Technology Liberation Front (https://techliberation.com): Keeping politicians' hands off the Net & everything else related to technology

Permissionless Innovation & Cybersecurity: Are They Compatible?
https://techliberation.com/2016/03/09/permissionless-innovation-cybersecurity-are-they-compatible/
Wed, 09 Mar 2016 16:58:00 +0000

[This is an excerpt from Chapter 6 of the forthcoming 2nd edition of my book, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom,” due out later this month. I was presenting on these issues at today’s New America Foundation “Cybersecurity for a New America” event, so I thought I would post this now.  To learn more about the contrast between “permissionless innovation” and “precautionary principle” thinking, please consult the earlier edition of my book or see this blog post.]


 

Viruses, malware, spam, data breaches, and critical system intrusions are just some of the security-related concerns that often motivate precautionary thinking and policy proposals.[1] But as with privacy- and safety-related worries, the panicky rhetoric surrounding these issues is usually unfocused and counterproductive.

In today’s cybersecurity debates, for example, it is not uncommon to hear frequent allusions to the potential for a “digital Pearl Harbor,”[2] a “cyber cold war,”[3] or even a “cyber 9/11.”[4] These analogies are made even though these historical incidents resulted in death and destruction of a sort not comparable to attacks on digital networks. Others refer to “cyber bombs” or technological “time bombs,” even though no one can be “bombed” with binary code.[5] Michael McConnell, a former director of national intelligence, went so far as to say that this “threat is so intrusive, it’s so serious, it could literally suck the life’s blood out of this country.”[6]

Such outrageous statements reflect the frequent use of “threat inflation” rhetoric in debates about online security.[7] Threat inflation has been defined as “the attempt by elites to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify.”[8] Unfortunately, such bombastic rhetoric often conflates minor cybersecurity risks with major ones. For example, dramatic doomsday stories about hackers pushing planes out of the sky misdirect policymakers’ attention from the more immediate, but less gripping, risks of data extraction and foreign surveillance. Well-meaning skeptics might then conclude that our real cybersecurity risks are also not a problem. In the meantime, outdated legislation and inappropriate legal norms continue to impede beneficial defensive measures that could truly improve security.

Meanwhile, similar concerns have already been raised about security vulnerabilities associated with the Internet of Things[9] and driverless cars.[10] Legislation has already been floated to address the latter concern through federal certification standards.[11] More broad-based cybersecurity legislative proposals have also been proposed, most notably the Cybersecurity Information Sharing Act, which would extend legal immunity to corporations that share customer data with intelligence agencies.[12]

Ironically, these efforts to expand federal cybersecurity authority come before the federal government has even gotten its own house in order. According to a recent report, federal information security failures had increased by an astounding 1,169 percent, from 5,503 in fiscal year 2006 to 69,851 in fiscal year 2014.[13] Of course, many of these same agencies would be tasked with securing the massive new datasets containing personally identifiable details about US citizens’ online activities that legislation like the Cybersecurity Information Sharing Act would authorize. In the worst-case scenario, such federal data storage could counterintuitively encourage more attacks on government systems.

It’s important to put all these security issues in some context and to realize that proposed legal remedies are often inappropriate to address online security concerns and sometimes end up backfiring. In his research on the digital security marketplace, my Mercatus Center colleague Eli Dourado has illustrated how we are already able to achieve “Internet Security without Law.”[14] Dourado documented the many informal institutions that enforce network security norms on the Internet to show how cooperation among a remarkably varied set of actors improves online security without extensive regulation or punishing legal liability. “These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms,” Dourado says.[15]

For example, a diverse array of computer security incident response teams (CSIRTs) operate around the globe, sharing their research on and coordinating responses to viruses and other online attacks. Individual Internet service providers (ISPs), domain name registrars, and hosting companies work with these CSIRTs and other individuals and organizations to address security vulnerabilities.

Encouraging the development of robust and lawful software vulnerability markets would provide even more effective cybersecurity reporting. Some private companies and nonprofit security research firms have offered financial incentives for hackers to find and report software vulnerabilities to the proper parties for years now.[16] Such “bug bounty” and “vulnerability auction” programs better align hackers’ monetary incentives with the public interest. By allowing a space for security researchers to responsibly report and profit from discovered bugs, these markets dissuade hackers from selling vulnerabilities to criminal or state-backed organizations.[17]

A growing market for private security consultants and software providers also competes to offer increasingly sophisticated suites of security products for businesses, households, and governments. “Corporations, including software vendors, antimalware makers, ISPs, and major websites such as Facebook and Twitter, are aggressively pursuing cyber criminals,” notes Roger Grimes of Infoworld.[18] “These companies have entire legal teams dedicated to national and international cyber crime. They are also taking down malicious websites and bot-spitting command-and-control servers, along with helping to identify, prosecute, and sue bad guys,” he says.[19] Meanwhile, more organizations are employing “active defense” strategies, which are “countermeasures that entail more than merely hardening one’s own network against threats and instead seek to unmask one’s attacker or disable the attacker’s system.”[20]

A great deal of security knowledge is also “crowd-sourced” today via online discussion forums and security blogs that feature contributions from experts and average users alike. University-based computer science and cyber law centers and experts have also helped by creating projects like Stop Badware, which originated at Harvard University but then grew into a broader nonprofit organization with diverse financial support.[21] Meanwhile, informal grassroots security groups like The Cavalry have formed to build awareness about digital security threats among developers and the general public and then devise solutions to protect public safety.[22]

The recent debacle over the Commerce Department’s proposed new export rules for so-called cyberweapons provides a good example of how poorly considered policies can inadvertently undermine such beneficial emergent ecosystems. The agency’s new draft of US “Wassenaar Arrangement” arms control policies would have unintentionally criminalized the normal communication of basic software bug-testing techniques that hundreds of companies employ each day.[23] The regulators who were drafting the new rules had good intentions. They wanted to crack down on cyber criminals’ abilities to sell malware to hostile state-backed initiatives. However, their lack of technical sophistication led them to unknowingly write a proposal that would have compelled software engineers to seek Commerce Department permission before communicating information about minor software quirks. Fortunately, regulators wisely heeded the many concerned industry comments and rescinded the initial proposal.[24]

Dourado notes that informal, bottom-up efforts to coordinate security responses offer several advantages over top-down government solutions such as administrative regulatory regimes or punishing liability regimes. First, the informal cooperative approach “gives network operators flexibility to determine what constitutes due care in a dynamic environment.” “Formal legal standards,” by contrast, “may not be able to adapt as quickly as needed to rapidly changing circumstances,” he says.[25] Simply put, markets are more nimble than mandates when it comes to promptly patching security vulnerabilities.

Second, Dourado notes that “formal legal proceedings are adversarial and could reduce ISPs’ incentives to share information and cooperate.”[26] Heavy-handed regulation or threatening legal liability schemes could have the unintended consequence of discouraging the sort of cooperation that today alleviates security problems swiftly.

Indeed, there is evidence that existing cybersecurity law prevents defensive strategies that could help organizations to more quickly respond to system infiltrations. For example, some argue that private individuals and organizations should be allowed to defend themselves using special measures to expel or track system infiltrators, often called “hacking back” or “active defense.” Anthony Glosson’s analysis for the Mercatus Center discusses how the Computer Fraud and Abuse Act currently prevents computer security specialists from utilizing defensive hacking techniques that could improve system defenses or decrease the number of attempted attacks.[27]

Third, legal solutions are less effective because “the direct costs of going to court can be substantial, as can be the time associated with a trial,” Dourado argues.[28] By contrast, private actors working cooperatively “do not need to go to court to enforce security norms,” meaning that “security concerns are addressed quickly or punishment . . . is imposed rapidly.”[29] For example, if security warnings don’t work, ISPs can “punish” negligent or willfully insecure networks by “de-peering,” or terminating network interconnection agreements. The very threat of de-peering helps keep network operators on their toes.

Finally, and perhaps most importantly, Dourado notes that international cooperation between state-based legal systems is limited, complicated, and costly. By contrast, under today’s informal, voluntary approach to online security, international coordination and cooperation are quite strong. The CSIRTs and other security institutions and researchers mentioned above all interact and coordinate today as if national borders did not exist. Territorial legal systems and liability regimes don’t have the same advantage; enforcement ends at the border.

Dourado’s model has ramifications for other fields of tech policy. Indeed, as noted above, these collaborative efforts and approaches are already at work in the realms of online safety and digital privacy. Countless organizations and individuals collaborate on educational initiatives to improve online safety and privacy. And many industry and nonprofit groups have established industry best practices and codes of conduct to ensure a safer and more secure online experience for all users. The efforts of the Family Online Safety Institute were discussed above. Another example comes from the Future of Privacy Forum, a privacy think tank that seeks to advance responsible data practices. The think tank helps create codes of conduct to ensure privacy best practices by online operators and also helps highlight programs run by other organizations.[30] Likewise, the National Cyber Security Alliance helps promote Internet safety and security efforts among a variety of companies and coordinates National Cyber Security Awareness Month (every October) and Data Privacy Day (held annually on January 28).[31]

What these efforts prove is that not every complex social problem requires a convoluted legal regime or heavy-handed regulatory response. We can achieve reasonably effective safety and security without layering on more and more law and regulation.[32] Indeed, the Internet and digital systems could arguably be made more secure by reforming outdated legislation that prevents potential security-increasing collaborations. “Dynamic systems are not merely turbulent,” Postrel notes. “They respond to the desire for security; they just don’t do it by stopping experimentation.”[33] She adds, “Left free to innovate and to learn, people find ways to create security for themselves. Those creations, too, are part of dynamic systems. They provide personal and social resilience.”[34]

Education is a crucial part of building resiliency in the security context as well. People and organizations can prepare for potential security problems rationally if given even more information and better tools to secure their digital systems and to understand how to cope when problems arise. Again, many corporations and organizations already take steps to guard against malware and other types of cyberattacks by offering customers free (or cheap) security software. For example, major broadband operators offer free antivirus software to customers and various parental control tools to parents. In the context of “connected car” technology, automakers have banded together to come up with privacy and security best practices to address worries about remote hacking of cars as well as concerns about how much data they collect about our driving habits.[35]

Thus, although it is certainly true that “more could be done” to secure networks and critical systems, panic is unwarranted because much is already being done to harden systems and educate the public about risks.[36] Various digital attacks will continue, but consumers, companies, and other organizations are learning to cope and become more resilient in the face of those threats through creative “bottom-up” solutions instead of innovation-limiting “top-down” regulatory approaches.


 

[1]    This section partially adapted from Adam Thierer, “Achieving Internet Order without Law,” Forbes, June 24, 2012, http://www.forbes.com/sites/adamthierer/2012/06/24/achieving-internet-order-without-law. The author wishes to thank Andrea Castillo for major contributions to this section.

[2]    See Richard A. Serrano, “Cyber Attacks Seen as a Growing Threat,” Los Angeles Times, February 11, 2011, A18. (“[T]he potential for the next Pearl Harbor could very well be a cyber attack.”)

[3]    Harry Raduege, “Deterring Attackers in Cyberspace,” The Hill, September 23, 2011, 11, http://thehill.com/opinion/op-ed/183429-deterring-attackers-in-cyberspace.

[4]    Kurt Nimmo, “Former CIA Official Predicts Cyber 9/11,” InfoWars.com, August 4, 2011, http://www.infowars.com/former-cia-official-predicts-cyber-911.

[5]    Rodney Brown, “Cyber Bombs: Data-Security Sector Hopes Adoption Won’t Require a ‘Pearl Harbor’ Moment,” Innovation Report, October 26, 2011, 10, http://digital.masshightech.com/launch.aspx?referral=other&pnum=&refresh=6t0M1Sr380Rf&EID=1c256165-396b-454f-bc92-a7780169a876&skip=; Craig Spiezle, “Defusing the Internet of Things Time Bomb,” TechCrunch, August 11, 2015, http://techcrunch.com/2015/08/10/defusing-the-internet-of-things-time-bomb.

[6]    “Morning Edition: Cybersecurity Bill: Vital Need or Just More Rules?” NPR, March 22, 2012, http://www.npr.org/templates/transcript/transcript.php?storyId=149099866.

[7]    Jerry Brito and Tate Watkins, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” (Mercatus Working Paper No. 11-24, Mercatus Center at George Mason University, Arlington, VA, 2011).

[8]    Jane K. Cramer and A. Trevor Thrall, “Introduction: Understanding Threat Inflation,” in American Foreign Policy and the Politics of Fear: Threat Inflation Since 9/11, ed. A. Trevor Thrall and Jane K. Cramer (London: Routledge, 2009), 1.

[9]    Tufekci, “Dumb Idea”; Byron Acohido, “Hackers Take Control of Internet Appliances,” USA Today, October 15, 2013, http://www.usatoday.com/story/cybertruth/2013/10/15/hackers-taking-control-of-internet-appliances/2986395.

[10]   Ed Markey, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, US Senate, February 2015, http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf.

[11]   Ed Markey, “Markey, Blumenthal to Introduce Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities with Standards and ‘Cyber Dashboard,’” press release, February 11, 2015, http://www.markey.senate.gov/news/press-releases/markey-blumenthal-to-introduce-legislation-to-protect-drivers-from-auto-security-and-privacy-vulnerabilities-with-standards-and-cyber-dashboard.

[12]   Andrea Castillo, “How CISA Threatens Both Privacy and Cybersecurity,” Reason, May 10, 2015, https://reason.com/archives/2015/05/10/why-cisa-wont-improve-cybersecurity.

[13]   Eli Dourado and Andrea Castillo, “Poor Federal Cybersecurity Reveals Weakness of Technocratic Approach” (Mercatus Working Paper, Mercatus Center at George Mason University, Arlington, VA, June 22, 2015), http://mercatus.org/publication/poor-federal-cybersecurity-reveals-weakness-technocratic-approach.

[14]   Eli Dourado, “Internet Security without Law: How Security Providers Create Online Order” (Mercatus Working Paper No. 12-19, Mercatus Center at George Mason University, Arlington, VA, June 19, 2012), http://mercatus.org/publication/internet-security-without-law-how-service-providers-create-order-online.

[15]   Ibid.

[16]   Charlie Miller, “The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales,” Independent Security Evaluators, May 6, 2007, http://www.econinfosec.org/archive/weis2007/papers/29.pdf.

[17]   Andrea Castillo, “The Economics of Software-Vulnerability Sales: Can the Feds Encourage ‘Pro-social’ Hacking?” Reason, August 11, 2015, https://reason.com/archives/2015/08/11/economics-of-the-zero-day-sales-market.

[18]   Roger Grimes, “The Cyber Crime Tide Is Turning,” Infoworld, August 9, 2011, http://www.pcworld.com/article/237647/the_cyber_crime_tide_is_turning.html.

[19]   Dourado, “Internet Security.”

[20]   Anthony D. Glosson, “Active Defense: An Overview of the Debate and a Way Forward,” (Mercatus Working Paper, Mercatus Center at George Mason University, Arlington, VA, August 10, 2015), http://mercatus.org/publication/active-defense-overview-debate-and-way-forward-guardians-of-peace-hackers-cybersecurity.

[21]   http://stopbadware.org.

[22]   https://www.iamthecavalry.org.

[23]   Andrea Castillo, “The Government’s Latest Attempt to Stop Hackers Will Only Make Cybersecurity Worse,” Reason, July 28, 2015, https://reason.com/archives/2015/07/28/gov-ploy-to-stop-hackers-will-backfire.

[24]   Russell Brandom, “The US is Rewriting its Controversial Zero-Day Export Policy,” The Verge, July 29, 2015, http://www.theverge.com/2015/7/29/9068665/wassenaar-export-zero-day-revisions-department-of-commerce.

[25]   Dourado, “Internet Security.”

[26]   Ibid.

[27]   Glosson, “Active Defense.”

[28]   Dourado, “Internet Security.”

[29]   Dourado, “Internet Security.”

[30]   Future of Privacy Forum, “Best Practices,” http://www.futureofprivacy.org/resources/best-practices/.

