For my latest column in The Hill, I explored the European Union’s (EU) endlessly expanding push to regulate all facets of the modern data economy. That now includes a new effort to regulate artificial intelligence (AI) using the same sort of top-down, heavy-handed, bureaucratic compliance regime that has stifled digital innovation on the continent over the past quarter century.

The European Commission (EC) is advancing a new Artificial Intelligence Act, which proposes banning some AI technologies while classifying many others under a heavily controlled “high-risk” category. A new bureaucracy, the European Artificial Intelligence Board, will be tasked with enforcing a wide variety of new rules, including “prior conformity assessments,” which are like permission slips for algorithmic innovators. Steep fines are also part of the plan. There’s a lengthy list of covered sectors and technologies, with many others that could be added in coming years. It’s no wonder, then, that the measure has been labelled the measure “the mother of all AI laws” and analysts have argued it will further burden innovation and investment in Europe.

As I noted in my new column, the consensus about Europe’s future on the emerging technology front is dismal to put it mildly. The International Economy journal recently asked 11 experts from Europe and the U.S. where the EU currently stood in global tech competition. Responses were nearly unanimous and bluntly summarized by the symposium’s title: “The Biggest Loser.” Respondents said Europe is “lagging behind in the global tech race,” and “unlikely to become a global hub of innovation.” “The future will not be invented in Europe,” another analyst bluntly concluded.

That’s a grim assessment, but there is no doubt that European competitiveness is suffering today and that excessive regulation plays a fairly significant role in causing it. As I noted in my column, “the EU’s risk-averse culture and preference for paperwork compliance over entrepreneurial freedom” had serious consequences for continent-wide innovation.  I note in my recent column how:

After the continent piled on layers of data restrictions beginning in the mid-1990s, innovation and investment suffered. Regulation grew more complex with the 2018 General Data Protection Regulation (GDPR), which further limits data collection and use. As a result of all the red tape, the EU came away from the digital revolution with “the complete absence of superstar companies.” There are no serious European versions of Microsoft, Google, Facebook, Apple or Amazon. Europe’s leading providers of digital technology services today are American-based companies.

Let’s take a look at a few numbers that illustrate what’s happened in Europe’s tech sector over the past quarter century. Here’s an old KPGM breakdown of market caps for public Internet companies over an important 20 year period, from 1995 to 2015, when the digital technology marketplace was taking shape. Besides the remarkable amount of churn over that period (with only Apple appearing on both lists), the other notable thing is the complete absence of any European companies in 2015.

Next, here’s a chart I constructed using CB Insights data for global unicorns ($billion valued companies) from 2010 up through early 2022. It shows how the U.S. dominates fully half the list with China having a 16% share, but all of the European Union’s firms equal just a 9 percent slice of the world’s share.

If you want to see a per capita breakdown of VC investment by country, here’s a handy Crunchbase News chart. While the U.S. is geographically much larger than Europe, a breakdown of VC funding on a per capita basis reveals that only Estonia ($915B) and Sweden ($700B) have startup investment on par with America ($808B). No other European country has even half as much per capita VC investment as the U.S., and most don’t even have a quarter as much.

As we enter the “age of AI,” what will the EU’s same regulatory model for mean for AI, machine learning, and robotics in Europe? We do have some early data on that, too. Here’s a breakdown of AI-related VC activity and AI unicorn in 2021 from the recent State of AI Report 2021, with European countries already trailing far behind:

Also, here’s some data on recent AI investment by region from the latest Stanford “AI Index Report 2022” which again highlights a gap that is only growing larger:

It’s important to listen to what actual AI innovators across the Atlantic have to say about the new EU regulatory efforts. Just last month, the UK-based Coalition for a Digital Economy (Coadec), an advocacy group for Britain’s technology-led startups, published a report entitled, “What do AI Startups Want from Regulation?” Coadec surveyed its members to gauge their feelings about the EU’s proposed approach to AI regulation, as well as the UK’s. 76% of those startups said that their business model would be either negatively affected or become infeasible if the UK were to echo the EU by making AI developers liable, and an equal percentage said they had varying concerns about whether it’s technically even feasible to make their datasets “free of errors,” as the EU looks set to demand. Respondents also said they feared that the new AI Act would be particularly burdensome to small and mid-size entrepreneurs because they cannot afford to deal with the costly compliance hassles like the larger competitors they face. This would end of being a replay of the burdens they faced from GDPR, which decimated small businesses. “The experience of GDPR demonstrated how unclear, complex and expensive regulations drove many startups out of business, and disproportionately impact startups that survived–GDPR compliance cost startups significantly more than it did the Tech Giants,” the Coadec report concluded.

