to a class of applications that seek to take advantage of the immense computing resources latent in devices at the “edge” of the Internet—such as PCs, personal data assistants (PDAs), and web phones—by connecting them directly to one another. To access these decentralized resources in a manner that maintains their autonomy from centralized servers, P2P applications bypass the Internet’s domain name system and rely instead on alternative addressing architectures. P2P applications thereby liberate users in two interrelated ways. First, they enable users to transform their devices into “peers” that can interact with one another and form impromptu networks while relying minimally (if at all) on centralized intermediaries. Second, they empower users to unbundle, share, and aggregate any resource contained in their individual devices: storage capacity, processing power, communications capability, content, or whatever else. This leveraging effect is what transformed the modest, isolated music collections of individuals into the mega music library of Napster.

Both of P2P’s liberating effects—the ability to connect “edge” devices directly to one another and the ability to share the resources in these devices—make it much easier for users to form autonomous communities in cyberspace. Indeed, numerous P2P-based communities already exist: Witness the immense followings garnered by Napster and its progeny or by instant messaging systems such as AIM and ICQ. Of course, the very characteristics that give P2P its breathtaking community-building potential also render the communities it spawns very difficult to police because of an absence of centralized control. P2P thus creates serious challenges for governments and service providers. Exhibit A: Napster. As everyone knows, Napster was ultimately ordered to shut down because public and private authorities could not devise a less draconian remedy to prevent the copyright infringement that it facilitated. Yet the legal injunction against the company has been far from foolproof: Other P2P applications such as Gnutella and Morpheus have sprung up as substitutes (albeit with smaller user bases so far). In a future in which P2P communities are rife, it seems unlikely that litigation alone will succeed in regulating them. A more plausible scenario envisions traditional governments enlisting private-service providers to help restore a measure of centralized control through tools such as terms-of-service agreements and monitoring technologies. The effectiveness of that approach remains an open question.8

The Napster case raises an important, broader point that several conference participants took pains to emphasize: namely, the normative ambiguity of the emerging arms race between technologies of freedom and technologies of control. This battle, participants agreed, does not pit “good” versus “evil.” P2P applications, for instance, lend themselves just as easily to positive ends (e.g., communities engaged in grassroots sharing of ideas and inventions) as they do to destructive ones (e.g., networks of lawbreakers aggregating computing resources to destabilize society). The point applies to mapping and anonymizing technologies as well. In the hands of authoritarian governments, mapping technologies can facilitate repression, while anonymizing technologies can allow users to escape it. Conversely, in the hands of wrongdoers, anonymizing technologies can facilitate fraud, defamation, piracy of intellectual property, and cyberterrorism, while mapping technologies can allow governments to police such violations. Whether these technologies promote the public good depends entirely on who is using them and how. This reality suggests that society may do well to strive for balance between the powers of users and those of governance actors—a theme we revisit below.

The Rise of Private Governance Arrangements

If the contest for control between decentralized users and centralized authorities is a defining part of the present moment in the Internet’s history, so too is the rise of private governance arrangements that increasingly mediate that contest. “Private governance” refers to governance by private actors that affects the public but affords it little or no representation in decision making. Such governance exerts influence over the Net in several different forms. Private, multinational entities such as ICANN, IETF, and W3C, which are not directly accountable to the public, leverage technical expertise to play growing rulemaking, standard-setting, and advisory roles in shaping the changing architecture of cyberspace. Private corporations such as AOL and Microsoft, whose first mission is to maximize shareholder value, control borders on the Net (such as borders around namespaces) that concern not only their own customers but also millions of other users. And governments themselves increasingly seek to “deputize” private actors such as ISPs and portals in order to regain traditional powers that have ebbed in cyberspace—as illustrated by developments such as the European cybercrime treaty and the French judiciary’s ongoing conflict with Yahoo! This “deputizing” trend—which enables governments to regulate with far less transparency than many ordinarily do—is likely to become more important in the future as P2P applications blossom.

The rise of private governance arrangements on the Net intersects in important ways with the rise of code (software, hardware, and network design) as the dominant instrument of regulation in cyberspace: The trends are mutually reinforcing. Greater reliance on code as a regulatory instrument further “privatizes” decision making for several reasons. First, code is less transparent than law and therefore less susceptible to democratic scrutiny. The popular press and the public can readily grasp the import of most laws enacted in Washington and Brussels; the same cannot be said about their abilities to decipher the political decisions invisibly embedded in products that emanate from Silicon Valley or Redmond.

Second, as Larry Lessig has demonstrated in his pathbreaking work, code is less amenable than law to resistance by individuals and to the oversight by democratic institutions that resistance facilitates. If you believe that a contract to which you’re a party interferes with your rights under the copyright law, you can breach it and thereby place the burden on the other party to sue you; what’s more, a court—a neutral and independent decision maker—will decide who’s right. But if you believe that the coded copyright protection scheme on your newly purchased software infringes your rights, resistance is far more difficult. If you can’t hack through the protection scheme (and most of us can’t), your options are to deal with the company (not exactly an unbiased adjudicator) or to sue in court yourself (an expensive and time-consuming burden that few people are likely to undertake).9

Third, the rise of code tends to privatize decision making because code-based solutions to governance problems originate disproportionately from private actors—and thus often reflect the preferred approach of those actors to the choices at hand. This last point is in a sense the “flip side” of the earlier point regarding transparency: It’s not just that the public can’t easily understand code, but also that it can’t easily write it, and isn’t abundantly represented by people who can. Laws enacted in legislatures typically reflect the input of numerous “public interest” groups that advocate on the public’s behalf; coded solutions to governance problems do so to a far lesser extent.

From Where We Are to Where We Are Going

The aim of the foregoing discussion has been to set the stage. We began by pausing to consider why it makes sense to think about Internet governance at all, then briefly canvassed some of the key trends that mark the present moment in the Net’s development. The survey of those trends has been necessarily selective: much more would need to be said to offer a complete picture of “where we are” (and providing such a complete picture was not one of the conference’s objectives). But the themes in the foregoing discussion frame the discussion to come. Amid the vanishing of the “borderless” Internet, the unfolding contest for control between states, private actors, and users, and the rise of “private governance” arrangements, can we arrive at guiding principles to help steer toward effective governance solutions for the Net? What are the proper roles for traditional and alternative governments—for states, private decision-making forums, corporations, NGOs, and users? And can the answers to these questions help address specific Internet governance challenges in areas such as extraterritoriality, user confidence, and namespace management?

Guiding Principles

As conference participants emphasized time and again, reliable formulas for good governance do not exist in the Internet context any more than they do in the context of society writ large. Effective solutions to governance challenges on the Net are likely to emerge from the concrete particulars of problems, not from abstract prescriptions. Yet this reality does not mean that the search for principles to guide decision making is wasted. On the contrary: Such principles—beacons in a sea of choices—can help decision makers chart a course away from known dangers and along routes more likely to lead to safe land. In their absence, navigation is more difficult and more perilous. The conference discussions pointed to several of these beacons.

Decision Making Based on Openly Debated and Clearly Articulated Values

Participants generally agreed that regardless of which institutions take the lead in any particular governance decision for the Internet, both the process of decision and the substantive outcome should be based on values that communities affected by the decision have openly debated and chosen. Ideally, everyone affected by a decision would reach consensus on these values, but in practice consensus may often be unachievable. In such cases, openly debating the values that will guide decision making and articulating the values chosen is a second-best objective.

Participants suggested numerous values that may merit consideration in any given governance decision. With respect to the process of decision making: Are the decision makers accountable? Is the process transparent? Does it provide adequate representation to those affected? Does it otherwise take account of their interests? Does it provide for a diversity of participants? Is it quick enough to respond to technological and market developments? Has it considered competing solutions and any empirical evidence as to their success or failure? With respect to the substantive result: Is it enforceable? Scaleable? Cost-effective? Has it factored in the existence of economic, technological, and regulatory uncertainty? What are its effects on innovation? On connectivity? On the public’s access to information? On other values, such as the “end-to-end” principle? What, if any, are its distributive consequences? Its equity implications and impact on the “digital divide”? These questions are only a beginning, but they capture some of what should be included in public deliberation on appropriate values to guide governance decisions for the Net.

States and the communities that comprise them differ, of course, with regard to the values they hold dear. Participants suggested that it will frequently be impossible for diverse communities linked together by the Net to harmonize their disparate values. No one should expect the emergence of a constitution for the Internet—at least not one that offers the far-reaching rights and privileges of many national constitutions. Still, a majority of states may be able to agree on a limited number of substantive norms—for instance, protecting the integrity of the Internet itself against terrorism, or prohibiting the distribution of child pornography in cyberspace. When agreements are unobtainable, states may cooperate to make their rules for the Net “interoperable,” thereby minimizing outright conflicts.

