Kudzu or Golden Goose? Will Governance Strangle the Internet?

Amy FRIEDLANDER <amy.e.friedlander@saic.com>
Jeffrey R. COOPER <jeffrey.cooper@saic.com>
Science Applications International Corporation


Is the Internet the economic Golden Goose of our times? Or is it a rambling, out-of-control vine that threatens to overwhelm us all?[1] This paper addresses the implications of e-business, e-commerce, and technological convergence for governance of the Internet within the rapidly evolving international information environment. We argue that the Net is neither plant nor animal but an opportunity that possesses the kernel of its own international salvation.


1. What are the issues and are they new?

What started in the 1960s as an experimental project by a U.S. defense research agency to develop robust, reliable communications for operational military forces under potentially severe conditions of nuclear warfare is fast becoming an essential global information utility. We're talking, of course, about the Internet. This recent saliency of a new system with strange technical governance provisions is likely to have significant implications for the global and national regulatory regimes that control international communications. On the one hand, technological innovation and crucial technical decisions for the Internet have historically "bubbled up" from the community of developers in universities, and not-for-profit, government, and corporate research laboratories. On the other hand, other global communications utilities have traditionally been subject to both national and international regulation.

Historically, regulatory regimes in the United States have intentionally been somewhat anomalous with respect to the leading role of the private sector; most other states either owned or more tightly controlled their domestic telephony and broadcasting sectors. From the 1930s until comparatively recently, regulatory authority at the U.S. federal and state levels was neatly aligned according to technology and content: Telephony had its set of rules; broadcast radio and television, its set; and electrical power, an important source of business and regulatory precedent, its set. But in the 1990s, the United States found itself at the confluence of two trends: (1) The deregulation of highly regulated utilities. (2) The advent of new communications technologies.

These new technologies had two interesting characteristics. First, they conflated earlier distinctions between two notions of "communications" -- one that meant the engineering of signals and signals processing, and the other that meant "information," as in the press, print, broadcasting, and film. Second, they reduced the distinctions between traditionally regulated voice and unregulated data communications.

Communications policy in the United States has been characterized by a balance between public and private interests, with a hybrid governance regime -- a legacy that muddies the precedent nationally, not to mention internationally, for how the Internet will be treated. Until recently, long distance telephony in the United States operated as a single private monopoly under federal regulation, but local telephony was regulated by the individual states where there were multiple companies. All telephone companies were considered to be common carriers required to carry all traffic on a nondiscriminatory basis as long as their terms and conditions were met.

Ownership of the electromagnetic spectrum, however, was considered to belong to the nation, and spectrum allocation was a public matter based on a number of criteria, including "public interest." Radio and television broadcasting, that is "content," remained in private hands, and the broadcasting companies were not common carriers, required to transmit others' content. Although companies obtained regulated franchises for use of the scarce spectrum, content regulation was done with a relatively light hand by contrast with international norms, in consideration of American First Amendment sensitivities. A recent decision by the ninth circuit to recognize publication to a Web site of an encryption algorithm as "protected speech," despite the outcry in certain national security and intelligence quarters, is both the tip of the iceberg as well as a harbinger of how boundaries have fused.[2]

It is important to recognize that governance arrangements cannot be completely divorced from technical ones; both affect the environment in which private interests can engage in commercial activities. The underlying Internet architecture and the extraordinarily dynamic character of its growth tend to argue against completely defined and hierarchical arrangements. The rapid advance of optical technologies and the explosion in bandwidth capabilities of fiber optics is renewing the primary role of long-line cables and reversing the trend started in the late 1960s in which satellites became the dominant transmission medium for international telecommunications. Similarly, what now looks to be a poor technical decision by the Federal Communications Commissions (FCC) on American digital television standards could have immense impacts on the future development not only of television, but on both mobile and stationary wireless provision of advanced Internet services, everything from TVs, to PDAs, to cellular telephones. Construction of global fiber optic data networks, to take another example, is essentially unregulated, whereas satellite systems come under both stringent national and international controls.