At least those UK-based innovators might be in a slightly better position post-Brexit with the British government now looking to chart a different–and much less burdensome–governance approach for digital technologies. In fact, the UK government recently released a major policy document on “Establishing a Pro-Innovation Approach to Regulating AI,” which makes a concerted effort to distinguish its approach from the EU’s. “We will ask that regulators focus on high risk concerns rather than hypothetical or low risks associated with AI,” the report noted. “We want to encourage innovation and avoid placing unnecessary barriers in its way.” This is consistent with what the UK government has been saying on technology governance more generally. For example, in recent report advocating for Innovation Friendly Regulation, the UK government’s Regulatory Horizons Council argued that, when it comes to the regulation of emerging technologies like AI, “it is also necessary to consider the risk that the intervention itself poses.” “This would include the potential impact on benefits from a particular innovation that might be foregone; it would also include the potential creation of a ‘chilling effect’ on innovation more generally,” the Council concluded. Clearly, this approach to technology policy stands in stark contrast to the EU’s heavy-handed model. So, there is a chance that at least some innovators based in the UK can escape the EU’s regulatory hell.

What about AI innovators stuck on the European continent? What are they saying about the regulations they will soon face? The European DIGITAL SME Alliance, which is the largest network of small and medium sized enterprises (SMEs) in the European ICT sector, represents roughly 45,000 digital SMEs. In comments to the EC about the impact of the law, the Alliance highlighted how costly the AI Act’s conformity assessments and other regulations will be for smaller innovators. “This may put a burden on AI innovation” the Alliance argued, because smaller developers have limited financial and human resources of SMEs.” “[A] regulation that requires SMEs to make these significant investments, will likely push SMEs out of the market,” the group noted. “This is exactly the opposite of the intention to support a thriving and innovative AI ecosystem in Europe.” Moreover, “SMEs will not be able to pass on these costs to their customers in the final customer end pricing,” the Alliance correctly noted because, “[t[he market is global and highly competitive. Therefore, customers will choose cheaper solutions and Europe risks to be left behind in technology development and global competition.”

In March, the Alliance also hosted a forum on “The European AI Act and Digital SMEs,” which featured comments from some operators in this space. Some speakers were quite timid and you could sense that they might have feared pushing back too aggressively against the European Commission so as not to get on the bad side of regulators before the rules go into effect. But Mislav Malenica, Founder & CEO Mindsmiths didn’t pull any punches in his remarks. His company Mindsmiths is trying to build autonomous support systems in many different fields, but their ability to innovate and compete globally will be severely curtailed by the EU AI Act, he argued.

I usually don’t spend time transcribing people’s comments from events, but I went back and watched Malenica’s multiple times because his remarks are so powerful and I wanted to make sure others hear what he was saying. [Malenica’s opening comments during the event run from 42:29 to 49:34 of the video and then he has more to say during Q&A beginning at the 1:27:28 of the video.] Here’s a quick summary of a few of Malenica’s key points (listed chronologically):

• “I’m not sure we are doing everything we can do actually to create an environment that’s innovation friendly.”
• “we see a lot of uncertainty. We see fear.”
• “basically we won’t be able to get funding here.”
• while reading through the AI Act, he notes, “I don’t see start-ups being mentioned anywhere, and startups are the main vehicles of innovation.” […] “I find it very arrogant”
• if AI Act becomes law, “what we’ll do in Europe is we’ll create a new market and that’s the AI markets based on fear,” and in how to just build products that avoid the wrath of government or lawsuits.
• “we are really stifling innovation” and that means Europeans will have to import autonomous products from foreign companies instead of making them there.