The inevitability of normative disagreement between communities raises a difficult issue. Most political decision-making bodies in today’s world are local or national. Yet the Internet is a global medium, and some governance decisions regarding the Net (although it may be unclear which) are global in nature. How should the Net’s stakeholders deal with this asymmetry? Three relevant points emerged from the conference discussions. First, participants disagreed with one another about whether and to what extent Internet governance actors committed to “democratic” values have the prerogative, or the duty, to advance those values in jurisdictions that reject them. If an authoritarian state makes a practice of using the Internet to spy on the activities of political dissidents, for instance, how should a democratically oriented ISP that has entered the market in that state respond: by taking affirmative steps to foil the practice, by tolerating but refusing to abet it, or by complying with the state’s demands for cooperation? Participants offered widely divergent answers to this type of question.

They reached consensus, however, on a second point: illiberal regimes demanding that the rest of the world incorporate their values into the governance of the Net as the sine qua non of their connectivity should be flatly refused, even if this means sacrificing the Net’s global reach. One conference participant posed a prescient hypothetical scenario in teeing this point up for discussion: Suppose the Taliban suggested that they would permit widespread connections to the Internet within their jurisdiction as long as all photographs of women on the World Wide Web featured them clothed in hijab. The scenario is obviously an extreme one but all participants agreed on how the Internet’s existing stakeholders should respond to such an offer.

Participants also expressed agreement on a third point: that certain “democratic” values are embedded in the current architecture of the Net itself. The end-to-end principle provides perhaps the best (and most widely cited) example. Though originally adopted to promote the network’s efficiency, not to protect the Internet’s users from centralized control, the end-to-end principle has contributed in a profound way to the latter value. The “dumb” network we have today cannot filter the data packets it transports on the basis of their content; indeed, it does not “know” (and therefore cannot reveal) what those contents are. Of course, the end-to-end principle is not inherent to the Internet. On the contrary, an intense debate rages regarding whether and to what extent it should be retained as the Net’s infrastructure evolves.10 But as the various actors struggle to resolve normative differences between them in making global governance decisions for cyberspace, the values embedded in its existing infrastructure provide important “defaults.” Participants generally agreed that the burden should lie with those who would modify these defaults and not with those who would retain them.

Drawing on Relevant Historical and Legal Antecedents to Help Guide Decisions

Just as values embedded in the infrastructure of the Internet are relevant to decisions regarding the Net’s future, so too are values embedded in the historical and legal traditions of societies. Too often in conversations about cyberspace, several conference participants suggested, these values are forgotten or ignored. Thinking of governance decisions for the Internet as a tabula rasa is dangerous for at least two reasons. It cheats decision makers of accumulated wisdom that can help craft effective solutions, and it distances decision making from social values that often have already garnered legitimacy and public support, increasing the risk that governance choices will fail to reflect those values adequately.

Marc Rotenberg’s recent scholarship powerfully demonstrates how a close analysis of historical and legal antecedents can cast light on societal values and norms that should bear on governance decisions for the Internet.11 Focusing on the area of privacy, Rotenberg mines the rich legal tradition of privacy protection in the United States: Justice Brandeis’ classic dissent in Olmstead v. United States, the Supreme Court’s adoption of Brandeis’ view—and its recognition that the Fourth Amendment applies to telephone wiretaps—in the Katz case, Congress’s adoption of the landmark Privacy Act of 1974, the evolution of Fair Information Practices, and the ensuing incorporation of these practices into a host of statutes, administrative rulings, and technical standards.12 This tradition, Rotenberg posits, embodies a cohesive set of choices about how privacy should be protected in the United States, yet it has been almost entirely ignored by “cyber-pundits” in discussions regarding privacy protection in cyberspace. One need not agree with Rotenberg’s position on the extent to which these historical choices merit assimilation into the Net to accept his contention that it is a mistake to omit them from conversation about Internet privacy. And the deeper point of his argument applies beyond the realm of privacy to the full array of governance decisions facing the Internet.

“Globality”: Truly Global Participation Where Decisions Are Truly Global in Impact

Institutionally speaking, the Internet is an invention of the American government—a fact by now well known. Over time, the government has moved to privatize the Internet’s administration. Yet several conference participants, particularly those based outside the United States, reported a widespread perception around the world that U.S. institutions and personnel still dominate key governance decisions for the Net. This perception, many participants agreed, is often accurate. A representative example: ICANN. Although ICANN has taken important steps to internationalize the composition of its executive board, numerous participants (based inside and outside the United States) noted that the organization retains an American “tilt.” Its headquarters are located in Los Angeles, for example, making the organization more naturally attuned to American input, and its staff consists disproportionately of U.S. nationals. Conference participants agreed that this situation needs to change: Where governance decisions for the Net are truly global in impact—for example, in decisions regarding the administration of the domain name system or the transition to the next generation of the Internet Protocol (IPv6)—they should be made with truly global participation. Participants called this the “globality” principle. Respecting globality becomes increasingly important as we move toward a world in which China and India overtake the United States as states with the greatest number of Internet users.

Yet the globality principle has limits. As the Taliban example suggests, global participation does not trump all other values that impinge on Internet governance. Where such participation trades off against other values, participants agreed, it may need to give way. Furthermore, not all Internet governance decisions are global in nature. Commentators have often remarked that “cyberspace” consists of myriad “cyberspaces,” in which innumerable governance decisions are made through diverse forms of government (ranging from government by AOL to government by the agora). For most of the Net’s users, this federalism and the opportunities for local decision making it allows are an integral part of what makes the medium worthwhile. Accordingly, globality should not be mistaken as an endorsement of a “global government” for the Internet. The need for global participation in Internet governance decisions that have a global impact by no means suggests that all or even most governance decisions implicating the Net are global ones calling out for centralized authority.

Turning Institutional and Procedural Heterogeneity into an Advantage

The diversity of Internet governance actors alluded to above can be bewildering. The orderly structure of government that many of us were taught in civics class does not exist for the Internet (though whether its absence is cause for celebration or concern is debatable). Instead, Internet governance unfolds in a mosaic of interactions among multinational, national, and local entities operating in the public, private, and “third” sectors that wield influence through laws, norms, architectures, and markets (among other instruments). It is tempting to try to resolve which of these entities and instruments would be “best” suited to address governance challenges in specific areas—for instance, whether criminal law enforcement on the Net should be delegated principally to multinational, national, or local entities, how closely private actors (such as ISPs) should be involved, and to what extent the problem should be addressed through modifications to the Internet’s architecture, instead of (or in addition to) through law. Conference participants expressed widely divergent views on these types of questions. A few participants, for instance, sought to produce a matrix “matching” specific subject areas with certain actors. Others maintained that such a matrix could not do justice to the diversity of actors and modalities of influence that impinge on any given subject area in the Internet governance arena. Participants likewise disagreed on related questions: for instance, whether new governance institutions are needed for the Net to supplement those that already exist, which governance challenges are better addressed transnationally and which by individual nation-states, the proper balance of public and private action in particular governance areas, and how much faith to place in the “self-governance” arrangements of users. These disagreements made clear that the entities and instruments best suited to address the Net’s governance challenges are likely to vary from case to case and to emerge only after competing solutions have been tried.

Yet it would be a mistake to regard the heterogeneity of Internet governance actors and instruments merely as a source of confusion and disagreement. It is also a source of opportunity. In the U.S. Constitution, the separation of powers among different branches of government (legislative, executive, and judicial) and the splitting of sovereignty among different levels of government (federal, state, and local) yield a system of checks and balances and democratic experimentation.13 The checks and balances help prevent any individual governance actor from accreting an excess of power that would lend itself to abuse. Democratic experimentation, in turn, generates competing solutions to governance problems that enable decision makers to zero in on the most effective solution based on an empirical record of success and failure. The heterogeneity of entities and instruments interacting to make governance decisions for the Internet holds out the promise of similar advantages—if they can be orchestrated to complement (and check) one another to avoid Babelian cacophony.

To that end, conference participants observed that there is often room for multiple actors to participate helpfully even in a single area of governance, and that the intervention of a particular actor need not occupy the field. Several distinctions illuminate the variegated nature of the space for intervention. One interrelated set of distinctions are those between coordination and control and between prevention and enforcement. These distinctions pertain principally to states and the agents to which they delegate or cede authority over Internet governance. At one extreme, states can intervene in an Internet governance decision solely in a coordinating capacity—for instance, to encourage industry standard-setting. Here states have no significant prevention or enforcement role, and space for other actors to participate in governance is wide. At another extreme—for example, in policing cyberterrorism—states can intervene to control conduct, and can deploy their full powers both to prevent certain conduct from happening and to punish it after the fact by enforcing the law. Here space for other actors to participate in governance is narrower, but it still exists. Indeed, states may seek to conscript private entities (such as ISPs) to assist them in monitoring and enforcement. Other private parties may participate voluntarily through alternative instruments of governance; users in chat rooms, for instance, might engage in a cyberspace version of “neighborhood policing” to report suspicious remarks or postings to authorities. Between the extremes of coordination and control lies a spectrum of varying degrees of sovereign intervention, corresponding to varying space for other actors to participate in governance.