[31]   See http://www.staysafeonline.org/ncsam and http://www.staysafeonline.org/data-privacy-day.

[32]   Glosson, “Active Defense,” 22. (“The precautionary principle is especially inadvisable in the dynamic realm of tech policy, and until the ostensible harms of active defense materialize, the law should facilitate maximum innovation in the network security field.”)

[33]   Postrel, Future and Its Enemies, at 199.

[34]   Ibid., 202.

[35]   See Future of Privacy Forum, “Connected Cars Project,” accessed October 16, 2015, http://www.futureofprivacy.org/connectedcars; Auto Alliance, “Automakers Believe That Strong Consumer Data Privacy Protections Are Essential to Maintaining the Trust of Our Customers,” accessed October 16, 2015, http://www.autoalliance.org/automotiveprivacy. See also Future of Privacy Forum, “Comments of the Future of Privacy Forum on Connected Smart Technologies in Advance of the FTC ‘Internet of Things’ Workshop,” May 31, 2013, http://www.futureofprivacy.org/wp-content/uploads/FPF-Comments-Regarding-Internet-of-Things.pdf.

[36]   Adam Thierer, “Don’t Panic over Looming Cybersecurity Threats,” Forbes, August 7, 2011, http://www.forbes.com/sites/adamthierer/2011/08/07/dont-panic-over-looming-cybersecurity-threats.

 

Tech Policy Threat Matrix
https://techliberation.com/2015/09/24/tech-policy-threat-matrix/
Thu, 24 Sep 2015 15:52:56 +0000

On the whiteboard that hangs in my office, I have a giant matrix of technology policy issues and the various policy “threat vectors” that might end up driving regulation of particular technologies or sectors. Along with my colleagues at the Mercatus Center’s Technology Policy Program, we constantly revise this list of policy priorities and simultaneously make an (obviously quite subjective) attempt to put some weights on the potential policy severity associated with each threat of intervention. The matrix looks like this: [Sorry about the small fonts. You can click on the image to make it easier to see.]

 

Tech Policy Issue Matrix 2015

I use 5 general policy concerns when considering the likelihood of regulatory intervention in any given area. Those policy concerns are:

  1. privacy (reputation issues, fear of “profiling” & “discrimination,” amorphous psychological / cognitive harms);
  2. safety (health & physical safety or, alternatively, child safety and speech / cultural concerns);
  3. security (hacking, cybersecurity, law enforcement issues);
  4. economic disruption (automation, job dislocation, sectoral disruptions); and,
  5. intellectual property (copyright and patent issues).

I realize that some of these five categories could be sub-divided and refined. I also understand that these five groupings may not encapsulate the full range of potential policy issues out there, but I’ve tried to avoid having too many categories to keep this as conceptually tidy as is possible. However, I might need to add a separate category for civil rights and disabilities-related policy issues eventually. Likewise, “psychological considerations” might deserve its own category because they do not necessarily perfectly fit into either the privacy or safety buckets right now, even though that’s where I have them currently. For example, some privacy activists call for regulation of “big data” and large databases based on fears about how all that data collection makes people feel about themselves. I consider that a privacy-related concern now, but you could imagine that being in a separate category. Meanwhile, there have long been calls to regulate various types of media content (music, movies, video games, online porn, etc.) based on the psychological impact they have on children. Those “media effects” theories have always been considered a child safety issue, which is where I currently have them slotted, but they could probably be their own category that also included concerns about distraction and addiction (which could come to haunt VR technologies in the future).

Anyway, my colleagues and I use this current matrix to help us determine what we should be paying more attention to and what sort of scholarly outputs are needed to address regulatory threats on each front. Generally speaking, this is the portfolio of issues I try to stay on top of full-time at Mercatus as part of our ongoing “Permissionless Innovation” project.

Several people who have seen that matrix in my office tell me I should do something more with it, but I’m not really sure what that something would be. In any event, I thought it might make sense to post it here to give others a feel for the current set of emerging tech policy issues that interest us at Mercatus. I will try to upload new versions of the matrix as that giant whiteboard in my office morphs over time and the list of technologies and regulatory threats changes or grows.

Incidentally, I am often asked to explain the relative weights I’ve assigned to each potential regulatory threat, so I will try to justify some of those rankings here briefly. (Again, it’s all quite subjective and I’m always open to hearing the case for tweaking the rankings.)

  • Big Data / Online Marketing / the Internet of Things (IoT): Privacy is the #1 policy threat for these sectors. From a public policy perspective, what unifies these technologies is a growing concern about how expanding private sector data collection efforts could affect our privacy or reputations. We’ve already seen a flurry of legislative and regulatory activity here in the U.S. aimed at placing restrictions on data collection or use. And it goes without saying that other countries, especially in Europe, already impose a wide variety of controls on data collection in the name of privacy protection. There also exists a variety of closely-related security concerns here. But the rise of IoT technologies has introduced safety concerns into the mix in a major way, too. That’s especially true because of the large number of Big Data services and IoT devices that are health and medical related. Taken together, this is the issue set I spend the majority of my time covering because the privacy and security implications of a data-driven economy already occupy the attention of countless regulatory activists and public policymakers across the globe. I think that will continue to be the case for many years to come.
  • Robotics: Safety concerns tend to be the biggest driver of calls for regulation of robotic and autonomous technology. For example, new laws and regulations are already being proposed for driverless cars based on fears about the hacking of connected vehicles. And commercial drones attract policy attention based on safety-related concerns such as whether a drone could strike an airplane, or even just fall on our heads. Proposals have been floated to mandate the equivalent of DRM for drones, which would force drone innovators to embed federally-approved technological controls into their systems designating where they are allowed to fly. Even if most of these concerns are overstated or are currently being dealt with, we can expect more safety-related policy proposals for robotic tech in coming years.  Economic concerns would be a close second here due to the increasing worry that robots will eat all our jobs. At least so far, however, that concern has tended to be more of an academic nature rather than a public policy consideration. And it remains unclear what the policy prescription would be in this regard without becoming a neo-Luddite, “smash-the-machines” sort of proposal. That could change in coming years, however. It all depends on the labor market situation over time. Meanwhile, academics are floating the idea of a Federal Robotics Commission to provide greater policy “expertise” in the form of yet another technocratic Beltway bureaucracy.
  • Additive manufacturing / 3D printing: Safety is probably the #1 concern here, although depending on what type of 3D-printed object we are talking about, it could be the case that intellectual property concerns will be a bigger driver of calls for regulatory intervention. A lot of the policy-related concerns around 3D printing today are being driven by worries over things like 3D-printed guns. That’s mostly a safety concern, of course. But if we are talking about the replication of branded commercial objects (3D-printed toys or other things, for example), then IP tends to be the bigger concern. The question of product liability also looms large here and it remains unclear how claims might be sorted out when there are fewer large, deep-pocketed intermediaries to go after in a world of decentralized production. Hopefully, those liability norms will be left to the courts and common law to sort out over time, but I wouldn’t be surprised to see more calls for preemptive legislative interventions here in both directions: i.e., some will call legislators to impose greater liability on certain parties while others will push to immunize intermediaries from punishing forms of liability for the downstream actions of others (like a Sec. 230 norm for 3D printing).
  • Medical tech innovation: It goes without saying that traditional safety concerns will drive policy for advanced medical technologies, just as they have for earlier drugs, devices, and treatments. As software continues to “eat the world” and invade the world of health and medicine, regulators are increasingly going to be trying to figure out how to pigeonhole new technologies into old regulatory constructs. That’s why I have been watching how the FDA continues to deal with 3D-printed prosthetics and mobile medical apps on our smartphones. Eventually, the continuing decentralized democratization of 3D printing (driven by rapidly falling costs) will collide with old medical device regulatory realities and a century’s worth of FDA command-and-control style regulation. Oh my, what a fight that will be! And then chemical printers will become more widespread and this issue will get even more intense. The policy fight here is even more interesting because of all the thorny ethical issues pertaining to the rise of embeddable technology, biohacking, and genome innovation. I have a feeling that my policy portfolio will shift rapidly in this direction in coming years as the modern info-tech revolution spreads to the world of medicine and health. I already have two new papers coming out on these issues in the next few weeks.
  • Sharing economy: Economic disruption is clearly the big policy issue here. Specifically, many policymakers and incumbent industries aren’t very happy about new entrants coming into their sectors and offering consumers services without strictly complying with traditional regulations. But safety issues often pop up in these debates when regulators or advocates claim we can’t trust sharing economy operators. What’s particularly interesting about this space is how these policy battles are playing out at almost every level of government: federal, state, local, and international. At least thus far, sharing economy innovators tend to be winning most of those battles. But the fight continues.
  • Crypto & Bitcoin: I think safety would probably be the biggest issue here, in the sense that policymakers fear a world of unregulated crypto and decentralized blockchain applications is a world in which the “bad guys” will be able to use those technologies to harm the public in some fashion. We’ve heard this all before, of course, but (going all the way back to the Clipper Chip wars) you can always bank on law enforcement officials resorting to Chicken Little claims about terrorists and child predators thriving in a world of unregulated crypto. In many ways, this is the most important of all these policy fights because if the government can regulate crypto and blockchain technologies, it severely undermines the fabric of almost all the other technologies and platforms discussed herein. This is why the current debate over government-mandated “backdoors” is so important; it has profound ramifications for every other tech regulation debate that follows.
  • Immersive Tech (VR and augmented reality): This is an amorphous and evolving area that I am getting increasingly interested in, but the policy issues here have yet to come into clear focus. However, when Google Glass was launched, there was a brief technopanic of sorts over its privacy and security ramifications. Those concerns have subsided a bit as Google Glass has seemingly faded away (probably because of its high price point more than because of its privacy concerns), but I suspect that future iterations of augmented reality technologies will raise similar concerns. That will especially be true as more sophisticated biometric (and facial recognition) capabilities are integrated into them. Academics are already wondering how to enforce “notice and consent” privacy norms and rules in a world where everyone is wearing miniature body cams and heads-up displays in their sunglasses. I’m not sure it’s even possible, but that debate will continue and include all sorts of calls for technological controls. OK, that’s augmented reality, but what about virtual reality technologies? I think safety concerns could drive some policy proposals as critics grow concerned about the psychological implications of people (especially kids) spending more and more time in immersive virtual worlds. In that sense, we might see a replay of the earlier debate over violent video games and/or video game addiction. But it remains to be seen.

Incidentally, I use this matrix and provide more context to it in my big presentation on “Permissionless Innovation & the Clash of Visions over Emerging Technologies.” [It’s embedded below.] And I discuss most of these issues in more detail in my book, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. I am in the process of finishing up the second edition of that book and will be expanding the case studies about the issues discussed above. Finally, I discussed many of these policy threats during my recent appearance on the Andreessen Horowitz podcast.

Update 10/2/15: For another take on various new technology trends and the potential policy issues they raise, check out this report from the World Economic Forum, Deep Shift: Technology Tipping Points and Societal Impact. The WEF report identifies 21 technology “shifts” and then groups them into six “mega-trend” categories. Almost all these issues are on my matrix above, but the WEF report provides some nice additional context on why each technology trend will be so disruptive.

Autonomous Vehicles Under Attack: Cyber Dashboard Standards and Class Action Lawsuits https://techliberation.com/2015/03/14/autonomous-vehicles-under-attack-cyber-dashboard-standards-and-class-action-lawsuits/ https://techliberation.com/2015/03/14/autonomous-vehicles-under-attack-cyber-dashboard-standards-and-class-action-lawsuits/#respond Sat, 14 Mar 2015 13:06:08 +0000 http://techliberation.com/?p=75511

In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk), Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids is prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers. For security in particular, there may be concerns that require redress, but if one looks at the report, it becomes apparent that it lacks a very important feature: specific examples of real car hacking. The only examples illustrated in the report are described in brief detail:

An application was developed by a third party and released for Android devices that could integrate with a vehicle through the Bluetooth connection. A security analysis did not indicate any ability to introduce malicious code or steal data, but the manufacturer had the app removed from the Google Play store as a precautionary measure.

Great! The company solved the problem. What about the other instance cited in the report?

Some individuals have attempted to reprogram the onboard computers of vehicles to increase engine horsepower or torque through the use of “performance chips”. Some of these devices plug into the mandated onboard diagnostic port or directly into the under-the-hood electronics system.

So the only two examples of “car hacking” described in the Markey report are essentially duds. The first is a non-issue, since the company (1) determined there was little security risk involved and (2) removed the item from the market anyways, just to be sure. The second is, in a sense, hacking, but it is individual car owners doing it to their own cars. Neither of these cases appears to be sufficient grounds for imposing a set of arbitrary and, in many cases, capriciously anti-innovation approaches to privacy and data security in cars.

In the wake of the report’s release, this past Tuesday, March 10, General Motors, Toyota, and Ford were all hit with a nationwide class action lawsuit, alleging that the companies concealed “dangers posed by a lack of electronic security in a vast swath of vehicles.” Specifically, the lawsuit is aimed at the presence of controller area network (CAN) buses, which act as data hubs between the various electronic systems in a car. These systems are, indeed, susceptible to hacking, but no more than any personal computer that is connected to the Internet.

The trouble with this lawsuit, brought by the Stanley Law Group, is that it has not cited any specific harms that have occurred as a result of this “defect” (as a side note, saying a computer being susceptible to hacking constitutes a defect in design is the equivalent of saying an airplane that is susceptible to lightning strikes is fundamentally defective). Rather, the plaintiffs argue that “[w]e shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect.”

As Adam Thierer and I pointed out in our 2014 paper, Removing Roadblocks to Intelligent Vehicles and Driverless Cars:

Manufacturers have powerful reputational incentives at stake here, which will encourage them to continuously improve the security of their systems. Companies like Chrysler and Ford are already looking into improving their telematics systems to better compartmentalize the ability of hackers to gain access to a car’s controller-area-network bus. Engineers are also working to solve security vulnerabilities by utilizing two-way data-verification schemes (the same systems at work when purchasing items online with a credit card), routing software installs and updates through remote servers to check and double-check for malware, adopting of routine security protocols like encrypting files with digital signatures, and other experimental treatments. (pg. 40-41)

It’s always easy to see the potential for abuse and harm with any new emerging technology, but optimism and fortitude in the face of the uncertain is what helps society, and individuals, grow and progress. Car hacking, while certainly a viable concern, is not so ubiquitous that it necessitates a heavy-handed regulatory approach. Rather, we should permit various standards to emerge and attempt to deal with possible harms. In this way, we can experiment to properly determine what approaches work and what do not. Federal standards imposed from on high assume that firms and individuals are not capable of working through these murky issues. We should be a bit more optimistic about the human capacity for ingenuity and adaptability.

To end on something of a more optimistic note, Tom Vanderbilt of Wired magazine gives keen insight into the reality of regulating based on hypothetical scenarios:

Every scenario you can spin out of computer error – what if the car drives the wrong way – already exists in analog form, in abundance. Yes, computer-guidance systems and the rest will require advances in technology, not to mention redundancy and higher standards of performance, but at least these are all feasible, and capable of quantifiable improvement. On the other hand, we’ll always have lousy drivers.

 


 

Christopher Wolf on hate speech on the Internet https://techliberation.com/2013/10/29/christopher-wolf-on-hate-speech-on-the-internet/ https://techliberation.com/2013/10/29/christopher-wolf-on-hate-speech-on-the-internet/#respond Tue, 29 Oct 2013 12:00:47 +0000 http://techliberation.com/?p=73745

Christopher Wolf, director of the law firm Hogan Lovells’ Privacy and Information Management group, addresses his new book with co-author Abraham Foxman, Viral Hate: Containing Its Spread on the Internet. To what extent do hateful or mean-spirited Internet users hide behind anonymity? How do we balance the protection of the First Amendment online while addressing the spread of hate speech? Wolf discusses how to define hate speech on the Internet; whether online hate speech leads to real-world violence; how news sites like the Huffington Post and New York Times have dealt with anonymity; lessons we should impart on the next generation of Internet users to discourage hate speech; and cases where anonymity has proved particularly beneficial or valuable.