Later, during in the Q&A period, Malenica notes how his first virtual currency startup had to use half it’s investment capital just dealing with regulatory compliance issues, and most venture capitalists wouldn’t get behind launching in Europe because of such legal hassles. He reflects upon what this mean for other innovators going forward as the EU prepares to expand their regulatory regime for AI sectors:

• “I don’t think we’re missing talent. That’s just a consequence” of all the regulation. “We are missing a sense that you have opportunities here. If you the opportunities here, then the talent will come, the funding will come, and so on because people see that they’ll be able to make money, they’ll be able to build companies, and so on.”
• “If we now take a look at the 10 biggest companies market capitalizations in the world, we’ll see that none of them comes actually from Europe” with U.S. tech companies dominating the list. “So, we missed that wave completely.” Why? “Because we didn’t inspire anyone to take action,” and that is about to happen for AI.
• “We need to decide if we are going to be a land of opportunities, or will we be just consumers of other people’s tech, the same we are right now” for digital software and services.
• “We’re already finding excuses for the loss” of the AI market, he argues.

Malenica’s comments are extraordinarily demoralizing if you care about innovation. Now, I’m an American and one way to look at this dismal situation is that, by hobbling its own startups and existing AI innovators, Europe is doing the U.S. another favor by essentially taking itself out of the running in next great global tech race. Europe’s actions may also mean that America gains many of their best and brightest if they come to the U.S. when looking to create the next great algorithmic service or application because they can’t do so in the EU. This is exactly what happened over the past few decades for Internet startups, Malenica noted.

But that’s dismal news in another sense. Europe is filled with brilliant innovators, highly-skilled talent, world-class educational institutions, and even many venture capitalists looking to invest in this arena. Unfortunately, the continent’s suffocating regulatory approach makes it nearly impossible for digital technology innovators to have a fighting chance. Through their heavy-handed policies, European officials have essentially declared their innovators “guilty until proven innocent.” And that means that Europeans and the rest of the world are being deprived of many important life-enriching and life-saving AI applications that those innovators could create. Technological innovation is not a zero-sum game that only one country can “win.” Innovation drives growth and prosperity and lifts all boats as its benefits spread throughout the world. When European innovators prosper, people all over the world prosper along with them.

Is there any chance the European Commission softens its stance toward emerging technologies and looks to adopt a more flexible governance approach that instead treats AI innovators as innocent until proven guilty? I think it is extremely unlikely that will happen because, as Malenica noted, European technology policy is too rooted in fear of disruption and extreme risk-aversion. EU officials are forgetting that the most important lesson from the history of technological innovation is there can be no progress without some risk-taking and corresponding disruption. My favorite quote about the relationship between risk-taking and human progress comes from Wilbur Wright who, along with his brother, helped pioneer human flight. “If you are looking for perfect safety,” Wright said, “you would do well to sit on a fence and watch the birds.” European policymakers are essentially forcing their best and brightest innovators to sit on the fence and watch the rest of the world fly right past them on the digital technology and AI front. The ramifications for the continent will be disastrous. Regardless, as I noted in concluding my recent Hill column, Europe’s approach to AI “shouldn’t be the model the U.S. follows if it hopes to maintain its early lead in AI and robotics. America should instead welcome European companies, workers and investors looking for a more hospitable place to launch bold new AI innovations.”

Alas, European officials appear ready to ignore the deleterious impact of their policies on innovation and competition and instead make regulation their leading export to the world. In fact, the European Commission will soon open a San Francisco office to work more closely with Silicon Valley companies affected by EU tech regulation. European leaders have basically surrendered on the idea of home-grown innovation and are now plowing all their energies into regulating the rest of the world’s largest digital technology companies, most of which are headquartered in the United States. It’s no wonder, then, that The Economist magazine concludes that, “Europe is the free-rider continent” that “has piggybacked on innovation from elsewhere, keeping up with rivals, not forging ahead.” Instead, “the cuddly form of capitalism embraced in Europe has markedly failed to create world-beating companies,” the magazine argues.

European officials want us to believe that they are somehow doing the world a favor by being its global tech regulator, when instead the are simply solidifying the power of the largest digital tech companies, who are the only ones with enough resources–mainly in the form of massive legal compliance teams–to live under the EU’s innovation-crushing regulations. Sadly, many US policymakers hate our own home-grown tech companies so much now, that they are willing to let this happen. In a better world, those American lawmakers would stand up to European officials looking to bully tech innovators and we would reject the innovation-killing recipe that the EU is cooking up for AI markets and expects the rest of the world to eat.