Another distinction that highlights the opportunity (and need) for coordinated governance by multiple actors is that between “horizontal” and “vertical” decisions. “Horizontal” decisions produce rules that are specific to a discrete policy area (e.g., taxation). “Vertical” decisions, in contrast, seek to create cohesiveness between rules in different policy areas (e.g., taxation and criminal law enforcement). In practice, the distinction between horizontal and vertical decisions is less a dichotomy than a continuum: Rules that govern a particular area can have greater or lesser interconnectedness with rules in adjacent areas. Building an appropriate degree of interconnectedness between rules in different areas, participants suggested, should be an important part of the Internet governance agenda. Meeting this goal will necessarily involve multiple actors—not just the bodies responsible for rulemaking but also third parties (such as regulated entities and watchdog organizations) with knowledge of how rules in different areas interact with one another at the implementation level.

To be sure, in rare cases space for multiple actors to participate robustly in Internet governance may not exist. In these cases—the “natural monopolies” of Internet governance—intervention by too many would-be decision makers would risk fragmentation of the Net or chaos. (Consider, for instance, the likely outcome if rivalrous actors undertook competing efforts to manage certain parts of the Internet’s core infrastructure.) Here, participants generally agreed, the task is to settle on a single, legitimate decision maker, entrusted with “final” authority, that can efficiently administer the resource at issue. Of course, this decision maker will succeed only with the cooperation of other actors—including, at minimum, their forbearance from intervention.

Roles of Different Actors (I): Traditional Governments

The foregoing discussion suggests that the heterogeneity of entities and instruments for Internet governance may be a blessing—if these entities recognize the opportunities for, and imperative of, coordinated action. Spheres of Internet governance are rarely akin to natural monopolies; more often, these spheres resemble ecosystems in which diverse actors occupy discrete niches and thereby contribute to the well-being of the whole. The ecosystem analogy, however, raises an obvious yet difficult question: What are the appropriate niches of different actors? To expand the question: What are the distinctive strengths and weaknesses of potential participants in Internet governance arrangements? And in light of those strengths and weaknesses, as well as the trends that characterize today’s Internet policy agenda, what roles should those participants be expected to play? The discussion to come takes up these questions for an array of different actors, beginning with traditional governments.

A Brief History: Traditional Governments and the Internet from Then to Now

During the early years of the Internet’s explosive growth phase, conventional wisdom held that traditional governments should “stay out” of regulating cyberspace. Policymakers, cyberpundits, and academics alike recited this conventional wisdom as gospel. Thus, the Clinton administration’s influential white paper, A Framework for Global Electronic Commerce, argued that government should regulate the Internet only when “necessary” and should generally avoid intervening in its development.14 Activist John Perry Barlow’s much-cited Declaration of the Independence of Cyberspace told governments they had “no sovereignty where we gather” and asked them to “leave us alone.”15 And in the Stanford Law Review, attorneys David Johnson and David Post published a seminal article contending that cyberspace should be governed not by the laws of any traditional sovereign but by the rulemaking efforts of its constituent communities.16

As the Internet has matured and its integration with economic, political, and social life in the “physical” world has increased, governments have abandoned the old conventional wisdom and started to assert some of their traditional regulatory authority in cyberspace. Their efforts have been motivated at least in part by a “Red Queen effect”—a recognition that they must expand the reach of their laws into the Internet if they hope to preserve the force of those laws within their physical territories. As governments are discovering, however, enforcing traditional laws is far less straightforward in cyberspace than in the physical world. Private governance arrangements increasingly compete with and displace those laws altogether. P2P and anonymizing applications enable individuals to transact on the Internet largely free from centralized control. And the fact that the Internet allows individuals to be in two places at once—at their desks as well as online—presents states with an extraterritoriality conundrum. To enforce domestic laws against citizens surfing the Web at their desks, states must seek to apply those laws to websites based entirely abroad, creating conflict with foreign sovereigns. We revisit this problem in greater detail below.

Why States Aren’t Going Away

Notwithstanding these difficulties, states are unlikely to take leave from Internet governance matters. On the contrary: Conference participants agreed that states are likely to remain dominant actors on the scene, for several reasons. First, as one participant—a leading policy advisor—pointed out, traditional governments tend to believe they have the power, legitimacy, tools, and obligation to address Internet governance. The difficulties they have met in applying their customary regulatory authority in cyberspace have not dissuaded them from this conviction. Second (and relatedly), states are unlikely to allow their sovereignty in the “physical” world to be lost to actors in the virtual world without their consent. So long as cyberspace appeared to be a “separate” realm where “Netizens” gathered to experiment in self-governance, states could afford to stand back and permit the grand experiment to unfold. But as the interpenetration of cyberspace and physical space has increased, and states have come to realize that this interpenetration puts their sovereignty over the physical world at risk, they have lost their inclination to forbear from intervening. Third, even where states forbear from direct intervention, they are likely to remain a looming presence; their powers may be invoked to help prevent the breakdown of private mechanisms and to referee disputes that arise when such breakdowns occur. Conference participants agreed that state powers will predictably be called upon, for instance, to monitor self-governance schemes, prevent fraud, police the exercise of market power, enforce private agreements, and remedy the perceived failure of alternate decision makers—among other purposes.

States’ Handicaps and the Need for Self-Restraint

The fact that states are likely to play leading roles in Internet governance does not mean that they are ideally suited to do so. Indeed, conference participants cited several factors that handicap traditional governments in this sphere. Internet governance decisions are typically technical in nature, but states often lack technical expertise. The pace of change in technology and global electronic marketplaces is highly rapid, but government decision making is notoriously slow. And the most powerful instrument through which to mediate governance solutions in cyberspace frequently is code, but states traditionally express their governance decisions through law.17

These mismatches (among other reasons) motivated many conference participants to posit that states should be encouraged to exercise self-restraint in Internet governance arrangements. Participants cited numerous factors that might influence states to forbear from intervening. These factors include conclusions by states that their vital interests, and those of their constituents, are not at stake, that other organizations occupy the field and have gained a measure of legitimacy, that nonstate solutions (e.g., self-governance by users) offer the most cost-effective and legitimate means of promoting the public interest, and that the nature or scale of the activity does not yet justify deploying the state’s powers. Obviously, each of these “forbearance factors” raises questions of its own. Gauging the legitimacy of nonstate actors and solutions, for example, is far from straightforward. Yet the difficulty of describing precisely where forbearance by states is appropriate should not obscure the general point that states should regard self-restraint in matters of Internet governance as a virtue.

States’ Strengths and the Need for Their Continued Involvement

Not, however, the only virtue. For conference participants also suggested that states have a responsibility to help promote the emergence of positive civic orders on the Internet, and that the emergence of such orders hinges on states’ assuming active roles in several areas. Many participants, for instance, agreed that states are well-suited to capture and consolidate the collectively shared values that should guide Internet governance decisions. AOL, W3C, and nonprofit organizations such as TRUSTe do not afford individuals the rights of democratic participation and representation through which collectively shared values are often expressed and crystalized. Many traditional governments do. Recognizing that traditional governments constitute repositories for these values does not commit one to any particular position on how they should intervene to advance them in Internet governance decisions, or even whether they should intervene at all. But, at minimum, such a recognition suggests that traditional governments are well-suited to serve the referee and safety-net functions earlier mentioned when private governance mechanisms in cyberspace break down.

Several conference participants—though far from all—also maintained that states have a broader duty in Internet governance: to mediate relationships between individuals and private actors in cyberspace in a way that protects individuals’ rights and the values that society deems inalienable. As Larry Lessig and others have compellingly argued, one way that traditional governments can fulfill this duty is to deploy public policy in support of Internet architectures that comport with collectively shared values. What those architectures might be is hotly contested; frequently mentioned examples include an “end-to-end” network, open-source software for Internet applications, and “open access” to broadband conduits.18 One may question the desirability of each of these architectures and still support the active involvement of traditional government in architectural design decisions for the Net.