Thomas Rid on cyber war https://techliberation.com/2013/09/03/thomas-rid/ https://techliberation.com/2013/09/03/thomas-rid/#respond Tue, 03 Sep 2013 22:59:03 +0000 http://techliberation.com/?p=73525

Thomas Rid, author of the new book Cyber War Will Not Take Place, discusses whether so-called “cyber war” is a legitimate threat or not. Since the early 1990s, talk of cyber war has caused undue panic and worry and, despite major differences, the military treats the protection of cyberspace much in the same way as protection of land or sea. Rid also covers whether a cyber attack should be considered an act of war; whether it’s correct to classify a cyber attack as “war” considering no violence takes place; how sabotage, espionage and subversion come into play; and offers a positive way to view cyber attacks — have such attacks actually saved millions of lives?

Book Review: Ronald Deibert’s “Black Code: Inside the Battle for Cyberspace” https://techliberation.com/2013/07/16/book-review-ronald-deiberts-black-code-inside-the-battle-for-cyberspace/ https://techliberation.com/2013/07/16/book-review-ronald-deiberts-black-code-inside-the-battle-for-cyberspace/#comments Tue, 16 Jul 2013 13:01:57 +0000 http://techliberation.com/?p=45184

Ronald J. Deibert is the director of The Citizen Lab at the University of Toronto’s Munk School of Global Affairs and the author of an important new book, Black Code: Inside the Battle for Cyberspace, an in-depth look at the growing insecurity of the Internet. Specifically, Deibert’s book is a meticulous examination of the “malicious threats that are growing from the inside out” and which “threaten to destroy the fragile ecosystem we have come to take for granted.” (p. 14) It is also a remarkably timely book in light of the recent revelations about NSA surveillance and how it is being facilitated with the assistance of various tech and telecom giants.

The clear and colloquial tone that Deibert employs in the text helps make arcane Internet security issues interesting and accessible. Indeed, some chapters of the book almost feel like they were pulled from the pages of a techno-thriller, complete with villainous characters, unexpected plot twists, and shocking conclusions. “Cyber crime has become one of the world’s largest growth businesses,” Deibert notes (p. 144) and his chapters focus on many prominent recent examples, including cyber-crime syndicates like Koobface, government cyber-spying schemes like GhostNet, state-sanctioned sabotage like Stuxnet, and the vexing issue of zero-day exploit sales.

Deibert is uniquely qualified to narrate this tale not just because he is a gifted story-teller but also because he has had a front row seat in the unfolding play that we might refer to as “How Cyberspace Grew Less Secure.” Indeed, he and his colleagues at The Citizen Lab have occasionally been major players in this drama as they have researched and uncovered various online vulnerabilities affecting millions of people across the globe. (I have previously reviewed and showered praise on a couple important books that Deibert co-edited with scholars from The Citizen Lab and Harvard’s Berkman Center, including: Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace and Access Denied: The Practice and Policy of Global Internet Filtering. They are truly outstanding resources worthy of your attention.)

Black Code’s Many Meanings

So, what is “black code” and why should we be worried about it? Deibert uses the term as a metaphor for many closely related concerns. Most generally it includes “that which is hidden, obscured from the view of the average Internet user.” (p. 6) More concretely, it refers to “the criminal forces that are increasingly insinuating themselves into cyberspace, gradually subverting it from the inside out.” (p. 7) “Those who take advantage of the Internet’s vulnerabilities today are not just juvenile pranksters or frat house brats,” Deibert notes, “they are organized criminal groups, armed militants, and nation states.” (p. 7-8) Which leads to the final way Deibert uses the term “black code.” It also, he says, “refers to the growing influence of national security agencies, and the expanding network of contractors and companies with whom they work.” (p. 8)

Deibert is worried about the way these forces and factors are working together to undermine online stability and security, and even delegitimize liberal democracy itself. His thesis is probably most succinctly captured in this passage from Chapter 7:

We live in an era of unprecedented access to information, and many political parties campaign on platforms of transparency and openness. And yet, at the same time, we are gradually shifting the policing of cyberspace to a dark world largely free from public accountability and independent oversight. In entrusting more and more information to third parties, we are signing away legal protections that should be guaranteed by those who have our data. Perversely, in liberal democratic countries we are lowering the standards around basic rights to privacy just as the center of cyberspace gravity is shifting to less democratic parts of the world. (p. 130-1)

What Deibert is grappling with in this book is the same fundamental problem that has long plagued the Internet: How do you preserve the benefits associated with the most open and interconnected “network of networks” the world has ever known while also remedying the various vulnerabilities and pathologies created by that same openness and interconnectedness?  Deibert acknowledges this problem, noting:

Ever since the Internet emerged from the world of academia into the world of the rest of us, its growth trajectory has been shadowed by a grey economy that thrives on opportunities for enrichment made possible by an open, globally connected infrastructure. (p. 141)

The Paradox of the Net’s Open, Interconnected Nature

Again, paradoxically, this inherent instability and vulnerability is due precisely to the Net’s open and globally interconnected nature. And many governments are looking to exploit that fact. “These unfortunate by-products of an open, dynamic network are exacerbated by increasing assertions of state power,” Deibert notes. (p. 233)

More generally, this uncomfortable fact—that the Net’s open, interconnected nature leads to both enormous benefits as well as huge vulnerabilities—isn’t just true for criminal online activity or the cyber-espionage activities that various nation-states are pursuing today. It is equally true for everything online today. There is a sort of yin and yang to the Net that is simply undeniable and completely unavoidable. For one issue after another we find that the Net’s greatest blessing—its open, interconnected nature—is also its greatest curse.

For example, as I noted here recently in my review of Abraham H. Foxman and Christopher Wolf’s new book, Viral Hate: Containing Its Spread on the Internet, the open and interconnected Internet gives us “the most widely accessible, unrestricted communications platform the world has ever known” but also means we have to tolerate a great many imbeciles “who use it to spew insulting, vile, and hateful comments.” The same is true for other types of online speech and content: You have access to an abundance of informational riches, but there’s also no avoiding all the garbage out there now, too.

Similarly, as I noted in my essay, “Privacy as an Information Control Regime: The Challenges Ahead,” the open and interconnected Internet has given us historically unparalleled platforms for social interaction and commerce. But that same openness and interconnectedness has left us with a world of hyper-exposure and a variety of privacy and surveillance threats—not just from governments and large corporations, but also from each other.

And then there’s the never-ending story of digital copyright. On one hand, the open and globally interconnected network of networks has provided us with an amazing platform for sharing knowledge, art, and expression. On the other hand, as I noted in this essay on “The Twilight of Copyright,” creators of expressive works have less security than ever before in terms of how they can control and monetize their artistic and scientific inventions.

I could go on and on—as I did in my essays on “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges” and “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed”—but the moral of the story is pretty clear: The Internet giveth and the Internet taketh away. Openness and interconnectedness offer us enormous benefits but also force us to confront major risks as the price of admission to this wonderful network.

Will the Whole System Collapse?

The uncomfortable question that Deibert’s book tees up for discussion is: When will this balance get completely out of whack in terms of online security? Or, has it already? In some portions of the text, he hints that may already be the case. Consider this passage in Chapter 11 in which Deibert discusses whether the Chicken Little-ism of digital security worry-warts like Eugene Kaspersky and Richard Clarke is warranted:

Eugene Kaspersky, Richard Clarke, and others may sound like broken records or self-serving fear mongers, but there is no denying the evolving cyberspace ecosystem around us: we are building a digital edifice for the entire planet, and it sits above us like a house of cards. We are wrapping ourselves in expanding layers of digital instructions, protocols, and authentication mechanisms, some of them open, scrutinized, and regulated, but many closed, amorphous, and poised for abuse, buried in the black arts of espionage, intelligence gathering, and cyber and military affairs. Is it only a matter of time before the whole system collapses? (p. 186)

That sounds horrific, but is the entire system really about to collapse? And, if so, what are we going to do about it?

This raises a small problem with Deibert’s book. He does such a nice job itemizing and describing these security vulnerabilities that by the time the reader wades through 230 pages and nears the end of the book, they are left in a highly demoralized state, searching for some hope and a concrete set of practical solutions. Unfortunately, they won’t find an abundance of either in Deibert’s brief closing chapter, “Toward Distributed Security and Stewardship in Cyberspace.”

Don’t get me wrong; I agree with the general thrust of Deibert’s framework, which I describe below. The problem is that it is highly aspirational in nature and lacks specifics. Perhaps that is simply because there are no easy answers here. Digital security is damn hard and, as with most other online pathologies out there, no silver-bullet solutions exist.

Deibert notes that some government officials will seek to exploit those vulnerabilities—many of which they created themselves—to expand their authority over the Internet. “Faced with mounting problems and pressures to do something, too many policy-makers are tempted by extreme solutions,” he notes. (p. 234) He worries about “a movement towards clamp down” that would be “antithetical to the principles of liberal democratic government” by undermining checks and balances and accountability. (p. 235) In turn, this will undermine the “mixed common-pool resource” that is the current Internet.

Deibert’s alternative cyber security strategy to counter the push to “clamp down” is based on three interrelated notions or components:

  1. Principles of restraint or “mutual restraint”: “Securing cyberspace requires a reinforcement, rather than a relaxation, of restraint on power, including checks and balances on governments, law enforcement, intelligence agencies, and on the private sector,” he argues. (p. 239)
  2. “Distributed security”: “The Internet functions precisely because of the absence of centralized control, because of thousands of loosely coordinated monitoring mechanisms,” Deibert notes. “While these decentralized mechanisms are not perfect and can occasionally fail, they form the basis of a coherent distributed security strategy. Bottom-up, ‘grassroots’ solutions to the Internet’s security problems are consistent with principles of openness, avoid heavy-handedness, and provide checks and balances against the concentrations of power,” he observes. (p. 240)
  3. “Stewardship” which Deibert defines as “an ethic of responsible behavior in regard to shared resources” and which, he argues, “would moderate the dangerously escalating exercise of state power in cyberspace by defining limits and setting thresholds of accountability and mutual restraint.” (p. 243)

Again, as an aspirational vision statement this all generally sounds fairly sensible, but the details are lacking. I think Deibert would have been wise to spend a bit more time developing this alternative “bottom-up” vision of how online security should work and bolstering it with case studies.

Digital Security without Top-Down Controls

Luckily, as my Mercatus Center colleague Eli Dourado noted in an important June 2012 white paper, distributed security and stewardship strategies are already working reasonably well today. Dourado’s paper, “Internet Security Without Law: How Service Providers Create Order Online,” documented the many informal institutions that enforce network security norms on the Internet and shows how cooperation among a remarkably varied set of actors improves online security without extensive regulation or punishing legal liability. “These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms,” Dourado noted.

For example, a diverse array of computer security incident response teams (CSIRTs) operate around the globe, share their research, and coordinate their responses to viruses and other online attacks. Individual Internet service providers (ISPs), domain name registrars, and hosting companies work with these CSIRTs and other individuals and organizations to address security vulnerabilities. A growing market for private security consultants and software providers also competes to offer increasingly sophisticated suites of security products for businesses, households, and governments.

A great deal of security knowledge is also “crowd-sourced” today via online discussion forums and security blogs that feature contributions from experts and average users alike. University-based computer science and cyberlaw centers (like Citizen Lab) and experts have also helped by creating projects like “Stop Badware,” which originated at Harvard University but then grew into a broader non-profit organization with diverse financial support.

Dourado continues on in his paper to show how these informal, bottom-up efforts to coordinate security responses offer several advantages over top-down government solutions, such as administrative regulation or punishing liability regimes.

Dourado’s description of the ideal approach to online security is entirely consistent with Deibert’s vision in Black Code. In fact, Deibert notes, “It is important to remind ourselves that in spite of the threats, cyberspace runs well and largely without persistent disruption. On a technical level, this efficiency is founded on open and distributed networks of local engineers who share information as peers,” he observes. (p. 240) That is exactly right, but I wish Deibert would have spent more time discussing how this system works in practice today and how it can be tweaked and improved to head off the heavy-handed and very costly top-down solutions that we both dread.

Toward Resiliency

But there’s one other thing I wish Deibert would have explored in the book: resiliency, or how we have adapted to various cyber-vulnerabilities over time.

For example, in another recent Mercatus Center study entitled “Beyond Cyber Doom: Cyber Attack Scenarios and the Evidence of History,” Sean Lawson, an assistant professor in the Department of Communication at the University of Utah, has stressed the importance of resiliency as it pertains to cybersecurity and concerns about “cyberwar.” “Research by historians of technology, military historians, and disaster sociologists has shown consistently that modern technological and social systems are more resilient than military and disaster planners often assume,” he writes. “Just as more resilient technological systems can better respond in the event of failure, so too are strong social systems better able to respond in the event of disaster of any type.”

More generally, as I noted in my recent law review article on “technopanics” and “threat inflation” in information technology policy debates:

while it is certainly true that “more could be done” to secure networks and critical systems, panic is unwarranted because much is already being done to harden systems and educate the public about risks. Various digital attacks will continue, but consumers, companies, and other organizations are learning to cope and become more resilient in the face of those threats.

What Professor Lawson and I are getting at in our respective articles is that the ability of organizations, institutions, and individuals to bounce back from adversity is a frequently unheralded feature of various systems and that it deserves more serious study. (See Andrew Zolli and Ann Marie Healy’s nice book, Resilience: Why Things Bounce Back, for more on this general topic). In the context of online security, what is most remarkable to me is not that the Internet suffers from vulnerabilities due to its open and interconnected nature; it’s that we don’t suffer far more damage as a result.

This gets us back to that very profound question that Deibert poses in Black Code: “Is it only a matter of time before the whole system collapses?” The better question, I think, is: why hasn’t the system already collapsed? Perhaps the answer is, because things haven’t gotten bad enough yet. But I believe that the more realistic answer is that individuals and institutions often learn how to cope and become resilient in the face of adversity. This is partially the case online because of the stewardship and distributed, decentralized security we already see at work today that makes digital life tolerable.

But it has to be something more than that. After all, many of the security problems that Deibert describes in his book are quite serious and already affect millions of us today. How, then, are we getting by right now? Again, I think the answer has to be that adaptation and resiliency are at work on many different levels of online life.

Consider, for example, how we have learned to deal with spam, viruses, online porn, various online advertising and privacy concerns, and so on. Our adaptation to these threats and annoyances has not been perfectly smooth, of course. No doubt, some people would still like “something to be done” about these things. But isn’t it remarkable how we have, nonetheless, carried on with online commerce and interactive social life even as these problems have persisted?

Conclusion

Going forward, therefore, perhaps there are some reasons for hope. Perhaps the various generic strategies that Deibert outlines in his book, coupled with the remarkable ability of humans to roll with the punches and adapt, will help us come out of this just fine (or at least reasonably well).

Of course, it could also be the case that these security concerns just multiply and that the Internet then morphs into something quite different than the interconnected “network of networks” we know today. As I noted in my 2009 essay on “Internet Security Concerns, Online Anonymity, and Splinternets,” we might be moving toward a world with more separate disconnected digital networks and online “gated communities.” This could take place spontaneously over time and be driven by corporations seeking to satisfy the demand of some consumers for safer and more secure online experiences. As I noted in my review of Jonathan Zittrain’s book, The Future of the Internet, I am actually fine with some of that. I think we can live in a hybrid world of “walled gardens” alongside of the “Wild West” open Internet, so long as this occurs in a spontaneous, organic, bottom-up fashion. [For a more extensive discussion, see my book chapter, “The Case for Internet Optimism, Part 2 – Saving the Net From Its Supporters.”]

If, however, this “splintering” of the Net is done from the top-down through intentional (or even incidental) government action, then it is far more problematic. We already see signs, for example, that Russia is pushing even more strongly in that direction in the wake of the NSA leaks. (See “N.S.A. Leaks Revive Push in Russia to Control Net,” New York Times, July 14.) The Russians have been using amorphous security concerns to push for greater Internet control for some time now. Of course, China has been there for years. So have many Middle Eastern countries. Of course, there’s no guarantee that their respective “splinternets” are, or would be, any more secure than today’s Internet, but it sure would make those networks far more susceptible to state control and surveillance. If that’s our future, then it certainly is a dismal one.