The import of technical considerations on governance should be obvious. A serious concern is that technological and economic standards and processes that arise from negotiations under formal, and usually protracted, governance procedures could distort or inhibit the potential of the technology and, worse yet, the potential for innovation in the infrastructure and in the applications that reside on it. For example, in the United States, data services, such as Internet service providers (ISPs) and even America Online (AOL), operate under different regulatory rules that allow them to avoid paying local telephone access charges from their traditionally regulated competitors (such as "long distance" telephone companies) despite rapidly converging technological regimes. Similarly, the United States does not treat ISPs as common carriers. We are also beginning to see this phenomenon in the issue of naming, where a technical attribute -- the domain name -- has begun to take on cultural import as it is associated with trademark, copyright, and other concerns arising from intellectual property regimes and human behavior.[3]

We can postulate a continuum of governance forms from total democracy -- the Internet Engineering Task Force (IETF) at its liveliest -- to total state control, with a state-supported, state-controlled system in which state-to-state relationships are defined by a series of multilateral agreements and treaties, not unlike the current International Telecommunications Union (ITU) arrangements. The goal should be to devise an appropriate balance, recognizing that infrastructure issues should be separated from application and content issues and that different traditions, paradigms, and regimes may be invoked for different components. As more and more hitherto independent technologies -- from electrical power generation and distribution to entertainment -- converge on what may be loosely considered "the Internet," we find ourselves having to come to terms with multiple and divergent traditions of use, management, and oversight at home and abroad.

This convergence of technologies is made all the more complex by technological developments that appear to make bandwidth essentially infinite -- and cheap -- so that equitable allocation of scarce resources, a traditional rationale for public regulation, may become technologically moot. We note, though, that conceptually infinite bandwidth remains just that: conceptual, in the absence of an infrastructure that is broadly accessible. By the mid-1990s, some 95 percent of the U.S. population was just a local phone call from Internet access -- that is, by relatively slow dial-up access.[4] Whether the same dynamics that enabled the first wave of connectivity to embrace most of the nation will rework themselves to disseminate broadband is an open question, and one that lends itself fairly easily to possible intervention in the form of mandates and incentives should the market prove insufficient. Nonetheless, there is a cautionary statement: Merely because capacity is conceptually limitless, actuality, those "pesky" implementation details, may require more pragmatic consideration. It is an example of how managing the information infrastructure may differ from managing the uses to which that infrastructure may be put.

Regulation, while it may initially arise from issues of scarcity, also reflects contemporary values, the balance of societal equities, and concepts of distributive justice. Satellite transmission of imagery for a global entertainment audience may have to meet different national standards, based on the religious affiliation of the receiving station. Similarly, governance issues for e-commerce and e-business might well be settled under a regime or set of regimes that differs from ones that are appropriate for resolving issues related to technological standards. The point is that the regulation of satellite imagery may arise from what is being transmitted and not from the platform transmitting it. A nuanced and layered framework, we argue, is more appropriate to the heterogeneous environments and applications that the technologies support and may potentially support than a single, integrated entity.

2. A minimal framework

That said, we would also maintain that, at this point, the crucial need is for a broadly acceptable governance framework and a set of guiding principles within which issues may be resolved to the general satisfaction of affected parties. While giving all interested parties the opportunity to participate in governance of the system would be the best outcome, the acceleration of new technologies such as fiber optics, the expansion of Internet connectivity via terrestrial, wireless, and satellite services, the rapid rise of e-business and e-commerce, and the asymmetric global development of "New Economies" suggest that there is a new and shifting balance of power among the interested parties, within and among nations, that must be recognized in reaching decisions on governance forms. In this case, a minimal acceptable framework that can accommodate change is preferable to protracted discussions that themselves become an impediment.