Another, related role that traditional governments can play in fulfilling the more expansive duty that several participants posited is to vet “self-governance” arrangements in cyberspace for their accord with collectively shared values. Although such arrangements come in different shapes and sizes, some emerge not from grassroots organizations but from industry consortia. These consortia, in turn, often design self-governance arrangements with industry’s interests, not the public’s, in mind. Because relationships between corporations and individuals on the Internet are characterized by asymmetric power, users are frequently unable to bargain fairly regarding the “terms” of these arrangements, nor to reject them in favor of others once they are in place. Here is where traditional governments can usefully intercede: By vetting these arrangements before they take effect, governments can seek to incorporate protections for social values and utilize their weight to block arrangements that fail to protect those values adequately.

The European Union’s (EU) scrutiny of the Platform for Privacy Preferences (P3P) offers a recent example of traditional government playing this type of role. P3P, sponsored by W3C, is a privacy management architecture that would take input from users regarding their privacy preferences and then determine if any given website met those preferences. Seeking to assess the impact of P3P on legal rights in force under its privacy directive, the EU assigned a working group to examine the proposed scheme. This working group, in turn, concluded that P3P would “not in itself be sufficient to protect privacy on the Web” and would succeed in doing so only if “applied within the context of a framework of enforceable data protection rules, which provide a minimum and non-negotiable level of privacy protection for all individuals.”19 The working group report prompted the EU to withhold its support from P3P—despite the fact that it had been endorsed in the United States by leading government officials and by privacy NGOs. This is not to say that the EU’s decision is correct, but that governments may help to ensure that private arrangements reflect societal values.

A Sense of Balance

Not surprisingly, in light of their diversity, conference participants expressed broadly divergent views on the proper role of traditional governments in governing the Net. Some argued that governments should err on the side of self-restraint, others that they should err on the side of active involvement. What emerges, perhaps, is that governments should strive for a sense of balance. As permanent participants in this ecosystem, governments should take care neither to dominate it themselves nor to permit it to be dominated by other actors.

Roles of Different Actors (II): Alternative Governance Organizations

As traditional governments strive for balanced engagement with Internet governance matters, they will need to pay special attention to a cluster of alternative governance organizations (AGOs) that play an important role in the Net’s ongoing evolution. These alternative decision makers—such as ICANN, IETF, and W3C—are diverse in their own right but share several common characteristics. Although their authority is typically limited to advice-giving, standard-setting, and (occasionally) private-sector rulemaking, in practice their decisions are often incorporated into the Net’s architecture with little input from traditional governments. This influence over the Net’s architecture stems in part from the “technical” matters on which these organizations focus: for instance, administering the Net’s domain name system (ICANN), shaping the next-generation Internet Protocol (IETF), or designing a system for filtering content on the World Wide Web (W3C). Yet while the decisions made by AGOs are typically “technical” (i.e., readily understood only by those with specialized knowledge), they are also political—directly affecting the distribution of resources and creating “winners” and “losers.” Unlike many traditional entities that make political decisions, however, AGOs are often neither representative of, nor accountable to, the public. Though ostensibly “open” to participation by all comers, they are characteristically populated and run by private-sector representatives with relevant expertise. Similarly, though ostensibly “global” in membership, they typically include few or no representatives from the developing world in their leadership ranks, despite making decisions that are often genuinely global in impact. And though ostensibly “transparent” in their decision processes, AGOs remain virtually invisible to the public because their work receives so little attention from the popular media.

The emergence of this new class of governance organizations is not unique to the Internet. As journalist Richard Longworth noted in The American Prospect, their growth is part of the globalization phenomenon, in which “the global economy has escaped national boundaries, but democracy and its practitioners have not.”20 Thus, ICANN, IETF, and W3C have much in common with entities that traffic in very different subject matters, such as the International Accounting Standards Board, the International Organization for Standardization, and (to a lesser extent) the Bank for International Settlements. Yet if the rise of AGOs is not unique to the Internet, certain of the Net’s characteristics—the technical nature of decisions about its future course, its transnational reach, and the fact that traditional governments long encouraged other actors to lead its development—have given AGOs particularly powerful roles in Internet governance.

The Legitimacy Gap

Power, but not legitimacy. Many conference participants observed that while alternative governance organizations have contributed much to the Internet’s development, their lack of accountability to the public has rendered their decisions less than fully legitimate.21

Participants focused on ICANN as a representative case study. ICANN was formed to internationalize and privatize the administration of the Internet’s domain name system (DNS) and other related tasks.22 Before ICANN existed, administration of the DNS resided with the U.S. government—which, in practice, delegated it to a small group of expert technologists and private firms. ICANN, then, was conceived as a “good governance” measure: Administering the DNS through a single private body with international composition would (the theory held) improve the results and make them more legitimate. But ironically, as several conference participants pointed out, ICANN faced a legitimacy gap from its inception: The selection of its initial board members was shrouded in secrecy and yielded a board composed predominantly of U.S. nationals.

ICANN has since taken steps to meliorate these problems. Five of its 19 board members are now elected by a vote of Internet users worldwide, and a majority hail from outside the United States. Yet many conference participants agreed that such measures, though doubtless improvements, have failed to address deeper issues that continue to undermine the legitimacy of ICANN’s decision making. Those issues—which, several participants noted, are just as relevant to IETF and W3C as to ICANN—concern a host of ambiguities surrounding the organization’s role and responsibilities. What are ICANN’s goals? Are they purely substantive—for instance, to administer the DNS in a manner that preserves a “single root” for Internet addressing? Or are they also procedural—for instance, to represent the interests of all communities affected by the organization’s decisions? Assuming that ICANN does have some procedural duty to the public, is this duty to represent the public’s interest, to be representative of the public, or to allow the public to participate in ICANN’s deliberations? If to represent the public’s interest, how should one define that interest—by resort to traditional legal definitions or to others? And what kinds of constituencies (geographic, demographic, psychographic) should be the focus as ICANN directors assess which interests make up the “public interest?” Different answers to these questions point to very different choices for institutional design, but conference participants agreed that these questions have not yet been adequately answered. Until they are, ICANN (and similar entities) will continue to suffer from a “legitimacy gap.”

That legitimacy gap, in turn, may undermine the standing of alternative governance organizations in the eyes of traditional governments and ultimately threaten their ability to contribute the valuable expertise that even critics concede they possess.


Addressing the Legitimacy Gap

Participants voiced diverse views on ICANN’s mission and goals. Some suggested that the organization should seek to serve the public interest but not necessarily to represent the public. Others posited that ICANN’s deliberations should allow for public participation, absent which the organization’s decisions would fall short of robust legitimacy. Still others advanced arguments that neither the “public interest” nor “public participation” are proper touchstones for ICANN and that the organization should instead focus on narrow substantive goals such as ensuring the continued existence of a single, unified DNS. By focusing on narrow substantive goals instead of broad procedural ones, these participants maintained, ICANN would minimize the risk of a continual expansion in its mission that could lead (as some critics have already charged) to a “United Nations for the Internet.”

Although conference participants did not resolve these disagreements, they did arrive at a rough consensus on several strategies to address the legitimacy gap facing ICANN and other AGOs in the Internet sphere. First, whatever their procedural goals, alternative governance organizations should be bound by well-defined substantive agendas centered on finding solutions to a discrete set of problems. As a corollary, they should be reluctant to assume new responsibilities once their initial mandates have been articulated. Adhering to these principles should largely prevent “mission creep”—which, most participants agreed, does pose a danger of stretching an institution such as ICANN beyond its own capabilities and competence. (As one participant who has had a longstanding involvement with ICANN put it, “ICANN” should not become a synecdoche for “Internet governance.”)

Second, alternative governance organizations should diversify their leadership circles and their implementation staffs. In part, this diversification needs to be geographical: AGOs should include representatives from all corners of the globe (and the developing world in particular) if they seek to respect the globality principle. But geographical diversity alone is not enough; AGOs should also work to diversify the perspectives of their membership so that their decision making reflects the input not only of private industry but also of consumer advocates, local user communities, and other stakeholders in Internet governance arrangements. To paraphrase one conference participant, taking globality seriously means thinking about the implications of governance decisions for humanity writ large, not just including token representatives from states around the globe. Ensuring that an AGO’s deliberations are based on diverse perspectives is a precondition of such an enterprise.

Third and last, alternative governance organizations themselves—or, if need be, the traditional governments that retain power to displace them—should devise and implement checks that render AGOs more accountable to the public. In the United States (as in other countries), administrative agencies that concentrate technical expertise within the government are empowered to make decisions with considerable independence from the more “political” branches. Yet these agencies are also constrained in ways that make them publicly accountable. For starters, their mandates are textually defined in law. Stakeholders who believe that an agency has abused its mandate can seek redress from Congress, which conducts regular oversight hearings. Or they can complain to the executive branch, whose head (the president) typically nominates the agency’s leadership. Or they can challenge the agency’s decision in the federal courts, which retain power to reverse a decision if it exceeds the agency’s delegated authority. Similar mechanisms do not exist to check the decisions of ICANN, IETF, and W3C.23 (Traditional governments can of course attempt to “undo” the decisions of these AGOs by enacting laws, but that check is more drastic—and far more difficult for complaining stakeholders to effect.) All of this is not to suggest that the checks on agency decision making in the United States should (or could) be imposed on ICANN and its ilk, which after all are private entities. Such checks may serve as points of departure, however, as public policymakers think about how to attenuate the insulation of these AGOs from public accountability.