Anyway, read Ron Deibert’s Black Code for an interesting exploration of these and other issues. It’s an excellent contribution to the field of Internet policy studies and a book that I’ll be recommending to others for many years to come.


Additional resources:

Other books you should read alongside “Black Code” (links are for my reviews of each book):

Robert Samuelson Engages in a Bit of Argumentum in Cyber-Terrorem https://techliberation.com/2013/07/01/robert-samuelson-engages-in-a-bit-of-argumentum-in-cyber-terrorem/ https://techliberation.com/2013/07/01/robert-samuelson-engages-in-a-bit-of-argumentum-in-cyber-terrorem/#comments Mon, 01 Jul 2013 14:44:00 +0000 http://techliberation.com/?p=45052

Washington Post columnist Robert J. Samuelson published an astonishing essay today entitled, “Beware the Internet and the Danger of Cyberattacks.” In the print edition of today’s Post, the essay actually carries a different title: “Is the Internet Worth It?” Samuelson’s answer is clear: It isn’t. He begins his breathless attack on the Internet by proclaiming:

If I could, I would repeal the Internet. It is the technological marvel of the age, but it is not — as most people imagine — a symbol of progress. Just the opposite. We would be better off without it. I grant its astonishing capabilities: the instant access to vast amounts of information, the pleasures of YouTube and iTunes, the convenience of GPS and much more. But the Internet’s benefits are relatively modest compared with previous transformative technologies, and it brings with it a terrifying danger: cyberwar.

And then, after walking through a couple of worst-case hypothetical scenarios, he concludes the piece by saying:

the Internet’s social impact is shallow. Imagine life without it. Would the loss of e-mail, Facebook or Wikipedia inflict fundamental change? Now imagine life without some earlier breakthroughs: electricity, cars, antibiotics. Life would be radically different. The Internet’s virtues are overstated, its vices understated. It’s a mixed blessing — and the mix may be moving against us.

What I found most troubling about this is that Samuelson has serious intellectual chops and usually sweats the details in his analysis of other issues. He understands economic and social trade-offs and usually does a nice job weighing the facts on the ground instead of engaging in the sort of shallow navel-gazing and anecdotal reasoning that many other weekly newspaper columnists engage in on a regular basis.

But that’s not what he does here. His essay comes across as a poorly researched, angry-old-man-shouting-at-the-sky sort of rant. There’s no serious cost-benefit analysis at work here; just the banal assertion that a new technology has created new vulnerabilities.  Really, that’s the extent of the logic at work here. Samuelson could have just as well substituted the automobile, airplanes, or any other modern technology for the Internet and drawn the same conclusion: It opens the door to new vulnerabilities (especially national security vulnerabilities) and, therefore, we would be better off without it in our lives.

Samuelson does admit that “Life would be radically different… without some earlier breakthroughs: electricity, cars, antibiotics,” so it is obvious he thinks their benefits outweigh their costs. But I could just as well say that new technologies such as cars and planes bring death and destruction, both in the theater of war and in everyday life. So, one might conclude of modern transportation technology that the “virtues are overstated, its vices understated. It’s a mixed blessing — and the mix may be moving against us,” just as Samuelson concludes of the Net.  Of course, such an assertion would be absurd without reference to the many benefits that accrue to us from these technologies. I don’t think I need to cite them all here. But Samuelson is certainly a sharp enough guy that he would engage in such a cost-benefit analysis if someone made such an assertion about other technologies.

When it comes to the Internet, however, all he can say about benefits is “the instant access to vast amounts of information, the pleasures of YouTube and iTunes, the convenience of GPS and much more.” (GPS? Really? Strictly speaking, that’s not an Internet technology, Bob. But perhaps you have something against satellite technology, too! Looking forward to your column, “Is Satellite Communication Worth It?”)

Of course the first benefit of the Internet that Samuelson cites — “instant access to vast amounts of information” — is nothing to sneeze at! The fact that he so casually dismisses that benefit is rather troubling. For the vast majority of civilization, humans have lived in what we might think of as a state of extreme information poverty. Today, by contrast, we are blessed to live in amazing times. An entire planet of ubiquitous, instantly accessible media and information is now at our fingertips. We are able to share culture and engage with others — both socially and commercially — in ways that were unthinkable and impossible even just a few decades ago.

It’s hard to quantify the benefits associated with these facts, but I would think most of us would agree they are enormous. But it’s hardly the only sort of benefit that comes from the Internet and modern digital communications technologies. The fact that Samuelson can’t think of anything more is either a serious failure of imagination or, more troubling, an intentional effort to minimize and ignore those benefits in order to prey on people’s worst fears.

I’ve spent a lot of time thinking about “technopanics” and the role that journalists sometimes play in hyping them. See, for example, my essay last summer, “Journalists, Technopanics & the Risk Response Continuum,” which is based on my Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.” As I explain in that article, the model for what Samuelson has done in his essay is actually a very old logical fallacy: a so-called “appeal to fear.” Here’s how I explain it in my law review article:

Rhetoricians employ several closely related types of “appeals to fear.” Douglas Walton, author of Fundamentals of Critical Argumentation, outlines the argumentation scheme for “fear appeal arguments” as follows:
  • Fearful Situational Premise: Here is a situation that is fearful to you.
  • Conditional Premise: If you carry out A, then the negative consequences portrayed in the fearful situation will happen to you.
  • Conclusion: You should not carry out A.
This logic pattern here is referred to as argumentum in terrorem or argumentum ad metum. A closely related variant of this argumentation scheme is known as argumentum ad baculum, or an argument based on a threat. Argumentum ad baculum literally means “argument to the stick,” an appeal to force. Walton outlines the argumentum ad baculum argumentation scheme as follows:
  • Conditional Premise: If you do not bring about A, then consequence B will occur.
  • Commitment Premise: I commit myself to seeing to it that B comes about.
  • Conclusion: You should bring about A.
As will be shown, these argumentation devices are at work in many information technology policy debates today even though they are logical fallacies or based on outright myths. They tend to lead to unnecessary calls for anticipatory regulation of information or information technology.

I continue on in that article to provide several examples of how “argumentum in cyber-terrorem” logic is at work in several digital policy arenas today, especially as it pertains to cybersecurity and cyberwar fears. My Mercatus Center colleagues Jerry Brito and Tate Watkins have warned of the dangers of “threat inflation” in cybersecurity policy in their important paper, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy.” The rhetoric of cybersecurity debates illustrates how threat inflation is a crucial part of “argumentum in cyber-terrorem” logic. Frequent allusions are made in cybersecurity debates to the potential for a “Digital Pearl Harbor,” a “cyber cold war,” a “cyber Katrina,” or even a “cyber 9/11.” These analogies are made even though these historical incidents resulted in death and destruction of a sort not comparable to attacks on digital networks. Others refer to “cyber bombs” even though no one can be “bombed” with binary code. A rush to judgment often follows inflated threats.

And that’s exactly what Samuelson has done in his essay. He’s rushed to an illogical, sweeping conclusion — namely, that we would be better off just bottling up the Net, or “repealing” it (whatever that means) — and he hasn’t even bothered considering the costs of such action. Worse yet, even though he admits that, “I don’t know the odds of this technological Armageddon. I doubt anyone does. The fears may be wildly exaggerated,” that doesn’t stop him from suggesting that we should live in fear of worst case hypothetical scenarios and take radical steps based upon them.

Again, it is certainly true that the Internet creates new vulnerabilities, including national security vulnerabilities, but that simply cannot be the end of the story. Those vulnerabilities need to be carefully evaluated and measured and, before we rush to panicked conclusions and advocate sweeping policy solutions, the corresponding benefits of the Internet must be taken into consideration.

Instead, Samuelson has engaged in the worst sort of fear-based, factually-challenged reasoning in his essay. It’s a model for how not to think or write about Internet policy. A more thoughtful analysis would acknowledge that the Internet is more than just “a symbol of progress;” it constitutes real progress and an improvement of the human condition.  And while it’s all too easy for newspaper columnists to suggest “we would be better off without it” and that it should be “repealed,” there are all too many government goons out there who would like to do just that since the Net has empowered the masses and given them a voice like no other technology in history.

Shame on Robert Samuelson for dismissing these realities — and the Internet’s many benefits — so lightly.

 

[ Note: See all my essays on “technopanics” here.]

The Internet, Politics, Lobbying & the “Big Spend” https://techliberation.com/2012/01/24/the-internet-politics-lobbying-the-big-spend/ https://techliberation.com/2012/01/24/the-internet-politics-lobbying-the-big-spend/#comments Tue, 24 Jan 2012 20:47:38 +0000 http://techliberation.com/?p=39940

In the wake of last week’s big SOPA showdown, a lot of people are talking about the expanded presence and power of the Internet, online operators, and digital Netizens in Washington policy debates. I certainly don’t mean to diminish the importance of this particular episode. It certainly is historic, regardless of how you feel about the specifics of SOPA. What does concern me, however, is the way this episode is prompting questions about how much more “engagement” Internet companies need to consider inside the Beltway. For example, today’s Wall Street Journal features an article on “The Web’s Growing Muscle” and notes:

The Internet industry has found a rare sweet spot in Washington. With Google in the lead, the companies have begun building a strong traditional lobbying force in Washington. And, to complement that inside game, websites’ millions of users have become a powerful outside weight on Congress. What’s more, in a rare Washington double play, the concerns of Internet companies have found a sympathetic ear both in the Democratic White House and among Republican presidential candidates who otherwise can’t agree with Barack Obama on anything.

The piece concludes with a quote from an anonymous media executive saying “People are looking at what Google spent on lobbying and wondering, ‘Can we match that?’ It has to be a big spend.”

I cannot possibly think of anything more demoralizing than that. The idea that web companies should spend more of their time in Washington showering politicians with cash instead of out there in the real world innovating and making consumers happy is extremely troubling. I wrote about this growing trend in my 2010 Cato essay on “The Sad State of Cyber-Politics.” I built that essay around an old manifesto by Cypress Semiconductor CEO T. J. Rodgers on “Why Silicon Valley Should Not Normalize Relations with Washington, D.C.”  Rodgers had argued that “The political scene in Washington is antithetical to the core values that drive our success in the international marketplace and risks converting entrepreneurs into statist businessmen,” and that “The collectivist notion that drives policymaking in Washington is the irrevocable enemy of high-technology capitalism and the wealth creation process.”

But no one was listening then and they certainly aren’t listening now. We find ourselves in the midst of a mad rush to see who can open a bigger, fancier office in Washington and have glitzier parties to make the political class happy. As I noted in the Cato essay:

There’s enormous pressure on the high-tech sector to actually become more entrenched in coming years, at least to remain “competitive” with other companies who have planted a flag inside the Beltway. Recently, for example, Reid Hoffman, founder of LinkedIn, a social networking site for professionals, worried that policymakers tend to ignore high-tech startups. “We don’t have an entrepreneurship lobby,” he said, “because entrepreneurs are off doing it.” As if that was a bad thing! In particular, he fretted about startups not getting their share of recent stimulus funding and argued that “It’s much easier when you’re embedded in the political infrastructure to respond to immediate things” such as nabbing stimulus dollars, he said.

Am I being naive about all this? Don’t these new tech companies have to have armies of lobbyists pressing the flesh and greasing the palms here in DC in order to compete against other entrenched competitors who are doing the same thing? Perhaps, but there’s always been a self-fulfilling circularity to the argument that you have to be here in order to “be a player” or “have a seat at the table.” The end result of that thinking is always the same: more lobbying, more logrolling, more of “the big spend.” And then we end up with one giant cesspool of protected markets, protracted legal nightmares, bloated bureaucracies, and widespread regulatory capture. Welcome to the wonderful world of crony capitalism! And your tech sector superstars are now falling all over themselves to make sure they have that proverbial “seat at the table” so they can feast at this Big Government supper.

It makes me sick to my stomach to even think about it. So, I’ll continue right on being a naive dope and conclude this piece the same way I concluded my old Cato essay on the sad state of cyber-politics:

For that small remnant of believers in real Internet Freedom — freedom from incessant government techno-meddling — we will never stop hoping that disputes among high-tech companies might be settled in the marketplace instead of within regulatory agencies and congressional committee rooms. And we must continue our push to discourage high-tech companies from an excessive “normalization” of relations with the parasitic culture that dominates Washington by reminding them, as Rodgers noted in 2000, “that free minds and free markets are the moral foundation that has made our success possible. We must never allow those freedoms to be diminished for any reason.”

Just let me dream, people.

“Cyber-Collectivism,” “Cyber-Progressivism,” or What? https://techliberation.com/2011/02/14/cyber-collectivism-cyber-progressivism-or-what/ https://techliberation.com/2011/02/14/cyber-collectivism-cyber-progressivism-or-what/#comments Mon, 14 Feb 2011 21:02:58 +0000 http://techliberation.com/?p=35026

The folks at Reason magazine were kind enough to invite me to submit a review of Tim Wu’s new book, The Master Switch: The Rise and Fall of Information Empires based on my 6-part series on the book that I posted here on the TLF late last year. (Parts 1, 2, 3, 4, 5, 6)  My new essay, which is entitled “The Rise of Cybercollectivism,” has now been posted on the Reason website.

I realize that title will give some readers heartburn, even those who are inclined to agree with me much of the time. After all, “collectivism” is a term that packs some rhetorical punch and leads to quick accusations of red-baiting. I addressed that concern in a Cato Unbound debate with Lawrence Lessig a couple of years ago after he strenuously objected to my use of that term to describe his worldview (and that of Tim Wu, Jonathan Zittrain, and their many colleagues and followers). As I noted then, however, the “collectivism” of which I speak is a more generic type, not the hard-edged Marxist brand of collectivism of modern times. For example, I do not believe that Professors Lessig, Zittrain, or Wu are out to socialize all the information means of production and send us all to digital gulags or anything silly like that. Rather, their “collectivism” is rooted in a more general desire to have–as Declan McCullagh eloquently stated in a critique of Lessig’s Code–rule by “technocratic philosopher kings.” Here’s a passage from my Reason review of Wu’s Master Switch in which I expand upon that notion:

What’s perhaps most troubling about The Master Switch is something it shares with Lessig’s book: a concerted effort to redefine “Internet freedom.” In the Lessig-Zittrain-Wu construction of Internet freedom, technocrats liberate us from the supposed tyranny of the marketplace and what Lessig calls “code failure.” High-tech entrepreneurs are cast as villains; their innovations are viewed as threats to our liberties. When challenged, Wu, Lessig, and Zittrain all vehemently reject the notion that their outlook is pessimistic. They occasionally insist that they are actually libertarians at heart. But a plain reading of Lessig, Zittrain, and Wu provides little cause for optimism. Unless someone or something—usually the state—intervenes, they warn, the Net and all things digital are doomed. “Not only can the government take these steps to reassert its power to regulate, but…it should,” argues Lessig. “Government should push the architecture of the Net to facilitate its regulation, or else it will suffer what can only be described as a loss of sovereignty.”

Wu’s book has a very concrete regulatory vision in this regard (even though, strangely, he insists it really isn’t regulation at all). As I noted in my essay last week following his appointment as a senior advisor to the Federal Trade Commission, Wu wants a so-called “Separations Principle” to govern our modern information economy. It would require that all information providers be segregated into three buckets–creators, distributors, and hardware makers–and then kept strictly compartmentalized. He proposes this in the name of keeping private power in check, which he regards as the primary threat to the information economy, not the government. This is very much in line with the thinking we see in Lessig and Zittrain’s work.  Here’s how I summarize this thinking in my Reason piece:

Wu and other progressives don’t always come right out and say it, but they often suggest that private power, however defined, is so persistently insidious that the only way to counteract it is by greatly amplifying state power. We see that yearning for a stronger state in Wu’s suggestion that “the disposition of firms and industries is, if anything, more critical than the actions of the state in controlling who gets heard” and in his audacious regulatory solutions, which would greatly enhance the government’s power over the information economy.

