Jonathan Zittrain calls for a kind of situation awareness on the part of internet users and their devices. He suggests a principled, communal approach to internet security that will detect problems and solve them, without burning down the village to save it. It’s a useful direction to take. However, because the incentives of many of the incumbents involved in the internet economy don’t align with “netizenship,” the clarion call of a good idea may go unheard.
The word “security” is a cover label. It means different things to different people, just as “Internet” means different things to different people. Zittrain’s essay focuses on two different layers of security issues: edge and content-related security (penetration, espionage, spam, fraud, phishing, viruses, trojan horses, buffer overflow, identity theft) and infrastructure vulnerabilities (lines, switches, distributed denial of service attacks). He is suggesting that the compromising of machines through viruses can transform them into zombies useful for increasingly-sophisticated DDOS attacks: millions of devices working together, under the direction of a hired gun, to bring down particular internet resources. This is all true, and a constant drumbeat of concern is beating around the world to bring attention to the problem.
In the eyes of many existing institutions, though, security isn’t really a problem—it’s an opportunity.
These institutions include hardware manufacturers, law enforcement agencies, network access providers, and “internet governance” efforts. All of these actors have powerful incentives to both amplify the security issue and then be seen as solving it. Hardware manufacturers can say “Buy our boxes; we’ll allow you to know exactly what’s going on on your network.” Law enforcement can demand that users be identified online, to avoid the risk of unknown communications. Network access providers can use security threats as a reason for managing their networks—often to serve their own commercial interests. Internet governance institutions can claim that the insecurity scourge makes it necessary for them to have greater resources and greater enforcement authority.
I am not claiming that there is not a security problem online. There surely is. But the methods usually proposed for solving it—unlike the principled Zittrainian community approach—are (in effect) opportunities for reinserting friction, recreating borders, and reinstating authoritative filters. Instead of Walter Cronkite at our dining room tables, if these incumbents have their way, we’ll have a safe and authoritarian network.
Zittrain is right. We should be leading ourselves toward enlightenment, avoiding lock-down, and scrutinizing for ourselves what our machines are up to. This is clearly the right direction, the fruitful direction: the generative, liberating move. But, particularly in the United States, we haven’t had the opportunity to think of ourselves as Netizens. It’s all too new, and the institutions for which security is an opportunity are lumbering forward before our inner Netizens have woken up properly. Indeed, many people think of the internet as “mass media,” yet another source of entertainment or conversation; as a group, we don’t expect to be in charge the way we should.
Like Zittrain, I still think there’s a chance that the alternate community-led vision could come true, but it would demand some substantial shifts in reality. We’d need much more competition for internet access in the U.S., so that proto-Netizens could choose for themselves the non-paternalistic way. (Right now, 93% or more of highspeed internet access is controlled in this country by regional cable-telco duopolies, and all of these companies have strong incentives to avoid commoditization and competition—so they are “managing” up a storm.) Furthermore, the scaffolding of technical literacy would need to be firmly in place so that the situation awareness he calls for can be realized. You cannot see what you do not understand. And we’d need a set of gadgets that were beautiful (like the iPhone), open, and cheap—to take up the PC-based cause in handheld form. Absent these changes in our environment, our expectations will remain low, we’ll be fear-mongered into submission, media stories of horrific online experiences will continue to circulate at regular intervals, and we’ll be the passive, safe consumers of non-generative history.
I believe that people are good, that they’ll act humanely in digital environments, and that we can solve most problems for ourselves. So I believe Zittrain is right. I don’t affirm, however, that these beliefs outweigh the strong incentives that compel a wide variety of players to use the opportunity of security for their own political and profitable ends. I hope I’m wrong.
Click here to return to the New Democracy Forum
Susan Crawford is currently a Visiting Professor of Law at Yale Law School. She teaches at Cardozo School of Law in New York.
This is a response to Jonathan Zittrain's Protecting the Internet Without Wrecking It
Other responses in the New Democracy Forum:
Bruce M. Owen
David D. Clark
Roger A. Grimes
Jonathan Zittrain offers his own response to the