Roles of Different Actors (III): Corporations, Traditional NGOs, and Users

Conference discussions on the roles of different actors in Internet governance focused predominantly on nation-states and on AGOs such as ICANN. Yet participants uniformly agreed that other actors—corporations, traditional non-governmental organizations, and users—are often just as integral in formulating effective governance solutions for the Net. Although participants did not address the challenges and opportunities confronting these other actors in detail, they did broach questions and insights that illuminate the relations of these actors to one another, to traditional governments and AGOs, and to the Net’s overall governance ecosystem.

Corporations

With dominion over websites visited by more people per day than inhabit most cities, significant influence in shaping the Internet’s architecture, and greater proximity to the Net’s users and infrastructure than either nation-states or AGOs, corporations could well be described as the 800-pound gorillas of Internet governance. As nation-states increasingly seek to enlist their cooperation in policing the Net, and the Net itself spreads to non-Western states (such as China) with different expectations regarding the responsibilities of corporate actors, the importance of corporations in Internet governance is likely to grow larger still. This likelihood raises a host of difficult questions for both corporations and the traditional governments that regulate them. Broadly speaking, corporations need to ask themselves what their obligations are to the public beyond their shareholders when they act as de facto private governments whose decisions affect the lives of millions and implicate core societal values (such as free speech and privacy). Traditional governments, in turn, need to ask themselves whether it makes sense to continue to regulate firms in the same way where they exercise quasi-governmental authority over a sphere as important to society as the Internet.

The latter question addresses itself in different ways to different branches of traditional governments. For legislatures and executives, the key question may be whether and how to devise incentives that align corporate interests with a more expansive public interest—for instance, by encouraging corporations to adopt open-source code, meaningful privacy protections, and intellectual property regimes that safeguard the traditional fair-use rights of users on the Net. For courts, the question may be whether and how to redraw the doctrinal line separating “public” from “private” action—or to put it another way, whether to broaden what lawyers call “state action” to include certain corporate conduct now considered private.24

Broadening the state action rubric would bring more conduct within the ambit of many statutory and constitutional constraints and thereby provide users greater protections from abuse. It might also, however, discourage innovation and dampen private investment.

Legislatures, executives, courts, and corporations are each likely to wrestle with the implications of new kinds of governance partnerships between nation-states and firms. Arrangements in which states enlist (and sometimes conscript) the powers of private actors to serve traditional governmental functions such as law enforcement are particularly laden with challenges and tradeoffs. In certain cases—for example, in combating cyberterrorism—efforts by states to seek the assistance of corporations in policing illicit conduct that confounds traditional law enforcement techniques may yield substantial public benefit. But such efforts are not without costs: They risk reducing the transparency of regulation if, for instance, governments use corporate intermediaries to engage in widespread surveillance of the population without resort to the political process that ordinarily casts light on this kind of activity. And in other cases, government attempts to deputize private actors may have no positive public benefit at all to counterbalance the costs—for instance, where authoritarian regimes demand that firms assist them in rooting out political dissidents or “undesirables.” Conference participants did not delve deeply into the difficulties raised by the emerging class of public-private partnerships in Internet governance. It seems safe to say, however, that corporations will need to commit themselves to uphold certain public values on a “nonnegotiable” basis if they are to resist coercion by governments to engage in improper activities. Delivering on such a commitment is unlikely to come naturally to institutions whose primary mission is enhancing shareholder value and who rely on tolerance from their governmental hosts. But because many corporations operate multinationally, they may face pressure from customers in democratic societies (e.g., boycotts and protests) if they fail to do so. And corporations themselves may be more willing to take stands of principle if they are convinced that the growth of the Internet depends, in the long run, on the maintenance of key values that made the medium so attractive to begin with.25


Traditional NGOs

Fortunately, corporations are not the only parties that can serve as a check on government actors. Long before the advent of the Internet, traditional non-governmental organizations contributed to society by performing a related cluster of oversight activities—reporting to the media and the public on corporate and governmental decisions, “translating” the implications of these decisions into terms that the public could more easily understand, and challenging them through relevant channels when they deviated from legal obligations, accepted norms, or the public’s interest. Several conference participants observed that in the Internet age—in which far-reaching political choices often are made outside the political arena and cast as “mere” technical decisions—these activities have become even more important. By serving as “transparency enforcers,” watchdogs, and whistleblowers, entities such as the Center for Democracy and Technology (CDT), the Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF), and other Net-focused NGOs occupy a critical niche in the Internet governance ecosystem.

Nor are Internet-focused NGOs limited to these oversight roles. In some instances, they can also act as intermediaries in governance arrangements, facilitating interactions between states, corporations, and users by assuming coordination, enforcement, and other functions. A case in point: TRUSTe, a nonprofit organization whose stated mission is to build users’ confidence on the Net and, in so doing, to accelerate growth in e-commerce. The keystone of TRUSTe’s approach is a branded online seal that the organization awards to websites if they adhere to certain minimum privacy principles and agree to comply with TRUSTe’s oversight and complaint resolution process. Visitors to participating websites may feel more confident transacting there once they see TRUSTe’s imprimatur. The organization promotes compliance with its policies by demanding that participating sites sign a contract with TRUSTe; participants also have an incentive to comply because of the reputational harms they would likely incur if they were to embroil themselves in a controversy with the organization. The privacy principles to which TRUSTe requires adherence evolve periodically and reflect some input from the U.S. and other governments. The current version of TRUSTe’s participant contract, for instance, ostensibly incorporates the principles set forth in the Children’s Online Privacy Protection Act.26

The TRUSTe model is not immune from criticism. Some may question whether it is realistic to assume, as TRUSTe does, that the interests of corporations and users in safeguarding individuals’ privacy in cyberspace are naturally aligned because both benefit from promoting greater “trust” on the Net. Others may argue that TRUSTe actually undermines the public good by giving users the false impression that participating websites have agreed to respect their privacy. (In fact, the current TRUSTe contract requires only that participants disclose to users what personal information they are gathering, how they will employ it, with whom they will share it, and whether users have an option to control its dissemination—protections that are procedural and do not actually forbid participating sites from collecting or sharing certain types of information.) Regardless of whether such criticisms have merit, however, TRUSTe provides an important demonstration of how NGOs can serve as alternatives to the state in facilitating Internet governance arrangements. At a minimum, this model points to the possibility of fruitful competition between state-mandated and NGO-enabled solutions to certain Net governance challenges.27

Users

Ideally, governance solutions for the Internet would reflect not only the complex interactions of states, AGOs, corporations, and NGOs but also the consent of the governed—that is, the Internet users whose lives are affected. But in practice, the growing significance of the Internet to everyday life and the accompanying intercession of public and private actors in Net governance have made it increasingly difficult for users to create meaningful spheres of self-governance or even to influence governance decisions that affect them. Early adopters of new Net-related applications and technologies, participants agreed, can still exercise real influence over governance decisions pertaining to an innovation because they collectively wield the threat of deserting before the innovation “takes off.” Paradoxically, once mass adoption has occurred, it may be harder for users to shape how an application or technology is regulated. This effect—an inverse relationship between the total number of users and their democratic power—gives early adopters the onus (or opportunity) of being the public’s representatives at decision-making tables.28 Early adopters, however, sometimes do not have the same concerns and values regarding technologies as later-stage adopters, and may not favor the same types of solutions to public policy challenges. Conference participants did not arrive at any conclusions on how to address these challenges, if at all. But in light of their consensus that users generally deserve a larger role in Internet governance arrangements, one upshot may be that building public accountability is an important goal at several stages of decision making regarding Net-related technologies—both in early stages, when critical architectural decisions are being made, and at later stages, when a greater number of “everyday” individuals have become stakeholders.

Coming Full Circle: Three Specific Governance Challenges

While many of the conference’s discussions focused on mapping the interactions between different actors in the Internet governance ecosystem, participants also discussed three specific governance challenges facing the Internet: extraterritoriality, user confidence issues, and, more briefly, namespace management. Participants chose to focus on these three areas based in part on their sense that each is important to the future of the Net. They also agreed, however, that other issues are of equal (and perhaps greater) importance. And they were acutely aware that each of the three areas has attracted a wealth of prior discussion and scholarship, including symposia, articles, and books. Accordingly, participants did not seek to arrive at even provisional “solutions” to these challenges. Instead they sought to air their thoughts, in a deliberative forum, on what the right questions are and on what dangers public policymakers need to avoid.