For these reasons, I believe the “cyber-collectivism” label is appropriate. They want to collectivize (or politicize) decisions that some of us believe are ultimately better addressed by voluntary, spontaneous, bottom-up, marketplace responses and evolving social norms.

At this point, some might ask: Do we need such labels at all? As a philosophy junkie, I think such labels and classifications play a useful didactic role. After all, something quite profound separates these different camps and leads to endless squabbles about nearly every aspect of technology policy. Consequently, my attempt to identify leading schools of thinking about Internet policy issues is not an effort to disparage but, rather, simply an exercise in philosophical classification to help us frame ongoing investigations of these issues in a more rational manner.

I am certainly open to other classification suggestions. “Cyber-progressive” might be one option that packs less of a perceived punch than “cyber-collectivist.” I’ve also used the term “cyber social Democrat” and “openness evangelicals” to describe this movement, although both labels have serious shortcomings.

As for myself, I have made no bones about my affiliation with what might be labeled the “cyber-libertarian” school of thought. Clearly, we’re a small band of brothers, and we are currently being utterly crushed in these intellectual debates by the cyber-progressives, who dominate almost all major university cyberlaw and Internet policy programs. Nonetheless, despite having so few adherents, I still think it is fair to identify cyber-libertarianism as a distinct school of thinking.

I think we’re also seeing the emergence of a clear school of thinking that we’ll eventually label “cyber-conservative,” as Jerry Brito alluded to in his post about “What Cablegate Tells Us about Cyber-Conservatism.” I think the defining characteristics for the cyber-conservative, as with conservatism more generally, can be boiled down to security, stability, moderation, and a healthy respect for tradition.  Conservatives occasionally place a high value on liberty in certain economic contexts, but when it conflicts too violently with those other principles, liberty typically gives way to planning. We see this in debates over many national security matters, some privacy discussions, and certain “faith and family” issues. Interestingly, however, conservative principles have never really taken hold in a unified or coherent way within the realm of technology policy, and it’s difficult to point to many scholars who would clearly fit under the “cyber-conservative” banner.  But I think that is changing today because of rising concerns about state secrets, cyber war, the ubiquity of content considered morally objectionable by many, fears about declining  “social order,” and so on. [See my comments on Rob Atkinson’s Who’s Who in Internet Politics for more discussion about cyber-conservatism.]

Do you have better labels for these philosophical schools of thinking about Internet policy matters? If so, I’m all ears.


Additional Reading:

The 10 Most Important Info-Tech Policy Books of 2009 https://techliberation.com/2009/12/19/the-10-most-important-info-tech-policy-books-of-2009/ https://techliberation.com/2009/12/19/the-10-most-important-info-tech-policy-books-of-2009/#comments Sat, 19 Dec 2009 12:04:06 +0000 http://techliberation.com/?p=23247

2009 was not as big of a year for Internet and information technology (“info-tech”) policy books as 2008 was, but there were still some notable titles released that offered interesting perspectives about the future of the Net and the impact the Digital Revolution is having on our lives, culture, and economy.  So, like last year, I figured I would throw together my list of the 10 most important info-tech policy books of the year.

First, let me repeat a few of the same caveats and disclaimers that I set forth last year.  What qualifies as an “important” info-tech policy book? Simply put, it’s a title that many people are currently discussing and that we will likely be referencing for many years to come.  However, I want to be clear that merely because a book appears on my list it does not necessarily mean I agree with everything said in it. In fact, as was the case in previous years, I found much with which to disagree in my picks for the most important books of 2009 and I find that the cyber-libertarianism I subscribe to has very few fans out there.

Another caveat: Narrowly-focused titles lose a few points on my list. For example, if a book deals mostly with privacy issues, copyright law, or antitrust policy, it does not exactly qualify as the same sort of “tech policy book” as other titles found on this list since it is a narrow exploration of just one set of issues with a bearing on technology policy.

With those caveats in mind, here are my choices for the Most Important Info-Tech Policy Books of 2009.

(1) Chris Anderson, Free: The Future of a Radical Price

Chris Anderson’s 2006 book The Long Tail will be remembered as one of the most influential tech policy books of the decade.  It changed the way we talk about the digital marketplace and it instantly garnered a huge audience outside of the nerdy world of Internet policy.  While Free: The Future of a Radical Price will forever live in the shadow of The Long Tail, it too is an important book and in many ways it is a much better one.

In The Long Tail, Anderson tried too hard to invent the latest business theory du jour, and in doing so he went much too far in proclaiming that, as the subtitle of the book argued, “the future of the business is selling less of more.”  That’s just not true. While there’s certainly a lot more action in the long tail than ever before since it is so much more accessible, that does not mean the entire future of business lies in “selling less of more.”  To the contrary, the fat head of the tail is just as profitable as ever.

Free certainly contains some of the flamboyance on display in The Long Tail, but Anderson has matured as a writer and is now far more willing to point out the limitations of his theories in a business sense.  He does a splendid job in Free of creating a taxonomy of free-oriented business models to guide discussions about these issues.  And he explains how “free” can be part of many different business models and strategies. His historical treatment of the issues is outstanding and includes many entertaining examples of how these “free” strategies have been used over time to offer innovative new goods and services.

The reason his book is important for Internet policy discussions is obvious: “free” is increasingly viewed as a threat to many existing companies, industry sectors, and traditional media business models.  For example, battles about the future of journalism and search engine indexing of news sites are obviously tied up with battles over “free.”  And, it goes without saying that the traditional entertainment industry business models are increasingly challenged by “free” as many struggle to adapt to the new realities of the online world, in which “free” (primarily advertising-supported  and “freemium” models) seems to be the only model with any legs.

Much like my top pick for 2008 book of the year, Jonathan Zittrain’s The Future of the Net and How to Stop It, Chris Anderson’s Free is the most important information technology book of the year because it is the one we will still be talking about the most a decade from now.  However, unlike Zittrain’s book and thesis, which I think will be largely discredited in another ten years, Anderson’s book will likely be viewed as an important and lasting contribution to the field.

(2) Larry Downes, The Laws of Disruption: Chaos and Control in Your Virtual Future

The Laws of Disruption is the closest thing you will find to a genuine cyber-libertarian manifesto these days.  But Downes isn’t a rigid ideologue; his skepticism of government regulation of the high-tech economy is based more on practical considerations and the fundamental “law of disruption”: “technology changes exponentially, but social, economic, and legal systems change incrementally.” Downes says this law is “a simple but unavoidable principle of modern life” and that it will have profound implications for the way businesses, government, and culture evolve going forward. “As the gap between the old world and the new gets wider,” he argues, “conflicts between social, economic, political, and legal systems” will intensify and “nothing can stop the chaos that will follow.” In this sense, The Laws of Disruption reads like an addendum to one of Alvin Toffler’s old books on technology and futurism in that Downes is essentially walking us through the practical consequences of life in a “post-industrial society.”

In terms of what it all means for public policy, Downes doesn’t so much fear legal and regulatory over-reach the way many cyber-libertarians do. Rather, he thinks most regulatory schemes just won’t work. In essence, he is a technological fatalist or consequentialist: Progress happens whether we like it or not, so get used to it!  Thus, the “laws of disruption” he articulates serve primarily as “Just-Don’t-Bother” warnings to over-eager government meddlers. “The best way to regulate innovation is to leave it alone,” he counsels.

In terms of structure, The Laws of Disruption resembles Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion by Abelson, Ledeen, and Lewis, (which I reviewed here last year and named to my 2008 list). Both books survey a vast swath of territory — privacy, copyright, security, etc — and each chapter offers unique perspectives on each debate. In that sense, the book is useful to readers if for no other reason than you get a taste for how a wide variety of issues are playing out. Downes also owes much to Clayton M. Christensen and his seminal 1997 book The Innovator’s Dilemma: When New Technologies Cause Great Firms to Fail. Like that book, The Laws of Disruption is a business book with a strong policy hook.  That is, both books focus on advice-dishing for companies and innovators looking to “stay ahead of the curve” in the midst of relentless, gut-wrenching technological change, but the books also include important lessons regarding the public policies that should govern high-tech sectors.

I highly recommend The Laws of Disruption and found it to be the most enjoyable of all the books I read this year.

(3) Dawn C. Nunziato, Virtual Freedom: Net Neutrality and Free Speech in the Internet Age

Dawn Nunziato is the perfect foil for Larry Downes. Her book is a manifesto for cyber-collectivism and “media access theory.”  (For those unfamiliar with media access theory, see my old essay: “Your Soapbox is My Soapbox! Thoughts on the Media Access Movement in General and the Media & Democracy Coalition’s ‘Bill of Media Rights’ in Particular.”)  She attempts to bring media access theory up to date by taking the ideas made famous by Jerome Barron, Owen Fiss, Cass Sunstein, and others, and applying them to the Internet and digital technologies.  Like those earlier legal thinkers, she argues for “an affirmative conception” of the First Amendment that would allow government to use the First Amendment to “facilitate the conditions necessary for democratic self-government” (whatever that means). Net neutrality regulation becomes one of many ways she would put this theory into action. Importantly, she would not stop with ISPs. She makes the case for extending the entire regulatory regime to Google and search platforms. Welcome to the Brave New World of the FCC as the Federal Search Commission or Federal Cloud Commission!

Her attempt to cast Net neutrality as the Internet’s First Amendment is a grotesque contortion of the real First Amendment, and a complete betrayal of the Founders’ original intentions.  As I made clear in my recent essay on “Net Neutrality Regulation & the First Amendment,” the Internet’s First Amendment is the First Amendment, not some new, top-down, heavy-handed regulatory regime that puts the Federal Communications Commission in control of the Digital Economy. Her conception of the First Amendment would convert it from a shield against government control into a sword that the government could use as it wished. It would mean that “Congress shall make no law…” would suddenly be replaced by “Congress shall make whatever law it wants” so long as it serves some amorphous “public interest.” Can you say “tyranny of the majority”?

Regardless, even though I find her views to be morally repugnant and the antithesis of true digital freedom, Nunziato’s book is a concise articulation of that vision and it deserves everyone’s attention. It serves as a blueprint for where the Net neutrality wars are taking us.

(4) David Bollier, Viral Spiral: How the Commoners Built a Digital Republic of Their Own

David Bollier’s Viral Spiral is the first major history of the “digital commons” / “free culture” movement, and despite my many personal disagreements with him and this movement, it is an excellent treatment of the topic. Bollier surveys this growing intellectual movement from its early open source days to the rise of the Creative Commons and on into the present.  The cast of characters in this drama will be well-known to anyone involved in modern tech policy debates: Richard Stallman, Lawrence Lessig, Jonathan Zittrain, Yochai Benkler, et al.

There is absolutely no doubt that this intellectual movement is winning the war of ideas on the cyberlaw front today, as I noted in a recent debate with Lessig and Zittrain over at Cato Unbound.  As a cyber-libertarian, I find myself occasionally at odds with these guys and this movement on a variety of policy issues, but that didn’t stop me from enjoying David Bollier’s treatment of this movement and these issues.

(5) David Post, In Search of Jefferson’s Moose: Notes on the State of Cyberspace

David Post is one of the early intellectual giants in the field of cyberlaw. Back in the days when most of us were still just trying to get our 14.4 modems to work properly to get on Al Gore’s “Information Highway,” David Post was writing essays and law review articles that were a decade ahead of their time.  In particular, his work on Internet governance and jurisdictional matters was path-breaking, and much of it is updated and extended in Jefferson’s Moose.

I must admit, however, that I was hoping for a bit more from David in this book.  Beyond just being a first-rate intellectual in this space, he is also one of the few remaining defenders of “Internet exceptionalism,” and he has genuine cyber-libertarian leanings.  After waiting almost 10 years for David to wrap this thing up after he first told me about it back around 2000, I was thinking he might come up with the sort of cyber-libertarian manifesto I’ve always hoped he would write.  Although he fell a bit short in that regard, it doesn’t mean it’s not a good book. It is. You will enjoy it no matter what cyber-philosophy you subscribe to.

Read my entire review of Jefferson’s Moose here.

(6) Dennis Baron, A Better Pencil: Readers, Writers, and the Digital Revolution

Baron’s A Better Pencil is a splendid history of techno-pessimism and the endless battles about the impact of new technologies on life and learning, something I have written about here before in my essays on “Internet optimists vs. pessimists” (See: 1, 2, 3).   Baron notes that almost as soon as people learned to put chisel to stone and then quill to paper, a great debate began about the impact of new communications technology on culture and education. And that debate rages on today with a new generation of optimists and skeptics battling over the impact that computing, the Internet, and digital technologies have on our lives and on how we learn about the world.

Baron walks us through a litany of historical examples—the printing press, the telegraph, telephones, typewriters, pocket calculators, personal computers, word processors, webpages, blogs, social-networking sites, and more—and identifies the usual pattern: we greet each new technology with deep distrust and dire warnings, but in time we adapt to the new realities. Indeed, as a species, we have an unparalleled ability to learn new ways of doing things. We don’t always like technological change, and often we deeply resent or fear it, but in the end, we learn to live with it and eventually to embrace it.  With the rise of the Internet and digital technologies, we see this pattern unfolding once again. But Baron counsels patience and understanding instead of the sort of hysteria and backlash we see from the likes of Andrew Keen, Lee Siegel and others.  It’s a refreshing and uplifting perspective.

Highly recommended. See my complete review of Baron’s A Better Pencil over at the City Journal website.

(7) Mark Helprin, Digital Barbarism: A Writer’s Manifesto

No book has been more disappointing to me in recent memory than Mark Helprin’s Digital Barbarism. As someone who still finds a lot to defend in copyright law, I was excited when I learned that one of America’s most gifted authors–and the author of my favorite literary work of the late 20th century (A Soldier of the Great War)–was taking a crack at defending copyright in a short manifesto.

Alas, as I argued in my review of the book for National Review, while Helprin occasionally rises to great heights in his defense of copyright, he too often sinks to lamentable lows–by resorting to the same unbecoming rhetorical tactics used by the “cyber-mob” he seeks to condemn. Indeed, his book is filled with gratuitous vitriol and neo-Luddite ramblings about the Internet and Information Age that severely detract from his defense of copyright. Channeling the ghost of the late social critic Neil Postman, Helprin’s critique of copyright skeptics quickly turns into an all-out assault on modern digital culture and cyberspace. He argues that we are witnessing “the decline of culture,” the “mechanization of the soul,” our “intellectual and spiritual destruction,” and the rise of a movement of “wacked-out muppets led by little professors in glasses” that “threatens in a decade or two to dissolve the accomplishments of millennia, reordering the ways in which we think, write, and communicate.” And it just gets worse from there. Much like recent rants by Andrew Keen and Lee Siegel, Helprin speaks repeatedly about the “surrender of human nature” to “the machine revolution” and the corresponding need to “control the machine.”

How a man who has penned some of the most beautiful prose in modern times could craft an off-the-rails screed of this magnitude remains incomprehensible  to me.  What’s worse is that he set back the cause of defending what’s best about copyright in the process. Luckily for Helprin, there’s plenty of hysteria on the other side, as the next book on my list makes clear.

(8) William Patry, Moral Panics and the Copyright Wars

Bill Patry is an angry man. He is the anti-Helprin. The vitriol that Helprin directs against the copyright-haters is reversed in this screed and turned against not just copyright holders and content creators, but against the entire capitalist system. Patry, who is the author of a multi-volume treatise on copyright law, has done the intellectual equivalent of “going postal” within his own intellectual community. He has turned his intellectual guns on anyone and everyone who has ever had a kind word to say about copyright. He cannot find one nice thing to say about copyright or anyone who defends copyright in this book. Not one.

What’s most ironic about the book is that Patry seems utterly oblivious to the fact that in the process of critiquing the inflammatory rhetoric and “misuse of language” occasionally emanating from some copyright defenders, he goes completely over the top himself and engages in even more egregious rhetorical flourishes. Choice gems from the book include: “digital guillotines,” copyright as “cancer,” “copyright dwarves,” Maoism, the “sins” of copyright, “socialism for the wealthy,” and a comparison of the DMCA to “Mussolini’s Fascist Italy.”  Apparently when it comes to the “misuse of language,” Patry believes that two wrongs make a right.