So, what assumptions govern the formulation of this minimal framework? Beyond the issues of realignment and redistribution, governance of a successful information culture must address four other sources of tension that arise from particular competing equities[5]:

  1. Enhanced efficiency and effectiveness come at the price of a system that may only be dynamically stable.
  2. "Reciprocal dependency" inevitably characterizes a society that is fully interconnected and thus vulnerable to the mistakes or malice of any of its participants.
  3. Interoperable systems and databases offer unprecedented access to information. But the ability to access information remotely also offers a veil of anonymity to knowledgeable users with malevolent intent. Thus, there is a network paradox. On the one hand, the value of a network increases with the number of nodes, and there is an inherent value in increasing the scale and scope of the interconnected information flows. However, precisely because of the scale and scope, any member of the system becomes individually more vulnerable, and the perception of personal risk increases as more sensitive information is digitized and transmitted via interconnected networks.
  4. Benefits that come from a continuing flow of innovations must be balanced against the innovators' degree of responsibility or liability for their products. Recent attempts to amend the Uniform Commercial Code in the United States have been met with dismay by some communities in the software industry, and there is no small concern that practices, such as reverse engineering, which are traditional to the research enterprise, will end up having been criminalized.[6]

The scope of these challenges demands an integrated approach to addressing a transformed environment. To adapt successfully, we must create an entire culture appropriate to living with a technology that has the potential to threaten both individuals and societies. Finding agreement on some common ground among the many interested parties appears to be an important first step. Crucial are government actions to foster trust on which a cooperative regime can be built.

The world has seen this before. The 19th century saw the increased importance of intermediary institutions: Banks, equity markets, and "trusted transactions"[7] (such as checking, promissory notes, and letters of credit) facilitated flows of goods and services (including transfers of capital) that demanded trust among anonymous people dispersed across continents. New structures supported projects of hitherto unheard of scale. Thus, canal building in the 1820s led directly to organization of the early stock exchanges; the New York Exchange, in particular, expanded significantly to support the railroad boom of the 1850s. Private arrangements that had characterized ventures in the age of sail were simply not large or robust enough to raise capital for the age of iron and steel.[8] Political structures and power balances also changed to reflect new circumstances of wealth and influence, the result of redistributed power and social realignment. Examples from the history of banking and finance -- probably the first U.S. information infrastructure -- abound, beginning with the New York Clearing House, a self-policing entity created by the banks themselves to stabilize a volatile industry, and culminating in New Deal banking reforms, which have only recently been dismantled. [9]

Any assessment of the role of government and the extent of its legitimate functions, including how it exercised its powers, cannot ignore these types of changes. Three that are critical are

  1. from information scarcity to abundance,
  2. from top-down control towards coordination mechanisms, and
  3. from restricted, hierarchical one-way communications towards many-to-many networks -- all of which have profound political (as well as economic and social) effects.

Thus, a key element in developing a national information policy and strategy suitable to living in the Information Age is to realign responsibility, authority, and capability consistent with the current transformation. Responsibility is defined here to mean the inherent obligation to address the problem. Authority is defined as the legitimated power to address the specified problem; it is granted through explicit delegation by the people (or, in some systems, seizure by coup de main), and it may possessed by several holders concurrently. Finally, Capability is the physical potential or expert competence to address the problem. If an acceptable solution is to be found, agreement on these issues must, however, be achieved within the bounds of the social compacts that bind nations together.[10]

How this is accomplished -- that is, the choices of where to vest these powers and which instruments to use -- must be consistent with a nation's political beliefs, economic system, and social fabric. Many societies might choose to place all these powers in the hands of the national government. The tradition in the United States has been to diffuse authority among levels of government (federal, state, and local) and, indeed, to retain many powers in the hands of the people themselves. Whatever the frictional losses, Americans prefer foregoing the arguable advantages of centralized decision-making, believing that there is less risk in minimizing the powers granted to government.[11] Alternatively, the public often prefers to disperse authority among many government hands, introducing additional complexity.