Additional Reading on AI & Robotics:

• Adam Thierer, “How Science Fiction Dystopianism Shapes the Debate over AI & Robotics,” Discourse, July 26, 2022.
• Adam Thierer, “Why is the US Following the EU’s Lead on Artificial Intelligence Regulation?” The Hill, July 21, 2022.
• Adam Thierer, “Algorithmic Auditing and AI Impact Assessments: The Need for Balance,” Medium, July 13, 2022.
• Adam Thierer, “What I Learned about the Power of AI at the Cleveland Clinic,” Medium, May 6, 2022.
• Adam Thierer, Governing Emerging Technology in an Age of Policy Fragmentation and Disequilibrium, American Enterprise Institute (April 2022).
• Adam Thierer, “How to Get the Future We Were Promised,” Discourse, January 18, 2022.
• Adam Thierer, “A Global Clash of Visions: The Future of AI Policy,” The Hill, May 4, 2021.
• Adam Thierer, “A Brief History of Soft Law in ICT Sectors: Four Case Studies,” Jurimetrics, Vol. 61 (Fall 2021): 79-119.
• Adam Thierer, “Artificial Intelligence Governance in the Obama–Trump Years,” IEEE Transactions on Technology and Society, Vol, 2, Issue 4 (2021).
• Adam Thierer, “The Worst Regulation Ever Proposed,” The Bridge, September 2019.
• Ryan Hagemann, Jennifer Huddleston Skees & Adam Thierer, “Soft Law for Hard Problems: The Governance of Emerging Technologies in an Uncertain Future,” Colorado Technology Law Journal, Vol. 17 (2018).
• Adam Thierer & Trace Mitchell, “No New Tech Bureaucracy,” Real Clear Policy, September 10, 2020.
• Adam Thierer, “OMB’s AI Guidance Embodies Wise Tech Governance,” Mercatus Center Public Comment, March 13, 2020.
• Adam Thierer, “Europe’s New AI Industrial Policy,” Medium, February 20, 2020.
• Adam Thierer, “Trump’s AI Framework & the Future of Emerging Tech Governance,” Medium, January 8, 2020.
• Adam Thierer, “Soft Law: The Reconciliation of Permissionless & Responsible Innovation,” Chapter 7 in Adam Thierer, Evasive Entrepreneurs & the Future of Governance (Washington, DC: Cato Institute, 2020): 183-240.
• Andrea O’Sullivan & Adam Thierer, “Counterpoint: Regulators Should Allow the Greatest Space for AI Innovation,” Communications of the ACM, Volume 61, Issue 12, (December 2018): 33-35.
• Adam Thierer, Andrea O’Sullivan & Raymond Russell, “Artificial Intelligence and Public Policy,” Mercatus Research (2017).
• Adam Thierer, “Shouldn’t the Robots Have Eaten All the Jobs at Amazon By Now?” Technology Liberation Front, July 26, 2017.
• Adam Thierer, “Are ‘Permissionless Innovation’ and ‘Responsible Innovation’ Compatible?” Technology Liberation Front, July 12, 2017.
• Adam Thierer, “The Growing AI Technopanic,” Medium, April 27, 2017.
• Adam Thierer, “The Day the Machines Took Over,” Medium, May 11, 2017.
• Adam Thierer, “When the Trial Lawyers Come for the Robot Cars,” Slate, June 10, 2016.
• Adam Thierer, “Learning by Doing,” the Process of Innovation & the Future of Employment,” Technology Liberation Front, September 25, 2015.
• Adam Thierer, “Problems with Precautionary Principle-Minded Tech Regulation & a Federal Robotics Commission,” Medium, September 22, 2014.
• Adam Thierer, “On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.

Ronald J. Deibert is the director of The Citizen Lab at the University of Toronto’s Munk School of Global Affairs and the author of an important new book, Black Code: Inside the Battle for Cyberspace, an in-depth look at the growing insecurity of the Internet. Specifically, Deibert’s book is a meticulous examination of the “malicious threats that are growing from the inside out” and which “threaten to destroy the fragile ecosystem we have come to take for granted.” (p. 14) It is also a remarkably timely book in light of the recent revelations about NSA surveillance and how it is being facilitated with the assistance of various tech and telecom giants.

The clear and colloquial tone that Deibert employs in the text helps make arcane Internet security issues interesting and accessible. Indeed, some chapters of the book almost feel like they were pulled from the pages of techno-thriller, complete with villainous characters, unexpected plot twists, and shocking conclusions. “Cyber crime has become one of the world’s largest growth businesses,” Deibert notes (p. 144) and his chapters focus on many prominent recent examples, including cyber-crime syndicates like Koobface, government cyber-spying schemes like GhostNet, state-sanctioned sabotage like Stuxnet, and the vexing issue of zero-day exploit sales.