And then there is his mind-boggling conclusion that: “I cannot think of a single significant innovation in either the creation or distribution of works of authorship that owes its origins to the copyright industries.”  Apparently, every great book, every great movie, every great video game, and every great musical composition of the past century was done solely for the love of it all. Copyright apparently had absolutely nothing to do with it according to Patry’s logic. That is just an astonishingly naive notion, in my opinion. Apparently this man’s hatred for copyright-related industries is so intense that it has blinded him to any potentially positive effects of copyright law. If nothing else, it would have been nice to see Mr. Patry address how it is that America is the world’s leading creator and exporter of creative arts.  Certainly copyright law must have had something to do with that!

Chapter 5 of his book makes it clear that Patry’s critique of copyright is actually rooted in a much deeper suspicion about capitalism itself.  He speaks of “the myth of economic freedom” and claims that “free market fundamentalism… destroyed much of the world’s economies.”  He then launches into a neo-Marxist critique of property rights more generally, treating property as a zero-sum game of winners and losers.  At times it all begins to sound like a rant from an old Herbert Marcuse book with questions like: “why are the interests of one social group favored over another?” and “What social objective is being furthered by the decision to privilege one group over another?”  And there’s all sorts of talk about “regulation in the public interest,” which I have critiqued as a meaningless non-standard here many times before.

In the end, Patry’s book will–along with Helprin’s–long be remembered as marking the nadir in the “copyright wars;” a moment when grown men of great intelligence decided to trade in their integrity for the opportunity to engage in below-the-belt rhetorical cheap shots that would typically be reserved for college students debating politics over beers and shots at two in the morning.  They should both be ashamed of themselves.

(9) Gary Reback, Free the Market!  Why Only Government Can Keep the Marketplace Competitive

Gary Reback’s over-the-top ode to antitrust as the great savior of capitalism reads like an extended love letter. As I noted in my lengthy critique of his book, his fairy tale narrative of antitrust as the savior of capitalism is hopelessly one-sided, and his recommendations to expand antitrust enforcement wouldn’t “Free the Market” as he argues in his book’s shameful title, but would instead wrap it in regulatory chains.

He repeatedly insults the intelligence of the reader by claiming antitrust is supposedly not a form of economic regulation and that it can only have beneficial effects. He wants antitrust officials to intervene early and often in high-tech markets to guide markets to a supposedly better place. Reback considers just about everything “the Chicago School” taught us to be antitrust apostasy and he would like to erase four decades worth of economic literature and evidence that suggests antitrust law is a form of economic regulation and does have unintended consequences that often hurt consumer welfare.  Even if you are not an inherent antitrust skeptic like me, I think most people would hope for a better treatment of the other side of this story.

Read my lengthy review of Reback’s Strangle Free the Market here.

(10) tie – Tyler Cowen, Create Your Own Economy: The Path to Prosperity in a Disordered World and John Freeman, The Tyranny of E-Mail: The Four-Thousand-Year Journey to Your Inbox

OK, so I just couldn’t figure out which of these two to cut from the list so I took the easy way out by having them tie for the last slot!  In this case, however, there’s another reason it makes sense for both of them to round out the list: Both Freeman and Cowen explore how humans are coping with information overload–albeit from two very different perspectives.

As I noted in my lengthy essay on the topic earlier this year, Cowen is an unrepentant optimist. He believes humans have the ability to adapt to new technological realities and a world of information abundance. In fact, Cowen argues, new tools and information gathering and processing technologies actually “lengthens our attention spans in another way, namely by allowing greater specialization of knowledge.”

John Freeman, by contrast, wants us all to take a high-tech time out. Like other Internet skeptics, he is worried that cyberspace and digital technologies are reshaping humanity–and not for the better. “If we are to step off this hurtling machine, we must reassert principles that have been lost in the blur,” he argues. “It is time to launch a manifesto for a slow communication movement, a push back against the machines and the forces that encourage us to remain connected to them.”

Unlike most other Internet pessimists, however, Freeman’s tone is more measured and his recommendations more reasonable.  Of course, it helps that he is a magical wordsmith. Even if you find yourself disagreeing with many of his ultimate conclusions–as I did–you should read The Tyranny of E-Mail for a lesson in how to construct an argument and to appreciate the gift of fine writing. It’s easily the best tract by any Net skeptic since Nick Carr’s The Big Switch, and a much better one in many ways. It will force you to ask tough questions about the impact of the Information Age on you and the world around you.  Nonetheless, I remain an unrepentant techno-optimist (albeit a pragmatic one)!


Honorable Mentions: Here are a couple of other books that I couldn’t fit on my list but that you might want to also consider adding to your bookshelf:

Please let me know what titles might be missing from this list and which books you think are the best of the year.

And speaking of bookshelves, here’s my Shelfari digital bookshelf in case anyone is interested. If you hadn’t figured it out yet, I am a bit of a book nerd!  My life is spent swimming through oceans of paper.  My friends often ask me, “How can you spend so much time reading?” My question back to them is: “How can you not?”

What Unites Advocates of Speech Controls & Privacy Regulation? https://techliberation.com/2009/08/11/what-unites-advocates-of-speech-controls-privacy-regulation/ Tue, 11 Aug 2009 17:31:04 +0000

What Unites Advocates of Speech Controls & Privacy Regulation? [pdf]

by Adam Thierer & Berin Szoka The Progress & Freedom Foundation, Progress on Point No. 16.19

Anyone who has spent time following debates about speech and privacy regulation comes to recognize the striking parallels between these two policy arenas. In this paper we will highlight the common rhetoric, proposals, and tactics that unite these regulatory movements. Moreover, we will argue that, at root, what often animates calls for regulation of both speech and privacy are two remarkably elitist beliefs:

  1. People are too ignorant (or simply too busy) to be trusted to make wise decisions for themselves (or their children); and/or,
  2. All or most people share essentially the same values or concerns and, therefore, “community standards” should trump household (or individual) standards.

While our use of the term “elitism” may unduly offend some understandably sensitive to populist demagoguery, our aim here is not to launch a broadside against elitism as Time magazine culture critic William H. Henry once defined it: “The willingness to assert unyieldingly that one idea, contribution or attainment is better than another.”[1] Rather, our aim here is to critique that elitism which rises to the level of political condescension and legal sanction. We attack not so much the beliefs of some leaders, activists, or intellectuals that they have a better idea of what is in the public’s best interest than the public itself does, but rather the imposition of those beliefs through coercive, top-down mandates.

That sort of elitism—elitism enforced by law—is often the objective of speech and privacy regulatory advocates. Our goal is to identify the common themes that unite these regulatory movements, explain why such political elitism is unwarranted, and make it clear how it threatens individual liberty as well as the future of a free and open Internet. As an alternative to this elitist vision, we advocate an empowerment agenda: fostering an environment in which users have the tools and information they need to make decisions for themselves and their families.

I. The Elitism of Speech Regulation

First, consider how those two elitist beliefs identified above are on display when lawmakers or regulatory advocates make efforts to control speech or content.[2] Calls to regulate free speech are often premised on the belief that something must be done to “protect The Children.”[3] Personal and parental responsibility [4] are regarded as inadequate safeguards [5] since some parents will inevitably fall down on the job by not adequately shielding their children’s eyes and ears from potentially objectionable (or supposedly harmful) speech. Therefore, government must regulate content that is indecent, profane, excessively violent, and so on. The definition of those things is then left to unelected bureaucrats and judges to make on our behalf.

But it’s not just about “The Children.” Some regulatory advocates believe that even the choices made by consenting adults must be disregarded because some people fail to understand the supposedly destructive nature of the speech they are consuming. Government must act to protect people from making what some regulatory advocates regard as destructive or even immoral choices that could bring harm to them or their loved ones.

In sum, regulatory advocates are essentially saying that people cannot be trusted or left to their own devices and, therefore, government must intervene and establish a baseline “community standard” on behalf of the entire citizenry to tell them what’s best for them.[6] Even if those citizens have tools and information at their disposal to make sensible decisions about objectionable content, that’s not good enough because they might not do the job properly. Government must do it for them!

II. The Elitism of Privacy Regulation

This same mentality motivates calls for privacy regulations. Those who call for government interventions to “protect privacy” often claim that people too willingly surrender personal information about themselves and that they don’t understand the adverse consequences of those actions.[7] Alternatively, regulatory advocates claim that advertising and marketing efforts are inherently “manipulative” and that people do not realize they are being duped into surrendering personal information or into buying products or services they supposedly don’t need.[8] Of course, those regulatory advocates rarely pause to explain to us how it is that they were not also duped and manipulated by the same things—again revealing their deeply-rooted elitism! (As discussed below, this makes it clear how the psychological phenomenon of “third-person effect hypothesis” is driving much of this debate.)

“Protecting The Children” is also used as a rhetorical cover for regulation here, but not as often as in debates over speech controls.[9] Instead, regulatory advocates mostly focus on adults who are presumed not to know what is in their own best interest—necessitating paternalistic government intervention on their behalf.

III. Intellectual Schizophrenia on Both the Left & Right

What is particularly interesting about all this is the way these two issues expose a sort of intellectual schizophrenia at work on both the Left and Right of the political spectrum. Left-leaning policymakers and intellectuals typically decry censorship efforts (except where “commercial speech,” “hate speech” and “bias” are at issue), but are quick to rally around proposals to layer privacy regulations on the Internet. The opposite is often true of many on the Right of the political spectrum: They typically declare privacy regulations to be paternalistic and antithetical to free enterprise (or perhaps just erosive of efforts to legislate morality),[10] but in the next breath advocate controls on content they find objectionable.

Few on either side stop to consider the relationship between speech and privacy. In fact, they are but two sides of the same coin. After all, what is your “right to privacy” but a right to stop me from observing you and speaking about you?[11] “Protecting privacy,” therefore, typically means restricting speech rights in the process. Advocates of privacy regulation often insist that the use, processing and collection of information are “conduct” unprotected by the First Amendment, but in fact, the First Amendment broadly protects the gathering and distribution of information as part of the process of communication (“speech”).[12] Similarly, attempts to “clean up” speech or “protect The Children,” often require regulations that would betray the privacy of adults by expanding the role of government, and impose serious burdens on businesses and markets—such as age verification mandates [13] or extensive data retention requirements.[14]

IV. Common Tactics & Regulatory Mechanisms

The two movements also share common political tactics and regulatory approaches. Privacy advocates generally favor “opt-in” mandates as the federal “baseline standard” for any website collecting information about users, especially their browsing habits (regardless of whether the information is “personally identifiable”). In other words, the law would create a property right in such “personal information” (ironically, many advocates of this approach criticize or reject intellectual property.) In a similar vein, many advocates of speech controls push for mandatory parental control tools or restrictive default settings.[15] That is, if government won’t censor speech outright, regulatory advocates want lawmakers to at least (1) require that media, computing and communications devices be shipped to market with parental controls embedded or included (as proposed in Australia and with China’s “Green Dam” filter),[16] and possibly, (2) that such controls be defaulted to their most restrictive position—forcing users to opt-out of the controls later if they want to consume media rated above a certain threshold.

More sophisticated advocates of speech controls and privacy regulation will likely argue that their paternalism is less elitist or intrusive because they merely want to “nudge” the public into making “better” decisions. Economist Richard Thaler and legal scholar Cass Sunstein (director of President Obama’s Office of Information and Regulatory Affairs, responsible for analyzing most new federal regulations) popularized this approach with their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness. Based on behavioral economics studies, they argue that both government and private actors must inevitably make decisions about “choice architecture” and that, by setting defaults, incentives and rules smartly, “choice architects” can and should improve decision-making without blocking, fencing-off or significantly burdening choices.[17]

In this regard, Sunstein and Thaler’s approach parallels the work of Lawrence Lessig, one of the most influential Internet policy thinkers. Lessig has argued that the “architecture” of “code” (how software is written) “regulates” all online activities and requires government oversight and intervention to keep in check. Otherwise, he warned ominously a decade ago, “Left to itself, cyberspace will become a perfect tool of control.”[18] Lessig’s hyper-pessimistic predictions have proven unwarranted, however. Far from fostering a world of “perfect control,” code and cyberspace have proven remarkably difficult to regulate, but nonetheless have generally benefited consumers and citizens without centralized direction.[19] Still, Lessig, Sunstein, and others of this ilk persist in their advocacy of “nudges” of many varieties to impose their will on cyberspace through mandates from above.

But while it might be possible to define “better decisions” and argue that poor choice architecture leads people to choose things they clearly don’t want in contexts like investment decisions and mortgages, how can elites know what other people really want in highly subjective contexts like privacy and speech? Should they rely on opinion polls—the highly subjective results of which depend heavily on “choice architecture” of question-crafting—to guess what the right default should be?[20] Was the Chinese proposal to mandate deployment of “Green Dam” just a harmless “nudge” because users weren’t barred from uninstalling the filtering software that must accompany their computers (i.e., “opting-out”)? The problem becomes even more difficult where trade-offs among competing values are inevitable. For example, data collection about Internet users raises privacy concerns for some but benefits all, creating more funding for “free” content (i.e., speech) and services users prefer by making more valuable the advertising that supports online publishers. In short, regulations of speech and privacy are likely to be pure paternalism, even when billed as “libertarian paternalism,” as Thaler and Sunstein label their approach.[21]

What might be called “regulatory blackmail” is also a time-honored tradition among both advocates of speech controls and privacy regulation. When censorship advocates have previously been impeded by the First Amendment, they have worked behind the scenes with lawmakers or regulatory agencies to use indirect pressure and strong-arming tactics to extract “voluntary concessions” from companies or others.[22] For example, in 2004, the FCC strong-armed radio giant Clear Channel into agreeing to a “voluntary” consent decree that involved taking Howard Stern off the air.[23] Similarly, in 2008, XM and Sirius Satellite Radio finally agreed to set aside 4% of their system capacity for use by politically favored racial minorities (a kind of speech control) as a “voluntary condition” of their merger—after the FCC had sat on their application for nearly 16 months.[24] This race-based preference would have been unconstitutional if the FCC had imposed it directly.[25] While the FTC has been far less prone to such abuse and actually plays a key role in holding companies to their promises, its current Chairman, Jon Leibowitz, has hung the “regulatory sword of Damocles” over the heads of the online advertising industry, threatening them with a “day of reckoning” if he doesn’t get what he wants from industry self-regulatory efforts.[26] The sword could actually fall if the FTC turns self-regulation into the European model of “co-regulation,” where the government steers and industry simply rows.[27]

V. The Crisis Mentality that Drives Regulation

Speech and privacy regulatory advocates share another trait in common: an affinity for the use of a crisis mentality as a method of spurring political action. In his 1995 book The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy, political philosopher and economist Thomas Sowell formulated a model that he argued drives ideological crusades to expand government power over our lives and economy. “The great ideological crusades of the twentieth-century intellectuals have ranged across the most disparate fields,” noted Sowell. But what they all had in common, he argued, was “their moral exaltation of the anointed above others, who are to have their different views nullified and superseded by the views of the anointed, imposed via the power of government.”[28] These government-expanding crusades shared several key elements, which Sowell identified as follows:

  1. Assertion of a great danger to the whole society, a danger to which the masses of people are oblivious.
  2. An urgent need for government action to avert impending catastrophe.
  3. A need for government to drastically curtail the dangerous behavior of the many, in response to the prescient conclusions of the few.
  4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes.