Therefore, from a U.S. perspective, solutions to these critical choices appear in learning how to induce, not order, appropriate actions by all the relevant players, most significantly individuals and private organizations. Civil society must be prompted to accept responsibility, perhaps through liability and contract enforcement, and employ its capabilities to protect its equities, not rely on government to protect vital information services.[12]

To the extent that private entities address these important needs, the less excuse there will be for intrusive government intervention. Indeed, to a large extent, the capabilities, along with the necessary authorities, to protect information and information systems, even those performing vital societal and national security functions (except for those clearly owned and operated by governments), already lie in the hands of private owners and operators. However, these perspectives on distributed power and more voluntary coordination are not fully shared around the globe, witness debates over privacy and "safe harbor." Therefore, it is to be expected that these different perspectives will give rise to significant tensions as international agreements to reduce information vulnerability and enhance information security are sought.

Based on the example of international spectrum allocation in the early twentieth century, it is likely that consensus can be reached on topics of shared concern. In the case of radio communications in the days before commercial broadcasting, consensus on how to measure the asset, i.e., the electromagnetic spectrum; on who the relevant players should be, i.e., representatives of nations; and on core values, i.e., safety at sea and the primacy of national cum military interests, enabled interested parties to draft treaties that were eventually ratified, albeit in the wake of the Titanic disaster.[13] Working out similar arrangements for our own revolution will likely take time; adaptation to revolution is, by necessity, a long-term process. How we choose to realign and balance these three critical powers tells us much about our view of the social contract.

3. The role of government: threats and negotiations

For a variety of reasons (including a pervasive distrust of many government agencies), there is now substantially less inclination in the United States to grant the government formal protective authority over the parts of the national information infrastructure that lie outside of government's direct control. Moreover, even if government today had the authority, it lacks the capability (the ownership or management of the physical systems) to address most threats that could arise through information systems -- assuming that there is consensus on what constitutes a "threat." We have glimpsed a world in which pranks can take on gravity well beyond their intent, mischievous though that may have been, and threats can no longer be deterred through various perimeter controls, cyber or physical. Additionally, deregulation of the telecommunications sector removed many of the authorities that government previously possessed, and the resulting decentralized industry structure has made it significantly more difficult for government to harness the technical capabilities that do exist by exhortation or calls to industry leadership. These are not the "good old days when government could call upon Ma Bell" to fix information infrastructure problems affecting national security and expect quiescent federal and state regulatory bodies to pass those costs on to the consumers.

Ultimately, the government's paramount responsibilities are (1) to provide "rules of the road" that foster respect for appropriate behaviors and establish behavioral norms; (2) to allow other parties, including other states, to accept their appropriate responsibility and exercise their capabilities; and (3) to commit to vigorous prosecution when criminal information incidents occur. Over the past several years, legislative actions to define criminal activities with respect to information systems, coupled with increasingly effective and publicized prosecutions for violations of those rules, have begun to establish socially acceptable guidelines for behavior.

These actions by governments are crucial to building trust, which is the essential element of a cooperative regime. Therefore, they underpin the overall framework for participatory governance by the entire information community. It is clear that government will not be able to execute its responsibilities for information age without nongovernment entities and private individuals playing a major role in securing the information infrastructure. Indeed, given the disarray among the three critical powers of responsibility, authority, and capability, private users, whether as individuals or organizations, may have the best opportunity to align them in dealing with information problems throughout the entire spectrum of potential incidents. Private entities may be able to accomplish prevention and remediation of many impacts within the context of an "information community" most efficiently and at least cost. Self-regulation by industry in the domain of privacy is a case in point.

In the developed world, individuals, organizations, or governments will not be able to choose to remain apart from the interconnected network of systems and relationships if they wish to function as part of society. An overriding feature of this new environment, therefore, is "reciprocal dependency" -- denoting sharing not only in the mutual benefits but also becoming both reliant on the information Web in which we are all enmeshed and vulnerable to the actions and behaviors of others, whether intended or unintended. While this feature of reciprocal dependency may not be new, the speed and intensity of its occurrence do set it apart, as do the immediacy of the linkages to distant and unknown parties.

This situation, in essence, creates an "information commons" -- a convergence of self-interest -- in which there are few barriers to entry, and in which involuntarily shared risks and exposure to the consequences of the acts of others are automatic. That is, these same characteristics of an information-dependent society -- the advantages of nearly instant connectivity and access to a wealth of information resources -- also create a series of "security and vulnerability externalities" that result in an extremely high degree of reciprocal dependency among all elements of the community. Under these circumstances, even accidents and negligence, much less malicious acts by others, can create serious, even catastrophic, impacts not only on individuals and private entities but also on the nation's general welfare and common defense.