Deibert is uniquely qualified to narrate this tale not just because he is a gifted story-teller but also because he has had a front row seat in the unfolding play that we might refer to as “How Cyberspace Grew Less Secure.” Indeed, he and his colleagues at The Citizen Lab have occasionally been major players in this drama as they have researched and uncovered various online vulnerabilities affecting millions of people across the globe. (I have previously reviewed and showered praise on a couple important books that Deibert co-edited with scholars from The Citizen Lab and Harvard’s Berkman Center, including: Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace and Access Denied: The Practice and Policy of Global Internet Filtering. They are truly outstanding resources worthy of your attention.)

Black Code’s Many Meanings

So, what is “black code” and why should we be worried about it? Deibert uses the term as a metaphor for many closely related concerns. Most generally it includes “that which is hidden, obscured from the view of the average Internet user.” (p. 6) More concretely, it refers to “the criminal forces that are increasingly insinuating themselves into cyberspace, gradually subverting it from the inside out.” (p. 7) “Those who take advantage of the Internet’s vulnerabilities today are not just juvenile pranksters or frat house brats,” Deibert notes, “they are organized criminal groups, armed militants, and nation states.” (p. 7-8) Which leads to the final way Deibert uses the term “black code.” It also, he says, “refers to the growing influence of national security agencies, and the expanding network of contractors and companies with whom they work.” (p. 8)

Deibert is worried about the way these forces and factors are working together to undermine online stability and security, and even delegitimize liberal democracy itself. His thesis is probably most succinctly captured in this passage from Chapter 7:

We live in an era of unprecedented access to information, and many political parties campaign on platforms of transparency and openness. And yet, at the same time, we are gradually shifting the policing of cyberspace to a dark world largely free from public accountability and independent oversight. In entrusting more and more information to third parties, we are signing away legal protections that should be guaranteed by those who have our data. Perversely, in liberal democratic countries we are lowering the standards around basic rights to privacy just as the center of cyberspace gravity is shifting to less democratic parts of the world. (p. 130-1)

What Deibert is grappling with in this book is the same fundamental problem that has long plagued the Internet: How do you preserve the benefits associated with the most open and interconnected “network of networks” the world has ever known while also remedying the various vulnerabilities and pathologies created by that same openness and interconnectedness?  Deibert acknowledges this problem, noting:

Ever since the Internet emerged from the world of academia into the world of the rest of us, its growth trajectory has been shadowed by a grey economy that thrives on opportunities for enrichment made possible by an open, globally connected infrastructure. (p. 141)

The Paradox of the Net’s Open, Interconnected Nature

Again, paradoxically, this inherent instability and vulnerability is due precisely to the Net’s open and globally interconnected nature. And many governments are looking to exploit that fact. “These unfortunate by-products of an open, dynamic network are exacerbated by increasing assertions of state power,” Deibert notes. (p. 233)

More generally, this uncomfortable fact—that the Net’s open, interconnected nature leads to both enormous benefits as well as huge vulnerabilities—isn’t just true for criminal online activity or the cyber-espionage activities that various nation-states are pursuing today. It is equally true for everything online today. There is a sort of yin and the yang to the Net that is simply undeniable and completely unavoidable. For one issue after another we find that the Net’s greatest blessing—its open, interconnected nature—is also its greatest curse.

For example, as I noted here recently in my review of Abraham H. Foxman and Christopher Wolf ‘s new book, Viral Hate: Containing Its Spread on the Internet, the open and interconnected Internet gives us “the most widely accessible, unrestricted communications platform the world has ever known” but also  means we have to tolerate a great many imbeciles “who use it to spew insulting, vile, and hateful comments.” The same is true for other types of online speech and content: You have access to an abundance of informational riches, but there’s also no avoiding all the garbage out there now, too.

Similarly, as I noted in my essay, “Privacy as an Information Control Regime: The Challenges Ahead,” the open and interconnected Internet has given us historically unparalleled platforms for social interaction and commerce. But that same openness and interconnectedness has left us with a world of hyper-exposure and a variety of privacy and surveillance threats—not just from governments and large corporations, but also from each other.

And then there’s the never-ending story of digital copyright. On one hand, the open and globally interconnected network or networks has provided us with an amazing platform for sharing knowledge, art, and expression. On the other hand, as I noted in this essay on “The Twilight of Copyright,” creators of expressive works have less security than ever before in terms of how they can control and monetize their artistic and scientific inventions.