Extraterritoriality

Attempts by states to enforce their laws beyond their territorial borders are nothing new. Many governments, for instance, have long maintained a right to prosecute terrorists under domestic laws for crimes committed against their citizens abroad. Prior to the popularization of the Internet, states had developed an array of legal devices to resolve such extraterritorial assertions of power. Reciprocal extradition treaties bound states to deliver fugitives to one another under defined circumstances, for instance, and the doctrine of comity called on courts in competing jurisdictions to defer to one another’s authority to handle a case after weighing various factors.

The explosive growth of the Internet, however, threatens to compromise the effectiveness of these old legal devices and to make extraterritoriality a major conundrum. The reasons are familiar. The Net has made it vastly easier for content and conduct to traverse national borders and has exponentially increased the volume of cross-border transactions. A mouse click in the United States can generate a storm in China—and the number of clicks per day that transmit data across national borders numbers, conservatively, in the billions. What’s more, states can’t easily police these transactions: There are no customs inspection points for data on the information superhighway. Reacting to the new porousness of their borders, states increasingly seek to impose what were formerly local requirements on distant actors. This trend potentially subjects Internet users and service providers to the laws of hundreds of different jurisdictions whose rules may be in conflict. The conceptual difficulty of tracing a particular Internet transaction to a single “place” in the physical world renders extraterritorial assertions of authority more complicated still.

The challenges posed by the rise of extraterritoriality in the Internet age are exemplified by the well-known Yahoo! case. The case began when a group of French plaintiffs led by a French civil rights organization sued Yahoo! in French court for violating a domestic statute that forbids the public display in France of Nazi-related symbols. The groups sought to prevent Yahoo! from hosting auctions for Nazi memorabilia. A French court, applying the French statute, ordered Yahoo! to block access to the disputed auctions by Internet users in France even though the auctions were hosted on a U.S. server and accessed at the URL “http://www.yahoo.com.” (Notably, Yahoo! did not host the auctions on the servers of its French subsidiary, accessible at “http://fr.yahoo.com.”) After collecting expert testimony, the French court later clarified that it expected Yahoo! to reengineer its content servers in the United States and elsewhere to come into compliance with the order. Yahoo! then initiated its own lawsuit in U.S. federal district court seeking a declaratory judgment that the French court’s order violated the First Amendment to the U.S. Constitution and was therefore unenforceable in the United States. In November 2001, the U.S. district court sided with Yahoo!, ruling that the company could not be compelled to comply with the French order in the United States.29

While the Yahoo! case centers on freedom of expression, Internet traffic is raising similar jurisdictional conflicts in the areas of taxation, intellectual property rights, consumer protection, privacy, and criminal action (among others). Discussing the Yahoo! case as well as the jurisdictional conflicts arising in these other areas, conference participants expressed diverse views on the problem of extraterritoriality. On three points, however, a rough consensus emerged.

First, as touched on earlier, participants agreed that states are unlikely to resolve the normative and policy differences that underlie their jurisdictional conflicts. France and the United States, for instance, are unlikely to harmonize their differences on the appropriate boundaries of freedom of expression. Thus, it is probably unrealistic to expect the problem of extraterritoriality to be solved by a grand treaty that spells out permitted and forbidden conduct throughout cyberspace.

Second, most participants also agreed that states have strong claims to regulate conduct within their own territory. Thus, France’s claim to prohibit the display of Nazi memorabilia in France is strong; but by the very same principle, so is the United States’ claim to permit the display of such memorabilia in the U.S. In practice this “pluralism principle” suggests that the French court’s order is defensible insofar as it seeks to regulate behavior in France but that the American judicial decision declining to enforce the French order as it applies to Yahoo!’s U.S.-based servers is similarly defensible. Of course, if Yahoo! has assets in France, it may be vulnerable to edicts of the French judiciary despite the American court’s refusal to enforce the French order.

Finally, most participants agreed that states’ claims to regulate conduct outside their territory—even conduct that affects their interests—are weaker. Participants voiced divergent views on whether extraterritorial assertions of power aimed at foreign-based Internet users and service providers are justifiable under any circumstances. Some answered “yes,” particularly where a state’s “vital interests” are implicated—for instance, in protecting its citizens from physical harm, ensuring the integrity of its electoral processes, or perhaps even safeguarding the functionality of the Internet itself. Other participants answered with a categorical “no.” These differences of opinion, however, highlighted a general consensus that states are on far weaker footing when they seek to impose their normative and policy choices beyond their borders.

Confidence Issues

Extraterritoriality represents an age-old problem that the Internet has made more complicated. In contrast, confidence issues—the cluster of issues centering on how to promote privacy, security, and trust on the Net—present problems as novel as cyberspace itself. Two brief comparisons illustrate the gap between our confidence in the “physical” world as opposed to the “virtual.” First, compare letters and e-mail. When one sends a postal letter, one can be reasonably certain that no one will open and read the contents while it is in transit. Similarly, one can safely assume that the letter is unlikely to be disseminated further once it has reached its intended destination. Neither assumption is valid with respect to e-mail. Second, compare information distributed through traditional media (such as television) with information available on the Net. Polls suggest that approximately 70 percent of Americans consider the former to be trustworthy, whereas a similar proportion of the population deems the latter to be untrustworthy.30

These comparisons suggest that we have a ways to go before individuals conduct their business in cyberspace with the same degree of confidence that they do in the physical world. Time will surely help narrow the gap; after all, the Internet is still relatively young as a mass medium for commerce and information. Yet closing the gap entirely, many participants agreed, will not be easy—in part because of the tradeoff on the Net between privacy and what might be called “transactionability.” Privacy is available to users on the Net in a continuum, ranging from pure anonymity (no one knows any facts about you at all) to pseudonymity (others know selected facts about you but not your identity) to full identity (others know all the relevant facts about you that are true). Often, Net users prefer more privacy to less, and in many contexts they would just as soon remain anonymous to others in cyberspace if that option were available. The problem is that anonymity prevents the development of reputation—an essential component in a significant number of transactions. Consider, for instance, a deal for the purchase of valuable assets over the Internet between parties who had not previously transacted with one another. Unless an intermediary were available to supply the missing trust (e.g., by vouching for the reputation of the parties or insuring the deal), the anonymity of either buyer or seller would likely preclude the transaction. As P2P applications proliferate and the number of direct, unmediated transactions between individuals increases, reputation is likely to become even more important. The foregoing discussion, then, suggests that privacy and reputation systems in cyberspace must develop hand-in-hand if users are to enjoy greater confidence transacting on the Net. Striking the proper balance between the two will be difficult, but a balance must be struck lest users limit their interactions on the Net for want of either.

While conference participants agreed on the need to balance privacy and reputation, they diverged on the proper role of traditional governments in promoting privacy in cyberspace and on “how much” privacy is enough. In one camp were participants who advocated a market approach to privacy. This approach would involve minimal government regulation; instead, it would rely on “self-governance” measures designed to facilitate user choices on privacy matters. Adherents of the market approach maintained that “privacy” is a murky concept on which there is little agreement among individuals, that significant government regulation in this sphere would create a regulatory morass without yielding satisfactory privacy protection, and that self-governance solutions (such as TRUSTe or P3P) are superior because they allow users to decide for themselves whether a given website’s policies accord with their privacy preferences. In another camp were participants who advocated government intervention to safeguard individuals’ privacy on the Internet. These participants argued that most people desire a substantial basic level of privacy protection that a market-based approach would not afford—in particular, a requirement that a website notify them of its privacy practices and obtain their informed consent before collecting and sharing information about them. A basic level of privacy protection would also, these participants maintained, have broader benefits for society irrespective of its popular support; for example, it would likely make Internet users more comfortable experimenting with new forms of interaction on the Net.

The divergent views that emerged in the conference discussions are representative of a debate over Internet privacy that has been unfolding in legal, political, and technological circles in the United States for some time. While some disagreements between the two camps in this debate may be irreconcilable, those camps have not yet confronted the challenge of working out a mutually agreeable solution through the crucible of the federal legislative process. Both camps may need to reassess their long-held views given the events of September 11, 2001, and the greater emphasis on security issues that has ensued. This debate, it appears, is far from over.

Namespace Management

The past five years have witnessed dramatic changes in Internet namespaces. Previously, the single namespace that facilitated interaction on the Net (the domain name system) was a commons “owned” by no one. Today, privately owned namespaces—such as ICQ, AIM, and Napster—collectively include far more addresses than does the DNS. These new namespaces differ not just in ownership but also in architecture. Increasingly, the addresses they contain refer to people, not to machines, making them “portable” in a way that IP addresses are not. Such address portability frees users to make connections with one another directly, through P2P applications, and to abandon their reliance on centralized servers—servers which are much more amenable to control by governments or private actors.