We see this model at work on a daily basis today with our government’s various efforts to reshape our economy, but the model is equally applicable to debates over speech controls and privacy regulation. In particular, the various “technopanics”[29] we have witnessed in recent years fit this model. For example, consider how this model plays out in the debate over online social networking:

  1. Assertion of a great danger to the whole society [online sexual predators], a danger to which the masses of people are oblivious.
  2. An urgent need for government action [such as mandatory online age verification [30] or the Deleting Online Predators Act [31]] to avert impending catastrophe.
  3. A need for government to drastically curtail the dangerous behavior of the many [must stop kids and adults from being online together on same sites], in response to the prescient conclusions of the few [some state Attorneys General].[32]
  4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [child safety researchers and others are told that their research is meaningless or off base].[33]

We also see this model in play in other debates, such as efforts to regulate “excessively violent” video games and television programming.[34] And consider how this model plays out on the privacy front:

  1. Assertion of a great danger to the whole society [amorphous privacy violations], a danger to which the masses of people are oblivious.
  2. An urgent need for government action [“baseline federal privacy regulation”] to avert impending catastrophe.
  3. A need for government to drastically curtail the dangerous behavior of the many [anyone who shares information online], in response to the prescient conclusions of the few [a handful of privacy advocacy groups].
  4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [any suggestion that privacy concerns are being overblown and that most information-sharing is socially beneficial is dismissed out-of-hand].

Worse yet, regulatory intervention in these cases simply begets more and more intervention to correct the inevitable failures of, or dissatisfaction with, previous interventions.[35] Thus, the “crisis” cycle never ends.

VI. Third-Person Effect Hypothesis as an Explanation

Something more profound than simple political elitism seems to be at work here, however. A phenomenon psychologists refer to as the “third-person effect hypothesis” can explain many calls for government intervention, especially in the media world.[36] Simply stated, speech and privacy critics sometimes seem to only see and hear in media or communications what they want to see and hear—or what they don’t want to see or hear. When they encounter perspectives or preferences that are at odds with their own, they are more likely to be concerned about the impact of those things on others throughout society and come to believe that government must “do something” to correct those perspectives. Many people desire regulation because they think it will be good for others, not necessarily for themselves. The regulation they desire has a very specific purpose in mind: “re-tilting” speech or market behavior in their desired direction.

The third-person effect hypothesis was first formulated by W. Phillips Davison in a seminal 1983 article:

In its broadest formulation, this hypothesis predicts that people will tend to overestimate the influence that mass communications have on the attitudes and behavior of others. More specifically, individuals who are members of an audience that is exposed to a persuasive communication (whether or not this communication is intended to be persuasive) will expect the communication to have a greater effect on others than on themselves.[37]

Davison used this hypothesis to explain how media critics on both the Left and Right seemed to simultaneously find “bias” in the same content or reports when they couldn’t possibly both be correct. In reality, their own personal preferences were biasing their ability to fairly evaluate that content. Davison’s article prompted further research by many other psychologists, social scientists, and public opinion experts to test just how powerful this phenomenon was in explaining calls for censorship and other social phenomena.[38] In these studies, third-person effect has been shown to be the primary explanation for why many people fear—or even want to ban—various types of speech or expression, including news,[39] misogynistic rap lyrics,[40] television violence,[41] video games,[42] and pornography.[43] In each case, the subjects surveyed expressed strong misgivings about allowing others to see or hear too much of the speech or expression in question, but greatly discounted the impact of that speech on themselves. Such studies thus reveal the strong paternalistic instinct behind proposals to regulate speech. As Davison notes:

Insofar as faith and morals are concerned… it is difficult to find a censor who will admit to having been adversely affected by the information whose dissemination is to be prohibited. Even the censor’s friends are usually safe from the pollution. It is the general public that must be protected. Or else, it is youthful members of the general public, or those with impressionable minds.[44]

It’s easy to see how this same phenomenon is at work in debates about privacy. Regulatory advocates imagine their preferences are “correct” (right for everyone) and that the masses are being duped by external forces beyond their control or comprehension, even though the advocates themselves are somehow immune from the brain-washing and privy to some higher truth that the hoi polloi simply cannot fathom. Again, this is Sowell’s “Vision of the Anointed” at work.

Consider the flare-up in 2004 over the introduction of Gmail, Google’s free email service. At a time when Yahoo! mail (then as now the leading webmail provider) offered customers less than 10 megabytes of email storage, Gmail offered an astounding gigabyte of storage that would grow over time (now over 7 GB). Rather than charging some users for more storage or special features, Google paid for the service by showing advertisements next to each email “contextually” targeted to keywords in that email—a far more profitable form of advertising than “dumb banner” ads previously used by other webmail providers.[45] Self-appointed (or, to extend Sowell’s framework, “self-anointed”) privacy advocates howled that Google was going to “read users’ email,” and led a crusade to ban such algorithmic contextual targeting.[46] Thierer responded to these critics by pointing out that the service was purely voluntary and noted:

you don’t speak for me and a lot of other people in this world who will be more than happy to cut this deal with Google. So do us a favor and don’t ask the government to shut down a service just because you don’t like it. Privacy is a subjective condition and your value preferences are not representative of everyone else’s values in our diverse nation. Stop trying to coercively force your values and choices on others. We can decide these things on our own, thank you very much.[47]

Interestingly, however, the frenzy of hysterical indignation about Gmail was followed by a collective cyber-yawn: Users increasingly understood that algorithms, not humans, were doing the “reading” and that, if they didn’t like it, they didn’t have to use it. Today, nearly 150 million people around the world use Gmail, and it has a steadily growing share of the webmail market. Even though cyber-consumers have embraced the service, some privacy advocates persist in their effort to shut down Gmail. They appear determined to stop at nothing to impose their will on others—the essence of political elitism—even if that means cutting off free email service for 150 million people![48]

A similar debate has played out more recently regarding targeted online advertising in general. Advertising on search engines is, much like Gmail, targeted “contextually” based on search terms entered by users and most advertising on other websites is based on the nature of content on a site or page. But certain data is collected about users as they browse to make that advertising more effective—by measuring its performance, reducing fraud, preventing over-exposure, etc. Some privacy advocates have insisted that industry self-regulation of such practices (even if enforced by the FTC) is inadequate and have called for preemptive regulation. They are even more offended by “behavioral advertising” which allows publishers whose content would have little value as the basis for contextually targeting advertising on their own sites to compete for more highly valued advertising by showing ads to users based on other sites they’ve visited. In both cases, data collection can increase the funding available to publishers to produce more of the content and services preferred by users, thus conferring an enormous indirect benefit on users, but also directly benefits users by increasing the relevance of the advertising they see.[49] For some of the more extreme advocates of privacy regulation, however, there are no trade-offs, only absolutist “solutions:” To them, privacy is so obviously desirable that they feel at ease in deciding what’s best for everyone else. Such absolutists often respond with righteous indignation and conspiratorial fulmination when challenged to identify the harm against which they’re protecting consumers, while disdainfully dismissing all talk of the benefits of online advertising as self-serving industry propaganda.[50]

VII. The Principled Alternative: Trust People & Empower Them

There is an alternative to this elitist mentality: freedom and personal responsibility. Individuals should be permitted to live a life of their own, even if they sometimes make mistakes or choices that are at odds with what elites think is best for them.[51]

Of course, the world isn’t perfect. In an ideal world, adults would be fully empowered to tailor speech and privacy decisions to their own values and preferences. Specifically, in an ideal world, adults (and parents) would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability not only to block the things they don’t like—objectionable content, annoying ads or the collection of data about them—but also to find the things they want.

Achieving that ideal is likely impossible, but the good news is that we are moving closer to it with each passing day. Citizens have more tools and methods at their disposal than ever before which enable them to make decisions for themselves and their families. And this is true for both parental controls[52] and privacy controls.[53]

Of course, some speech and privacy elitists will argue that we can’t trust empowerment tools (e.g., filters, rating systems, or other controls) that are created by companies or other affected parties. But rather than trying to enhance those tools and educate users about how to use them, these elitists skip right past user empowerment and channel their energies into regulations that would impose a top-down, one-size-fits-all standard on all adults and families—or even into trying to craft the perfect “nudge” that will help users make what elites believe to be the “right” decisions. Of course, these tools can, and should, be improved. Those groups worried about speech/content and privacy issues should focus on how we might drive such protections from the bottom-up by empowering individuals instead of government bureaucrats. The goal in both cases should be a “let-a-thousand-flowers-bloom” approach, which offers diverse tools and strategies for our diverse citizenry.[54] We need not accept “one-size-fits-all” approaches, whether they be regulatory mandates or “nudges,” based on the presumption that elites know best.

Finally, it is vital not to lose sight of what’s ultimately at stake here. If regulatory approaches trump the empowerment agenda we have described, the future of a free and open Internet—indeed, as technology converges, the future of all media—is at risk.[55] By imposing technological solutions from the top-down that can never keep pace with technological change, regulation necessarily forecloses freedom and innovation.[56] By contrast, individual empowerment allows innovation to flourish. The better approach across the board is education, not regulation.[57] Empowerment, not elitism, is the path forward. The digital elite should be leading this effort by developing and promoting technologies of empowerment, not crafting regulatory mandates to force their will upon us.[58]

#

Adam Thierer is a Senior Fellow with The Progress & Freedom Foundation and the director of its Center for Digital Media Freedom. Berin Szoka is a Senior Fellow with PFF and the Director of PFF’s Center for Internet Freedom.

[1] . William A. Henry, In Defense of Elitism (1995) at 2-3.

[2] . See Adam Thierer, The Progress & Freedom Foundation, Congress, Content Regulation, and Child Protection: The Expanding Legislative Agenda, Progress Snapshot 4.4, Feb. 2008, www.pff.org/issues-pubs/ps/2008/ps4.4childprotection.html. Like American courts, we use the term “speech” as a broad catch-all for communications, including both actual speaking as well as other forms of transmitting, as well as receiving, information (“content”).

[3] . See generally Adam Thierer, Don’t Scapegoat Media, USA Today, Dec. 4, 2008, www.pff.org/issues-pubs/ps/2008/ps4.24scapegoatmedia.html; Marjorie Heins, Not in Front of the Children, “Indecency,” Censorship, and the Innocence of Youth (2001); Karen Sternheimer, It’s Not the Media: The Truth about Pop Culture’s Influence on Children (2003); Karen Sternheimer, Kids These Days: Facts and Fictions about Today’s Youth (2006).

[4] . See Adam Thierer, The Progress & Freedom Foundation, FCC Violence Report Concludes that Parenting Doesn’t Work, PFF Blog, Apr. 26, 2007, http://blog.pff.org/archives/2007/04/fcc_violence_re.html.

[5] . See Adam Thierer, The Progress & Freedom Foundation, Sen. Rockefeller Gives Up on Parenting at Senate Violence Hearing, PFF Blog, June 26, 2007, blog.pff.org/archives/2007/06/sen_rockefeller_1.html.

[6] . Adam Thierer, Conservatives, Porn, and “Community Standards,” The Technology Liberation Front, March 2, 2009, http://techliberation.com/2009/03/02/conservatives-porn-and-community-standards.

[7] . Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, Online Advertising & User Privacy: Principles to Guide the Debate, Progress Snapshot 4.19, Sept. 2008, www.pff.org/issues-pubs/ps/2008/ps4.19onlinetargeting.html.

[8] . Jeff Chester, for decades the great gadfly of American advertising, has decried “the system … developed to track each and every one of us and our behavior for one-on-one marketing efforts” as “manipulative, intrusive and un-democratic.” Wendy Melillo, Q&A: Chester Writes the Book on Privacy, Dec. 11, 2007, www.gfem.org/node/227. For instance, Chester and other leading “privacy advocates” ridicule the idea of smart phones as a “liberating technology” and insist that,

Despite the glowing words about customization and personalized service, what marketers and advertisers are increasingly offering consumers is merely the illusion of free choice. Mobile operators offer their various options and services, not on an individual basis, but preconfigured according to segmented demographic profiles.

Center for Digital Democracy and U.S. Public Interest Research Group, Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair and Deceptive Mobile Marketing Practices, Jan. 13, 2009 (emphasis original), www.democraticmedia.org/files/FTCmobile_complaint0109.pdf. See generally Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, Targeted Online Advertising: What’s the Harm & Where Are We Heading?, Progress on Point 16.2, Feb. 2009, www.pff.org/issues-pubs/pops/2009/pop16.2targetonlinead.pdf.

[9] . Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, Progress on Point 16.11, May 2009, www.pff.org/issues-pubs/pops/2009/pop16.11-COPPA-and-age-verification.pdf.

[10] . The Supreme Court has used a “right to privacy” to strike down laws against the use of contraception by married couples, Griswold v Connecticut, 381 U.S. 479 (1965), and abortion, Roe v. Wade, 410 U.S. 113 (1973).

[11] . Eugene Volokh, Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People From Speaking About You, 52 Stanford L. Rev. 1049 (2000), available at www.pff.org/issues-pubs/pops/pop7.15freedomofspeech.pdf.

[12] . See Amicus Brief for Association Of National Advertisers, Cato Institute, Coalition For Healthcare Communication, Pacific Legal Foundation And The Progress & Freedom Foundation In Support Of Appellants, IMS Health v. Sorrell, No. 09-1913-cv(L), 09-2056-cv(CON) (2nd Cir. 2009), available at www.pff.org/issues-pubs/filings/2009/071309-Brief-Amici-Curiae-ANA-et-al-Second-Circuit-(09-1913-cv).pdf.

[13] . See Adam Thierer, The Progress & Freedom Foundation, Social Networking and Age Verification: Many Hard Questions; No Easy Solutions, Progress on Point No. 14.5, March 2007, www.pff.org/issues-pubs/pops/pop14.8ageverificationtranscript.pdf; www.pff.org/issues-pubs/pops/pop14.5ageverification.pdf; Adam Thierer, The Progress & Freedom Foundation, Statement Regarding the Internet Safety Technical Task Force’s Final Report to the Attorneys General, Jan. 14, 2008, www.pff.org/issues-pubs/other/090114ISTTFthiererclosingstatement.pdf; Nancy Willard, Why Age and Identity Verification Will Not Work—And is a Really Bad Idea, Jan. 26, 2009, www.csriu.org/PDFs/digitalidnot.pdf; Jeff Schmidt, Online Child Safety: A Security Professional’s Take, The Guardian, Spring 2007, www.jschmidt.org/AgeVerification/Gardian_JSchmidt.pdf.

[14] . Adam Thierer, The Progress & Freedom Foundation, Mandatory Data Retention: How Much is Appropriate, PFF Blog, June 26, 2006, http://blog.pff.org/archives/2006/06/mandatory_data.html

[15] . Adam Thierer, The Progress & Freedom Foundation, The Perils of Mandatory Parental Controls and Restrictive Defaults, Progress on Point 14.4, Apr. 11, 2008, www.pff.org/issues-pubs/pops/2008/pop15.4defaultdanger.pdf.

[16] . Adam Thierer, China’s Green Dam Filter and the Threat of Rising Global Censorship, PFF Blog, June 17, 2009, http://blog.pff.org/archives/2009/06/chinas_green_dam_filter_and_threat_of_rising_globa.html

[17] . They define choice architecture as follows: “A structure designed by a choice architect(s) to improve the quality of decisions made by homo sapiens. Often invisible, choice architecture is the specific user-friendly shape of an organization’s policy or physical building when homo sapiens come into contact with it. Examples of choice architecture include a voter ballot, a procedure for handling well-meaning people who forget a deadline, or a skyscraper.” Nudge Glossary of Terms, www.nudges.org/glossary.cfm.

[18] . Lawrence Lessig, Code and Other Laws of Cyberspace (1999) at 6.

[19] . See Adam Thierer, Code, Pessimism, and the Illusion of “Perfect Control,” Cato Unbound, May 2009, www.cato-unbound.org/2009/05/08/adam-thierer/code-pessimism-and-the-illusion-of-perfect-control

[20] . See Solveig Singleton & Jim Harper, With A Grain of Salt: What Consumer Privacy Surveys Don’t Tell Us, 2001, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=299930.

[21] . As Cato Institute scholar Will Wilkinson has argued, the book’s “agreeably banal doctrine of choice-preserving helpfulness” blurs the lines between paternalism and libertarianism, and thus “the thrust of the conceptual renovation behind the term libertarian paternalism is to empower, not limit, political elites.” Why Opting Out Is No “Third Way,” Reason, October 2008, www.reason.com/news/show/128916.html. See also Adam Thierer, The Progress & Freedom Foundation, Sunstein’s “Libertarian Paternalism” is Really Just Paternalism, PFF Blog, April 7, 2008, http://blog.pff.org/archives/2008/04/sunsteins_liber.html.