I could go on and on—as I did in my essays on “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges” and “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed”—but the moral of the story is pretty clear: The Internet giveth and the Internet taketh away. Openness and interconnectedness offer us enormous benefits but also force us to confront major risks as the price of admission to this wonderful network.

Will the Whole System Collapse?

The uncomfortable question that Deibert’s book tees up for discussion is: When will this balance get completely out of whack in terms of online security? Or, has it already? In some portions of the text, he hints that may already be the case. Consider this passage in Chapter 11 in which Deibert discusses whether the Chicken Little-ism of digital security worry-warts like Eugene Kaspersky and Richard Clarke is warranted:

Eugene Kaspersky, Richard Clarke, and others may sound like broken records or self-serving fear mongers, but there is no denying the evolving cyberspace ecosystem around us: we are building a digital edifice for the entire planet, and it sits above us like a house of cards. We are wrapping ourselves in expanding layers of digital instructions, protocols, and authentication mechanisms, some them open scrutinized, and regulated, but many closed, amorphous, and poised for abuse, buried in the black arts of espionage, intelligence gathering, and cyber and military affairs. Is it only a matter of time before the whole system collapses? (p. 186)

That sounds horrific, but is it really the case that the entire system really about to collapse? And, if so, what are we going to do about it?

This raises a small problem with Deibert’s book. He does such a nice job itemizing and describing these security vulnerabilities that by the time the reader wades through 230 pages and nears the end of the book, they are left in a highly demoralized state, searching for some hope and a concrete set of practical solutions. Unfortunately, they won’t find an abundance of either in Deibert’s brief closing chapter, “Toward Distributed Security and Stewardship in Cyberspace.”

Don’t get me wrong; I agree with the general thrust of Deibert’s framework, which I describe below. The problem is that it is highly aspirational in nature and lacks specifics. Perhaps that is simply because there are no easy answers here. Digital security is damn hard and, as with most other online pathologies out there, no silver-bullet solutions exist.

Deibert notes that some government officials will seek to exploit those vulnerabilities—many of which they created themselves—to expand their authority over the Internet. “Faced with mounting problems and pressures to do something, too many policy-makers are tempted by extreme solutions,” he notes. (p. 234) He worries about “a movement towards clamp down” that would be “antithetical to the principles of liberal democratic government” by undermining checks and balances and accountability. (p. 235) In turn, this will undermine the “mixed common-pool resource” that is the current Internet.

Deibert’s alternative cyber security strategy to counter the push to “clamp down” is based on three interrelated notions or components:

1. Principles of restraint or “mutual restraint”: “Securing cyberspace requires a reinforcement, rather than a relaxation, of restraint on power, including checks and balances on governments, law enforcement, intelligence agencies, and on the private sector,” he argues. (p. 239)
2. “Distributed security”: “The Internet functions precisely because of the absence of centralized control, because of thousands of loosely coordinated monitoring mechanisms,” Deibert notes. “While these decentralized mechanisms are not perfect and can occasionally fail, they form the basis of a coherent distributed security strategy. Bottom-up, ‘grassroots’ solutions to the Internet’s security problems are consistent with principles of openness, avoid heavy-handedness, and provide checks and balances against the concentrations of power,” he observes. (p. 240)
3. “Stewardship” which Deibert defines as “an ethic of responsible behavior in regard to shared resources” and which, he argues, “would moderate the dangerously escalating exercise of state power in cyberspace by defining limits and setting thresholds of accountability and mutual restraint.” (p. 243)

Again, as an aspirational vision statement this all generally sounds fairly sensible, but the details are lacking. I think Deibert would have been wise to spend a bit more time developing this alternative “bottom-up” vision of how online security should work and bolstering it with case studies.

Digital Security without Top-Down Controls

Luckily, as my Mercatus Center colleague Eli Dourado noted in an important June 2012 white paper, distributed security and stewardship strategies are already working reasonably well today. Dourado’s paper, “Internet Security Without Law: How Service Providers Create Order Online,” documented the many informal institutions that enforce network security norms on the Internet and shows how cooperation among a remarkably varied set of actors improves online security without extensive regulation or punishing legal liability. “These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms,” Dourado noted.