These changes, participants agreed, introduce a host of governance challenges with which society is only beginning to wrestle. Should the public feel comfortable with corporate ownership of giant namespaces composed principally of the names of millions of users and information about when those users go online? Should these private namespaces be regulated to prevent conduct by owners that arguably harms consumer welfare—such as refusal to interconnect with similar namespaces or detailed monitoring of users’ behavior on the Net? Or is the ability of Internet users to “vote with their mice” a sufficient check on these harms? To frame the problem slightly differently, what are the responsibilities of namespace owners to users and other service providers? To governments that seek their cooperation in regulating the “wild frontier” of P2P connectivity? To the future growth and success of the Internet? Although participants did not hazard answers, they agreed that these questions will grow in importance and merit a prominent place on the Internet governance agenda.

Conclusion

This report began with the uncontroversial observation that the days of the borderless Internet are gone. What will take its place? The future is already rapidly emerging through the choices of the Net’s stakeholders. It would be hubris to hope that a conference could map out that future. Our conference had a different aim: to contribute an imperfect map of dangers and opportunities. The Net’s stakeholders—users, firms, states, AGOs, NGOs—each have their own destinations in mind. Many are deeply engaged in efforts to steer the Net toward their preferred future. Working together with a shared map of the pitfalls and promises along the journey, they may be able to chart a path that is safer and more rewarding for all. Hopefully, and at the very least, a shared map will encourage broader dialogue among these diverse stakeholders, and between them and the public that will inhabit the Internet to come.


Notes

1. A “namespace” is an online database whose records contain addresses of some kind. Namespaces have different characteristics: The addresses they contain, for instance, can point to open-ended resources (as in a “keyword” system that allows users to search for whatever they wish) or to particular types of resources (as in a namespace of book or music titles). Examples of namespaces include the domain name system, keyword systems (such as those of AOL or RealNames), and instant messaging systems (such as AIM or ICQ). Thanks to Keith Teare of RealNames for providing a basic explanation of the concept.

2. See, e.g., Patrick Butler et al., “A Revolution in Interaction,” McKinsey Quarterly, no. 1 (1997), 9–14.

3. See William J. Mitchell, City of Bits: Place, Space, and the Infobahn (1995); Mitch Kapor, quoted at http://cyber.law.harvard.edu/people/reagle/inet-quotations-19990709.html (last accessed January 31, 2002); Larry Lessig, Code: and Other Laws of Cyberspace (1999).

4. U.S. Constitution, art. vi, §2: “This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.”

5. Colloquially speaking, the end-to-end principle posits that networks should be designed to place control over key features in applications residing at the “edges” (or “ends”) of the network rather than in the network itself. This principle empowers users at the expense of those who would make choices on users’ behalf and build these choices into the network. For more detailed expositions of the end-to-end principle, see David P. Reed, The End of the End-to-End Argument (2000), available at http://www.reed.com/dprframeweb/dprframe.asp?section=paper&fn=endofendtoend.html (last accessed January 2, 2002), and Jerome H. Saltzer, David P. Reed, and David Clark, End-to-End Arguments in System Design (1984), available at http://www.reed.com/Papers/EndtoEnd.html (last accessed January 31, 2002).

6. See Jeff Quan, “Case Study: Regulating Online Gambling,” Cnet News, July 11, 1997, available at http://news.cnet.com/news/0,10000,0-1005-201-320416-0,00.html (last accessed Dec. 23, 2001).

7. See Wendy M. Grossman, “Surveillance by Design,” Scientific American, September 2001, available at http://www.sciam.com/2001/0901issue/0901scicit5.html (last accessed January 31, 2002).

8. One risk of regulation through private terms-of-service agreements is that such regulation would likely offer little protection against arbitrary or discriminatory conduct by the firm. If subject to the judicial scrutiny applied to state action, this type of regulation might well be struck down. That standard of scrutiny is probably not appropriate under the current scope of the state action doctrine, but it does suggest some of the problems of devolving regulation ordinarily entrusted to the state into private hands.

9. The example discussed in this paragraph is Lessig’s. See Lessig, Code, 136.

10. The papers presented at the Stanford Program in Law, Science, and Technology’s December 2000 conference on “The Policy Implications of End-to-End” provide a good introduction to this debate. These papers are available at http://lawschool.stanford.edu/e2e/papers.html (last accessed January 2, 2002).

11. The citations to Rotenberg’s work in this paragraph refer to Marc Rotenberg, “Fair Information Practices and the Architecture of Privacy,” 2001 Stanford Technology Law Review (2001), 1.

12. In Olmstead v. United States, 277 U.S. 438 (1928), the Supreme Court upheld the constitutionality of a telephone wiretap installed without a warrant, reasoning that the Fourth Amendment’s protection against unreasonable searches and seizures does not extend to telephone conversations. In dissent, Justice Brandeis maintained that the amendment should be interpreted to protect people against all unjustifiable government intrusions on their privacy, including intrusions on their uses of new technologies—such as the telephone—that did not exist when the amendment was adopted. In Katz v. United States, 389 U.S. 347 (1967), the Court embraced the core of Brandeis’ view, ruling that the Fourth Amendment protects persons against all unreasonable searches and seizures, including those of a phone conversation. The Privacy Act of 1974 (as amended), codified at 5 U.S.C. 552A, created broad limitations on the collection, use, and dissemination of personal information held by government agencies. The key principles underlying the Act were first articulated in a 1973 report of the Department of Health, Education and Welfare’s Advisory Committee on Automated Personal Data Systems. The Advisory Committee’s proposed “Code of Fair Information Practices” formed the basis for the Privacy Act and much subsequent privacy legislation. This original Code is excerpted at http://www.epic.org/privacy/consumer/code_fair_info.html (last accessed January 31, 2002).

13. For a detailed elaboration of these features of the American Constitution, see Akhil Reed Amar, “Of Sovereignty and Federalism,” 96 Yale Law Journal (1987), 1425. Of course, separation of powers and co-existent sovereigns—though arguably American inventions—are no longer exclusive characteristics of the American system of government. In many other settings, such as the European Union, decisions are made at supra-national, national, and local levels, imparting similar benefits.

14. William J. Clinton and Albert Gore, A Framework for Global Electronic Commerce (1997), available at http://www.iitf.nist.gov/eleccomm/ecomm.htm (last accessed January 31, 2002).

15. John Perry Barlow, A Declaration of the Independence of Cyberspace (1996), available at http://www.eff.org/~barlow/Declaration-Final.html (last accessed December 20, 2001).

16. David R. Johnson and David G. Post, “Law and Border: The Rise of Law in Cyberspace,” Stanford Law Review 48 (1996): 1367, available at http://www.temple.edu/lawschool/dpost/Borders.html (last accessed January 31, 2002).

17. Because it is unlikely that states can overcome these handicaps, one response may be to heighten the awareness of codewriters and hardware engineers regarding the policy implications of their work. This goal might be accomplished through a “reverse Office of Technology Assessment”—an organization that would identify the policy choices that are available to be implemented in software and hardware.

18. See, e.g., Larry Lessig, “Innovation, Regulation, and the Internet,” American Prospect 11, no. 10 (March 27–April 20, 2000), available at http://www.prospect.org/print/V11/10/lessig-l.html (last accessed January 31, 2002).

19. The working group’s assessment is quoted in Rotenberg, “Fair Information Practices,” paragraph 78.


20. Richard C. Longworth, “Government Without Democracy,” American Prospect 12, no. 12 (July 2–16, 2001), available at http://www.prospect.org/print/V12/12/longworth-r.html (last accessed January 31, 2002).

21. Lack of accountability to the public is not the sole reason that many AGOs face a legitimacy gap. As several conference participants pointed out, longevity (i.e., the amount of time an institution has existed) is another important driver of legitimacy, and AGOs participating in Internet governance obviously have not accrued the longevity of traditional governments and even some corporations and NGOs. But this facet of their legitimacy gap will narrow with time, if they can overcome other problems (e.g., their lack of public accountability) and survive in the Internet governance ecosystem.

22. The DNS is the method by which Internet addresses in mnemonic form such as “www.yahoo.com” are converted into numeric IP addresses on which the Net’s routing architecture relies.