[22] . See Robert Corn-Revere, “’Voluntary’ Self-Regulation and the Triumph of Euphemism,” in Rationales & Rationalizations: Regulating the Electronic Media (Robert Corn-Revere, ed., 1997), at 183-208.

[23] . Telecom Policy Report, Commission Settles Indecency Charges, But At What Cost?, June 30, 2004, http://findarticles.com/p/articles/mi_m0PJR/is_25_2/ai_n6091525.

[24] . See Adam Thierer, XM-Sirius, Regulatory Blackmail, and Diversity, June 17, 2008, http://blog.pff.org/archives/2008/06/xmsirius_regula.html.

[25] . See Comments of W. Kenneth Ferree on Implementation of Sirius-XM Merger Condition, The Progress & Freedom Foundation, MB Docket No. 07-57, March 30, 2009, www.pff.org/issues-pubs/filings/2009/033009siriusXMconditionfiling.pdf.

[26] . See Szoka & Adam Thierer, supra note 8 at 3.

[27] . See id. at 2.

[28] . Thomas Sowell, The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy (1995) at 5.

[29] . Alice Marwick, To Catch a Predator? The MySpace Moral Panic, First Monday, Vol. 13, No. 6-2, June 2008, www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2152/1966; Wade Roush, The Moral Panic over Social Networking Sites, Technology Review, Aug. 7, 2006, www.technologyreview.com/communications/17266; Anne Collier, Why Techopanics are Bad, Net Family News, April 23, 2009, www.netfamilynews.org/2009/04/why-technopanics-are-bad.html; Adam Thierer, Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics,’ Inside ALEC, July 2009, at 16-17, www.alec.org/am/pdf/Inside_July09.pdf; Adam Thierer, Progress & Freedom Foundation, Technopanics and the Great Social Networking Scare, PFF Blog, June 10, 2008, http://techliberation.com/2008/07/10/technopanics-and-the-great-social-networking-scare.

[30] . Supra note 13.

[31] . In the 109th Congress, former Rep. Michael Fitzpatrick (R-PA) introduced the Deleting Online Predators Act (DOPA), which proposed a ban on social networking sites in public schools and libraries. DOPA passed the House of Representatives shortly thereafter by a lopsided 410-15 vote, but failed to pass the Senate. The measure was reintroduced just a few weeks into the 110th Congress by Senator Ted Stevens (R-AK), the ranking minority member and former chairman of the Senate Commerce Committee. It was section 2 of a bill that Sen. Stevens sponsored titled the “Protecting Children in the 21st Century Act” (S. 49), but was later removed from the bill. See Declan McCullagh, Chat Rooms Could Face Expulsion, CNet News.com, July 28, 2006, http://news.com.com/2100-1028_3-6099414.html?part=rss&tag=6099414&subj=news.

[32] . See Emily Steel & Julia Angwin, MySpace Receives More Pressure to Limit Children’s Access to Site, Wall Street Journal, June 23, 2006, online.wsj.com/public/article/SB115102268445288250-YRxkt0rTsyyf1QiQf2EPBYSf7iU_20070624.html; Susan Haigh, Conn. Bill Would Force MySpace Age Check, Yahoo News.com, March 7, 2007, www.msnbc.msn.com/id/17502005.

[33] . See, e.g., Letter of Henry McMaster, Attorney General, South Carolina to Attorney General Richard Blumenthal and Attorney General Roy Cooper Regarding Internet Safety Task Force (“ISTTF”) Report, January 14, 2009, www.scag.gov/newsroom/pdf/2009/internetsafetyreport.pdf

[34] . See Adam Thierer, The Progress & Freedom Foundation, Video Games and “Moral Panic,” PFF Blog, Jan. 23, 2009, http://blog.pff.org/archives/2009/01/video_games_and_moral_panic.html; Adam Thierer, The Progress & Freedom Foundation, Fact and Fiction in the Debate over Video Game Regulation, Progress Snapshot 13.7, March 2006, www.pff.org/issues-pubs/pops/pop13.7videogames.pdf.

[35] . “All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state of affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther until the market economy has been entirely destroyed and socialism has been substituted for it.” Ludwig von Mises, Human Action, at 858 (3rd ed. 1963) (1949).

[36] . See generally Adam Thierer, The Progress & Freedom Foundation, Media Myths: Making Sense of the Debate over Media Ownership (2005) at 119-123, www.pff.org/issues-pubs/books/050610mediamyths.pdf (Explaining how the third-person effect serves as a powerful explanation for the heated backlash that followed an FCC effort to moderately liberalize media ownership rules in 2003-04).

[37] . W. Phillips Davison, The Third-Person Effect in Communication, 47 Public Opinion Quarterly 1, Spring 1983, at 3.

[38] . For the best overview of third-person effect research, see Douglas M. McLeod, Benjamin H. Detenber, and William P. Eveland, Jr., Behind the Third-Person Effect: Differentiating Perceptual Processes for Self and Other, 51 Journal of Communication, Vol. 51, No. 4, 2001, at 678-695.

[39] . Vincent Price, David H. Tewksbury & Li-Ning Huang, Third-person Effects of News Coverage: Orientations Toward Media, Journalism & Mass Communications Quarterly, Vol. 74, at 525-540.

[40] . Douglas M. McLeod, William P. Eveland & Amy I. Nathanson, Support for Censorship of Violent and Misogynic Rap Lyrics: An Analysis of the Third-Person Effect, Communications Research, Vol. 24, 1997, at 153-174.

[41] . Hernando Rojas, Dhavan V. Shah, and Ronald J. Faber, For the Good of Others: Censorship and the Third-Person Effect, International Journal of Public Opinion Research, Vol. 8, 1996, at 163-186.

[42] . James D. Ivory, Addictive, But Not For Me: The Third-Person Effect and Electronic Game Players’ Views Toward the Medium’s Potential for Dependency and Addiction, University of North Carolina at Chapel Hill, School of Journalism and Mass Communication, Aug. 2002.

[43] . Albert C. Gunther, Overrating the X-rating: The Third-person Perception and Support for Censorship of Pornography, Journal of Communication, Vol. 45, No. 1, 1995, at 27-38

[44] . Supra note 37 at 14. Along these lines, a December 2004 Washington Post article documented the process by which the Parents Television Council, a vociferous censorship advocacy group, screens various television programming. One of the PTC screeners interviewed for the story talked about the societal dangers of various broadcast and cable programs she rates, but then also noted how much she personally enjoys HBO’s “The Sopranos” and “Sex and the City,” as well as ABC’s “Desperate Housewives.” Apparently, in her opinion, what’s good for the goose is not good for the gander! See Bob Thompson, Fighting Indecency, One Bleep at a Time, The Washington Post, Dec. 9, 2004, at C1, www.washingtonpost.com/wp-dyn/articles/A49907-2004Dec8.html.

[45] . See Chris Anderson, Free: The Future of a Radical Price at 112-118 (2009).

[46] . See Letter from Chris Jay Hoofnagle, Electronic Privacy Information Center, Beth Givens, Privacy Rights Clearinghouse, Pam Dixon, World Privacy Forum, to California Attorney General Lockyer, May 3, 2004, http://epic.org/privacy/gmail/agltr5.3.04.html.

[47] . See email from Adam Thierer to Declan McCullagh on Politech Email discussion group, April 30, 2004, http://lists.jammed.com/politech/2004/04/0083.html (emphasis added).

[48] . See Complaint and Request for Injunction of the Electronic Privacy Information Center against Google, Inc., March 17, 2009, http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf; see also Ryan Radia, Should the FTC Shut Down Gmail and Google Docs Because of an Already-Fixed Bug?, Technology Liberation Front Blog, March 18, 2009, http://techliberation.com/2009/03/18/should-the-ftc-shut-down-gmail-and-google-docs-because-of-an-already-fixed-bug/.

[49] . See Berin Szoka & Mark Adams, The Progress & Freedom Foundation, The Benefits of Online Advertising & the Costs of Regulation, PFF Working Paper, forthcoming.

[50] . Anti-advertising crusader Jeff Chester often resorts to questioning the motives of those who question whether his regulatory prescriptions would actually benefit consumers, see, e.g., http://techliberation.com/2009/06/17/behavioral-advertising-industry-practices-hearing-some-issues-that-need-to-be-discussed/#comment-11698840. See generally Jeff Chester, Digital Destiny: New Media and the Future of Democracy (2007).

[51] . “The only freedom which deserves the name is that of pursuing our own good in our own way, so long as we do not attempt to deprive others of theirs or impede their efforts to obtain it. Each is the proper guardian of his own health, whether bodily or mental and spiritual.” John Stuart Mill, On Liberty (Penguin Classics, 1859, 1986) at 72.

[52] . Adam Thierer, The Progress & Freedom Foundation, Parental Controls & Online Child Protection, Special Report, Version 4.0, Summer 2009, www.pff.org/parentalcontrols.

[53] . Adam Thierer, Berin Szoka & Adam Marcus, The Progress & Freedom Foundation, Privacy Solutions, PFF Blog, Ongoing Series, http://blog.pff.org/archives/ongoing_series/privacy_solutions.

[54] . Comments of Adam Thierer, The Progress & Freedom Foundation, In the Matter of Implementation of the Child Safe Viewing Act; Examination of Parental Control Technologies for Video or Audio Programming; MB Docket No. 09-26, April 16, 2009, www.pff.org/issues-pubs/filings/2009/041509-%5bFCC-FILING%5d-Adam-Thierer-PFF-re-FCC-Child-Safe-Viewing-Act-NOI-(MB-09-26).pdf.

[55] . See Adam Thierer, FCC v. Fox and the Future of the First Amendment in the Information Age, Engage, Feb. 20, 2009, www.fed-soc.org/doclib/20090216_ThiererEngage101.pdf

[56] . “To act on the belief that we possess the knowledge and the power which enable us to shape the processes of society entirely to our liking, knowledge which in fact we do not possess, is likely to make us do much harm.” Friedrich von Hayek, “The Pretence of Knowledge,” in The Essence of Hayek, (Hoover Inst., 1984), at 276.

[57] . Adam Thierer, The Progress & Freedom Foundation, Two Sensible, Education-Based Legislative Approaches to Online Child Safety, Progress Snapshot 3.10, Sept. 2007, www.pff.org/issues-pubs/ps/2007/ps3.10safetyeducationbills.pdf.

[58] . See, e.g., Berin Szoka, Google, CDT, Online Advertising & Preserving Persistent User Choice Across Ad Networks Through Plug-ins, Technology Liberation Front Blog, March 13, 2009, http://techliberation.com/2009/03/13/google-cdt-online-advertising-preserving-persistent-user-choice-across-ad-networks-through-plug-ins/.

Emerging Threats to Section 230
https://techliberation.com/2009/05/14/emerging-threats-to-section-230/
Thu, 14 May 2009 20:33:16 +0000

As faithful readers no doubt know, I’m a big fan of Section 230 and believe it has been the foundation of a great many of the online freedoms we enjoy (dare I say, take for granted?) today. That’s why I’m increasingly concerned about some of the emerging thinking and case law I am seeing on this front, which takes a decidedly anti-230 tone.

Consider, for example, how some might weaken Sec. 230 in the name of “child safety.”  You will recall the friendly debate about the future of Sec. 230 that I engaged in with Harvard’s John Palfrey.  Prof. Palfrey has argued that: “The scope of the immunity the CDA provides for online service providers is too broad” and that the law “should not preclude parents from bringing a claim of negligence against [a social networking site] for failing to protect the safety of its users.”  Similarly, Andrew LaVallee of The Wall Street Journal reported from a conference this week that Sec. 230 became everyone’s favorite whipping boy, with several participants suggesting that the law needs to be re-opened and altered to somehow solve online “cyber-bullying” problems.

There’s also some potential trouble brewing in the courts, as Braden Cox noted recently. As usual, the prolific Eric Goldman has the best summary of what’s been going on over at his Technology & Marketing Law Blog. After Eric takes a close look at the most recent 230-related case of Barnes v. Yahoo!, Inc., which contained some troubling language about 230, he continues on to note:

47 USC 230 has weathered plaintiff attacks very well in the past dozen years, but the last 6 months have opened up a number of angles for plaintiffs to explore. Consider the track record:

  * Woodhull (October): soliciting and publishing a defamatory third party email wasn’t covered by 230
  * Doe v. SexSearch (December): as mentioned, the court stepped back from saying 230 preempted liability for marketing representations
  * StubHub (January): interference with business claim wasn’t preempted by 230
  * Gourlay (March): web host who provided extra commercial services to its customer couldn’t claim 230
  * Project Playlist (March): 230 doesn’t preempt state IP claims (this is a loss only because it contravenes the wrongly decided Ninth Circuit ccBill case, which was more defense-favorable).
  * This case, saying that a promissory estoppel claim isn’t preempted by 230.

I’m not sure what to make of this trend, but it’s clear that we’re finally finding some substantial limits in 230’s reach, and that’s creating new litigation opportunities for plaintiffs.

And let’s be clear about why these trends are so troubling. Keeping online intermediaries free from burdensome policing requirements and liability threats has created the vibrant marketplace of expression and commerce that we enjoy today. If not for Sec. 230, we would likely live in a very different world today.  The alternative approach of strict secondary liability on ISPs and other online intermediaries would have a profound “chilling effect” on online free speech and expression.  That’s why Sec. 230 is so important, and worth defending.

What is Cyber-Libertarianism? (The Debate over Lessig’s Code at 10 Continues)
https://techliberation.com/2009/05/14/what-is-cyber-libertarianism-the-debate-over-lessigs-code-at-10-continues/
Thu, 14 May 2009 15:52:25 +0000

I’ve posted another response in the Cato Unbound online debate over the impact of Lawrence Lessig’s Code and Other Laws of Cyberspace upon the book’s 10th anniversary.  You will recall that I went fairly hard on Prof. Lessig in my essay, “Code, Pessimism, and the Illusion of ‘Perfect Control,’” and Lessig responded with a counter-punch that went after me for it.  I respond in a new essay about “Our Conflict of Cyber-Visions.” In the piece, I address Lessig’s assertion that I just didn’t understand the central teachings of Code, as well as his reluctance to accept the “cyber-collectivism” label that I affixed to his book and life’s work.  Again, please hop over to Cato Unbound for my complete response.

But one thing from the essay that I thought worth reproducing here is my effort to better define the key principles that separate the cyber-libertarian and cyber-collectivist schools of thinking.  I argue that it comes down to this:

The cyber-libertarian believes that “code failures” are ultimately better addressed by voluntary, spontaneous, bottom-up, marketplace responses than by coerced, top-down, governmental solutions. Moreover, the decisive advantage of the market-driven approach to correcting code failure comes down to the rapidity and nimbleness of those response(s).

Of course, another key difference relates to how quickly one jumps to the conclusion that “code failures” are actually occurring at all. I argue:

What concerns me about the way Prof. Lessig approaches these issues in Code and in his subsequent work is that he is far too quick to declare the debate over by labeling short-term code hiccups as sky-is-falling market failures. The end result of such myopic techno-pessimism is the inevitable call for governments to intervene and “do something” to correct supposed code failures.  The cyber-libertarian instead counsels patience. Let’s give those other forces — alternative platforms, new innovators, social norms, public pressure, etc. — a chance to work some magic. Evolution happens, if you let it. Moreover, if you are always running around crying “market failure!” and calling in the code cops, it creates perverse marketplace incentives by discouraging efforts to innovate or “route around” bad code or code failure. We don’t want the whole world sitting around waiting for government to regulate the mousetrap to improve it or even give everyone better access to it; we should want the world to be innovating to create better mousetraps! To reiterate a key point I already stressed in my original essay: One need not believe that the markets in code are “perfectly competitive” to accept that they are “competitive enough” — or at least, better than regulatory alternatives.

Anyway, please head over to the Cato site to read the whole thing and let me know what you think.  If nothing else, I’m sure that Seth Finkelstein will have something incredibly nasty to say about me!  And I will wear his scorn as a badge of honor.