For example, a diverse array of computer security incident response teams (CSIRTs) operates around the globe and share their research and coordinate their responses to viruses and other online attacks. Individual Internet service providers (ISPs), domain name registrars, and hosting companies, work with these CSIRTs and other individuals and organizations to address security vulnerabilities. A growing market for private security consultants and software providers also competes to offer increasingly sophisticated suites of security products for businesses, households, and governments.

A great deal of security knowledge is also “crowd-sourced” today via online discussion forums and security blogs that feature contributions from experts and average users alike. University-based computer science and cyberlaw centers (like Citizen Lab) and experts have also helped by creating projects like “Stop Badware,” which originated at Harvard University but then grew into a broader non-profit organization with diverse financial support.

Dourado continues on in his paper to show how these informal, bottom-up efforts to coordinate security responses offer several advantages over top-down government solutions, such as administrative regulation or punishing liability regimes.

Dourado’s description of the ideal approach to online security is entirely consistent with Deibert’s vision in Black Code. In fact, Deibert notes, “It is important to remind ourselves that in spite of the threats, cyberspace runs well and largely without persistent disruption. On a technical level, this efficiency is founded on open and distributed networks of local engineers who share information as peers,” he observes. (p. 240) That is exactly right, but I wish Deibert would have spent more time discussing how this system works in practice today and how it can be tweaked and improved to head off the heavy-handed and very costly top-down solutions that we both dread.

Toward Resiliency

But there’s one other thing I wish Deibert would have explored in the book: resiliency, or how we have adapted to various cyber-vulnerabilities over time.

For example, in another recent Mercatus Center study entitled “Beyond Cyber Doom: Cyber Attack Scenarios and the Evidence of History,” Sean Lawson, an assistant professor in the Department of Communication at the University of Utah, has stressed the importance of resiliency as it pertains to cybersecurity and concerns about “cyberwar.” “Research by historians of technology, military historians, and disaster sociologists has shown consistently that modern technological and social systems are more resilient than military and disaster planners often assume,” he writes. “Just as more resilient technological systems can better respond in the event of failure, so too are strong social systems better able to respond in the event of disaster of any type.”

More generally, as I noted in my recent law review article on “technopanics” and “threat inflation” in information technology policy debates:

while it is certainly true that “more could be done” to secure networks and critical systems, panic is unwarranted because much is already being done to harden systems and educate the public about risks. Various digital attacks will continue, but consumers, companies, and others organizations are learning to cope and become more resilient in the face of those threats.

What Professor Lawson and I are getting at in our respective articles is that the ability of organizations, institutions, and individuals to bounce back from adversity is a frequently unheralded feature of various systems and that it deserves more serious study. (See Andrew Zolli and Ann Marie Healy’s nice book, Resilience: Why Things Bounce Back, for more on this general topic). In the context of online security, what is most remarkable to me is not that the Internet suffers from vulnerabilities due to its open and interconnected nature; it’s that we don’t suffer far more damage as a result.

This gets us back to that very profound question that Deibert poses in Black Code: “Is it only a matter of time before the whole system collapses?” The better question, I think, is: why hasn’t the system already collapsed? Perhaps the answer is, because things haven’t gotten bad enough yet. But I believe that the more realistic answer is that: individuals and institutions often learn how to cope and become resilient in the face of adversity. This is partially the case online because of the stewardship and distributed, decentralized security we already see at work today that makes digital life tolerable.

But it has to be something more than that. After all, many of the security problems that Deibert describes in his book are quite serious and already affect millions of us today. How, then, are we getting by right now? Again, I think the answer has to be that adaptation and resiliency are at work on many different levels of online life.

Consider, for example, how we have learned to deal with spam, viruses, online porn, various online advertising and privacy concerns, and so on. Our adaptation to these threats and annoyances has not been perfectly smooth, of course. No doubt, some people would still like “something to be done” about these things. But isn’t it remarkable how we have, nonetheless, carried on with online commerce and interactive social life even as these problems have persisted?

Conclusion

Going forward, therefore, perhaps there are some reasons for hope. Perhaps the various generic strategies that Deibert outlines in his book, coupled with the remarkable ability of humans to roll with the punches and adapt, will help us come out of this just fine (or at least reasonably well).