In developing ways to address the difficult choices among the values that are in tension, mechanisms for governance must accommodate the organic processes that are crucial to societal adaptation of a new technology. Process implies a progressively achieved outcome rather than simply a clearly perceptible end-state or result that can be accomplished all at once, and this suggests that recognizing where we are in the process may be important to understanding the best way to proceed.

Models for governance range from (1) leaving protective measures in individual hands as a matter of retaining personal responsibility (individual self-defense), to (2) accepting the responsibility for protecting the community's interests and retaining the authority in the community's hands (collective self-defense), to (3) shifting the authority for community protection to the government (formally delegated authority). The real issue is probably not to choose among them as exclusive options, but how to dynamically balance among them. This choice depends fundamentally upon several crucial factors: first, where one wishes to retain responsibility as opposed to authority; second, how much authority the community is prepared to place in someone else's hands; and third, where the capabilities to ameliorate problems are lodged.

The new information structures are imposing divergent exogenous costs on many segments of societies, both domestic and global. As the exogenous costs- -- "externalities" to economists- -- of these behaviors became more widely appreciated, attitudes began to change; these activities impose costs on the community at large, not just the careless individual.[14] This is, in fact, the very same situation in which we find ourselves living in a codependent information society. Increasingly, certain types of activities -- -ones dangerous to others -- run afoul of tightening community intolerance for "reckless disregard" of norms and laws designed to protect the common welfare of the entire community. Society should be no less intolerant of similar types of information abuses that could endanger others.

Within the information domain, tensions between local identity and personal choice, on the one hand, and attempts at federal preemption or imposition of uniform national standards, on the other hand, have already created significant tensions. Increasing globalization, with its attendant standardization and homogenization of behaviors as well as products, may deepen tensions even further. Concern over "American cultural hegemony," renewed over the recent announcement of the America Online/Time-Warner merger, may already be as widespread as concern over our present unchallenged military advantage.

Although national governments clearly have paramount responsibility for governing information infrastructures, and governments at all levels share the responsibility for prosecuting criminal activity, there are three reasons they cannot perform these functions in the information domain without substantial assistance from private individuals and organizations. First, appropriate activities by private actors are crucially important because private actors, in reality, hold most of the technical and physical capabilities for preventing potentially adverse information incidents or ameliorating their consequences. Second, as governments increasingly become buyers of commercial information and telecommunications services, this reliance on private capabilities by the government will continue to grow even with respect to protecting government's own critical information systems. Third, exactly because information is sensitive and information systems so pervasive, private parties are not likely to extend the government writ so as to give government additional, and necessarily intrusive, authorities for information protection sufficient to allow the government to perform these functions successfully. Indeed, current suspicions of FidNet, which claims merely to enable information to flow smoothly among concerned agencies, contain, as a subtext, the fear that this will open the way for intrusive domestic investigations and access to sensitive information.[15]

4. Conclusion: a modest proposal

We propose, therefore, not another committee, board, or similar governance body vested with the authority to make binding decisions and issue rules. Instead we first propose a vigorous discussion of values on which we can build a self-policing community in the original spirit of the Internet protocols: a small set of agreed-upon standards within which many implementations are possible. We further propose that the point of departure is a commitment to aligning responsibility, capability, and authority wherein the outcomes are agreed-upon counterparts for resolving disputes, perhaps focusing on those germane to the smooth conduct of business. Thus, the intent is to harmonize government functions, not agencies.

This is a tall order; we should get busy.