23. A recent decision of the U.S. Court of Appeals for the First Circuit held that under the U.S. Anticybersquatting Consumer Protection Act, persons ordered to give up their domain names in rulings arising from ICANN’s Uniform Domain-Name Dispute Resolution Policy can challenge those rulings and seek to retain title to their domain names by suing in U.S. courts. See Sallen v. Corinthians Licenciamentos LDTA, Case. No. 01-1197 (1st Cir. 2001), available at http://www.ca1.uscourts.gov/cgi-bin/getopn.pl?OPINION=01-1197.01A (last accessed January 3, 2002); Gwendolyn Mariano, “Court: U.S. Law Trumps Domain Decisions,” CNet News, Dec. 7, 2001, available at http://news.cnet.com/news/0-1005-200-8105325.html?tag=lh (last accessed January 31, 2002). It is too early to tell whether this decision presages a trend, but at present American law does not provide a generally applicable mechanism for judicial review of rulings by AGOs.

24. Here—as in many other parts of the Internet governance puzzle—the pathbreaking scholarship is Larry Lessig’s. See Lessig, Code, 217–18 (suggesting that the proper scope of the “state action” doctrine in the Internet context is ambiguous and that one could mount a plausible argument that the Constitution’s strictures should apply to Internet design decisions).

25. What those key values are, of course, is open to debate. At minimum, they would seem to encompass the values essential to the preservation of the central characteristics of the Internet. These characteristics include the ability to communicate with any other willing user online; to access any content made available to the public; and to choose content, services, and features on the Net free from intrusive constraints built into the network itself.

26. See The TRUSTe Story: Building Trust Online—TRUSTe, Privacy, and Self-Governance (2000), note 8; available at http://www.truste.org/about/oprah.doc (last accessed January 31, 2002).

27. The TRUSTe model also illustrates the tacit yet important relationship between NGO-enabled solutions and private governance arrangements. Private governance arrangements for the Net are on the rise at least in part because firms, working with and through organizations such as TRUSTe (as well as through associations such as the Global Business Dialogue for Electronic Commerce), have found receptive ears for their arguments in favor of self-regulation.

28. The inverse relationship also suggests a difficulty that corporations face in assessing the policy implications of the “code” they write: The feedback they receive typically reflects the perspective of technologically sophisticated users, not the broader public.


29. See Yahoo!, Inc. v. La Ligue Contre Le Racisme Et Le Antisemitisme, Order Granting Motion for Summary Judgment, Case No. C-00-21275 JF (N.D. Cal. 2001), available at http://www.cand.uscourts.gov/cand/tentrule.nsf/4f9d4c4a03b0cf70882567980073b2e4/daaf80f58b9fb3e188256b060081288f/$FILE/yahoo%20sj%20%5Bconst%5D.PDF (last accessed January 3, 2002).

30. On the public’s trust of information disseminated through traditional news media such as television, see, for example, Gallup Poll, July 13–14, 1998 (finding that 73 percent of Americans believe they “can trust” information provided on their local television news), available at http://www.pollingreport.com/media.htm# Accuracy of News Reports (last accessed January 31, 2002). On the public’s distrust of information available on the Internet, see, for example, Markle Foundation, Toward a Framework for Internet Accountability ii (2001) (finding that 70 percent of respondents agree with the proposition that “you have to question the truthfulness of most things you read on the Internet,” as opposed to the proposition that “you can trust most things you read on the Internet”).

APPENDIX

The Aspen Institute Internet Policy Project

Rethinking Boundaries in Cyberspace

List of Conference Participants

Aspen, Colorado
July 22-25, 2001

Note: Titles and affiliations are as of the date of the conference.

Izumi Aizu
Principal
Asia Network Research, Inc.
JAPAN

Zoë Baird
President
The Markle Foundation

Yochai Benkler
Professor of Law
School of Law
New York University

Ramsen V. Betfarhad
Counsel
House Energy and Commerce Committee
United States House of Representatives

Vint Cerf
Senior Vice President
Internet Architecture and Technology
WorldCom

Kilnam Chon
Professor
Computer Science Department
Korea Advanced Institute of Science and Technology
REPUBLIC OF KOREA

Adam Ciongoli
Counselor to the Attorney General
United States Department of Justice

Roger Cochetti
Senior Vice President for Policy
VeriSign

Esther Dyson
Chief Executive Officer
EDventure Holdings, Inc.

Charles M. Firestone
Executive Director
Communications and Society Program
The Aspen Institute

Link Hoewing
Assistant Vice President
Internet and Technology Issues
Verizon

David R. Johnson
Partner
Wilmer, Cutler, & Pickering

Erez Kalir
Rapporteur

Stephanie Keller-Bottom
Director
Innovent
Nokia

Tara Lemmey
Founder and Chief Executive Officer
LENS Ventures
and
Founder and Chairman
Psoom, Inc.

Mark MacCarthy
Senior Vice President
Public Policy
VISA U.S.A., Inc.

Ira Magaziner
President
SJS, Incorporated

Elliot Maxwell
Senior Fellow
Communications and Society Program
and
Director
Internet Policy Project
The Aspen Institute

Lori McLean
Vice President
Events and EBC Centers
Nortel Networks

David Nassef
Vice President
Federal Relations
Pitney Bowes, Inc.

T. Michael Nevens
Managing Director
High Tech Practice
McKinsey & Company, Inc.

Niels Christian Nielsen
President and CEO
Catenas, Ltd.
UNITED KINGDOM

Clay Shirky
Writer and Consultant

James B. Steinberg
Vice President and Director
Foreign Policy Studies
The Brookings Institution

Keith Teare
CEO and Founder
RealNames Corporation

Paul Verhoef
Acting Head of Unit
International Aspects
DG Information Society
European Commission

William Whyman
President
The Precursor Group

Staff:

Lisa Dauernheim
Program Coordinator
Communications and Society Program
The Aspen Institute

Amanda Mills
Research Assistant
Communications and Society Program
The Aspen Institute

About the Authors

Erez Kalir is a management consultant, and was special assistant to the General Counsel at the Federal Communications Commission in 2001. He helped advise the FCC’s General Counsel and commissioners on the law and policy of open access, spectrum management, merger reviews, and implementation of the 1996 Telecommunications Act (among other matters). Kalir is a graduate of Stanford University, Oxford University where he studied as a Rhodes Scholar, and Yale Law School where he served as a senior member of the Law Journal.

Elliot E. Maxwell is an information and communications technology consultant focusing on the Internet and electronic commerce. He was senior fellow for the digital economy and director of the Internet Policy Project for the Aspen Institute’s Communications and Society Program in 2001. Prior to joining the Institute, Maxwell was special advisor to the Secretary of Commerce for the digital economy. In that position he served as principal advisor to the Secretary on the Internet and electronic commerce. He coordinated the Commerce Department’s efforts to establish a legal framework for electronic commerce, ensure privacy, protect intellectual property, increase Internet security, encourage broadband deployment, expand Internet participation, and analyze the impact of electronic commerce on all aspects of business and the economy. He was a member of the U.S. Government Interagency Working Group on Electronic Commerce from its creation until January, 2001.

Previously, Maxwell worked for almost ten years as assistant vice president for corporate strategy of Pacific Telesis Group, where he combined business, technology, and public policy planning. He served at the Federal Communications Commission as special assistant to the chairman, deputy chief of the Office of Plans and Policy, and deputy chief of the Office of Science and Technology, and he was director of international technology policy at the Department of Commerce. Maxwell also worked as senior counsel to the U.S. Senate Select Committee on Intelligence Activities.

Maxwell graduated from Brown University and Yale University Law School. He has written and spoken widely on issues involving electronic commerce, telecommunications, and technology policy.


The Aspen Institute Communications and Society Program

www.aspeninstitute.org/c&s

The Communications and Society Program is a global forum for leveraging the power of leaders and experts from business, government and the nonprofit sector in the communications and information fields for the benefit of society. Its roundtable forums and other projects aim to improve democratic societies and diverse organizations through innovative, multidisciplinary, values-based policymaking. They promote constructive inquiry and dialogue and the development and dissemination of new models and options for informed and wise policy decisions.

In particular, the Program provides an active venue for global leaders and experts from a variety of disciplines and backgrounds to exchange and gain new knowledge and insights on the societal impact of advances in digital technology and network communications. The Program also creates a multidisciplinary space in the communications policymaking world where veteran and emerging decision makers can explore new concepts, find personal growth and insight, and develop new networks for the betterment of the policymaking process and society.

The Program’s projects fall into one or more of three categories: communications and media policy, communications technology and the democratic process, and information technology and social change. Ongoing activities of the Communications and Society Program include annual roundtables on journalism and society, international journalism, telecommunications policy, Internet policy, information technology, and diversity and the media. The Program also convenes the Aspen Institute Forum on Communications and Society, in which CEOs of business, government, and the nonprofit sector examine issues relating to the new technologies and lifelong learning.

Conference reports and other materials are distributed to key policymakers and opinion leaders within the United States and around the world. They are also available to the public at large through the World Wide Web.