[1] "Kudzu" is a vine that is indigenous to Asia (Pueraria lobata syn. P. thunbergiana); it is used for forage and erosion control. The plant was transplanted to North America with the intention of using it to anchor steep banks of soil and thereby prevent erosion. Instead it has become a rampant weed in parts of the southeastern United States since it readily spreads over trees and shrubs as well as exposed soil. See Encyclopedia Britannica, "kudzu vine," <http://www.britannica.com/>

[2] BERNSTEIN v USDOJ, 9716686. < http://caselaw.findlaw.com/scripts/getcase.pl?navby=search&case=/uscircs/9th/9716686.html>

[3] We note that association between domain names and allegations of trademark infringements arises from the associations that humans make with the strings; this is not inherent in the technical addressing itself. This has led some to characterize naming systems like domain names as "mneumonic" rather than "semantic," which would imply that the "name" had implications for the system. SAIC has a minority position in Network Solutions, Inc.

[4] Shane Greenstein, On the Net: The Recent Commercialization of Access Infrastructure, iMP: The Magazine on Information Impacts (December 1999). <http://www.cisp.org/imp/december_99/12_99greenstein.htm>.

[5] While some might term these as four elements of a "Faustian bargain," this would almost certainly convey too strong a negative flavor with respect to the potential costs. As Alexis de Tocqueville observed about a free press, "In order to enjoy the inestimable benefits of the liberty of the press ensures, it is necessary to submit to the inevitable evils that it creates." Alexis de Tocqueville, Democracy in America, Book 1, Chapter 11, Hypertext edition, American Studies @ The University of Virginia, <http://xroads.virginia.edu>.

[6] Barbara Simons, Melissa's Message, Communications of the ACM, 42 (June 1999): 25-26.

[7] We want to thank Stephen J. Lukasik for this interesting notion.

[8] Amy Friedlander, "In God We Trust; All Others Pay Cash:" Banking as an American Infrastructure, 1800-1935 (Reston, VA: Corporation for National Research Initiatives, 1996): 66-67. The original work on the organization of the stock exchanges and their association with railroads was done by Alfred DuPont Chandler, The Visible Hand: The Managerial Revolution in American Business (Cambridge, MA: Harvard University Press, 1977).

[9] On the organization of the New York City Clearinghouse, see Friedlander, Banking, 57-59; on the development and expansion of the Federal Reserve system, which embodied many of the structural elements pioneered in New York, see Ibid., 79-84, 92-96.

[10] This is an argument fundamentally about values and may be out-of-sync in a world that now demands econometric analysis of policy issues.

[11] Many, if not most, Americans would further argue, rather convincingly, that centralized decision-making is, in fact, less efficient as well as more dangerous. See David Brin, The Transparent Society (Reading, MA: Addison-Wesley, 1998).

[12] At the same time, civil society should demand that governments facilitate, not hinder, appropriate self-help measures. Unconsidered actions (such as the legislation (HR 2281) to conform US copyright law to the new World Intellectual Property Organization (WIPO) standards) can prevent private actors from carrying out legitimate and necessary information protection activities.

[13] An authoritative summary of the early treaties governing spectrum allocation can be found in Christopher H. Sterling and John M. Kittross. Stay Tuned; A Concise History of American Broadcasting (Belmont, California: Wadsworth Publishing Company, 1990 [second edition]); and Susan J. Douglas, Inventing American Broadcasting, 1899-1922 (Baltimore: The Johns Hopkins University Press, 1987).

[14] Consider the example of seatbelts. First, not wearing seat belts substantially increases the likelihood of a driver losing control in an accident and causing damage or injury to other vehicles or bystanders. Furthermore, in an era of skyrocketing medical costs and third-party or government coverage, the increased costs of expensive trauma injuries to the unbelted are transferred to the rest of the community. Similarly, when drunk drivers more often than not ran off rural roads and killed only themselves, most communities were prepared to tolerate this kind of reckless behavior. When innocent pedestrians or occupants of other vehicles began to suffer significant injuries as a result of drunk drivers, many communities became rapidly less accepting of these collateral costs being imposed on the community as a result of individuals' reckless behaviors.

[15] Barbara Simons, Building Big Brother, Communications of the ACM 43 (January 2000): 31-32.

© 2000. Center for Information Strategy and Policy, the Strategies Group, Science Applications International Corporation: An Employee Owned Company