Of course, it could also be the case that these security concerns just multiply and that the Internet then morphs into sometime quite different than the interconnected “network of networks” we know today. As I noted in my 2009 essay on “Internet Security Concerns, Online Anonymity, and Splinternets,” we might be moving toward a world with more separate dis­connected digital networks and online “gated communities.” This could take place spontaneously over time and be driven by corporations seeking to satisfy the demand of some consumers for safer and more secure online experiences. As I noted in my review of Jonathan Zittrain’s book, The Future of the Internet, I am actually fine with some of that. I think we can live in a hybrid world of “walled gardens” alongside of the “Wild West” open Internet, so long as this occurs in a spontaneous, organic, bottom-up fashion. [For a more extensive discussion, see my book chapter, “The Case for Internet Optimism, Part 2 – Saving the Net From Its Supporters.”]

If, however, this “splintering” of the Net is done from the top-down through intentional (or even incidental) government action, then it is far more problematic. We already see signs, for example, that Russia is pushing even more strongly in that direction in the wake of the NSA leaks. (See “N.S.A. Leaks Revive Push in Russia to Control Net,” New York Times, July 14.) The Russians have been using amorphous security concerns to push for greater Internet control for some time now. Of course, China has been there for years. So have many Middle Eastern countries. Of course, there’s no guarantee that their respective “splinternets” are, or would be, any more secure than today’s Internet, but it sure would make those networks far more susceptible to state control and surveillance. If that’s our future, then it certainly is a dismal one.

Anyway, read Ron Deibert’s Black Code for an interesting exploration of these and other issues. It’s an excellent contribution to field of Internet policy studies and a book that I’ll be recommending to others for many years to come.

Additional resources:

• the official website for Black Code
• the Citizen Lab website at the University of Toronto
• follow Ronald Deibert and The Citizen Lab on Twitter
• video of Washington, D.C. book launch for Black Code (held at the National Endowment for Democracy on 6/24/13)

Other books you should read alongside “Black Code” (links are for my reviews of each book):

• Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace edited by Ronald J. Deibert, John G. Palfrey, Rafal Rohozinski, and Jonathan Zittrain
• Consent of the Networked: The Worldwide Struggle for Internet Freedom , by Rebecca MacKinnon
• Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke and Robert K. Knake
• Liars & Outliers: Enabling the Trust that Society Needs to Thrive, by Bruce Schneier
• Regulating Code: Good Governance and Better Regulation in the Information Age, by Ian Brown & Christopher T. Marsden
• Networks and States: The Global Politics of Internet Governance, by Milton Mueller
• Resilience: Why Things Bounce Back, by Andrew Zolli & Ann Marie Healy

The New York Times reports:

The Russians, who with only minimal success, had for years sought to make these companies provide law enforcement access to data within Russia, reacted angrily. Mr. Gattarov formed an ad hoc committee in response to Mr. Snowden’s leaks.

Ostensibly with the goal of safeguarding Russian citizens’ private lives and letters from spying, the committee revived a long-simmering Russian initiative to transfer control of Internet technical standards and domain name assignments from two nongovernmental groups that control them today to an arm of the United Nations, the International Telecommunications [sic] Union.

It’s not immediately clear to me how moving Internet standards and DNS from IETF and ICANN to the ITU is supposed to stop the NSA from spying on Russians, so the smart read is that this is retaliation pure and simple.

Brazil’s foreign minister, Antonio Patriota, for example, a week ago endorsed the Russian proposal to transfer some control over Internet technical standards to the United Nations telecommunications agency.

While these are not major changes in policy positions, the NSA’s surveillance programs seem to be galvanizing those who want the ITU to take an active role in Internet governance. It’s time for the USA to practice what it preaches on Internet freedom.

Next week, I’ll be in Geneva for the 2013 World Telecommunication/ICT Policy Forum, better known by the acronym WTPF-13. This is the first major ITU conference since the WCIT in December, and the first real test of whether what some are calling the “post-WCIT era” really exists, and if so, what it means. For those just now tuning in, the WCIT was a treaty conference in Dubai in which some ITU member states pushed hard to make elements of the Internet subject to intergovernmental agreement, resulting in the refusal of 55 countries to sign the treaty. I published a retrospective account of my experience at the WCIT at Ars Technica.

The WTPF will be different than the WCIT in several important ways:

• It’s not a treaty conference. The output of the meeting is instead a report and several opinions. Draft text of these have been negotiated over three preparatory meetings of an “Informal Experts Group” (IEG). The WTPF will finalize the text, which is non-binding, but is likely to be selectively quoted at future treaty conferences in order to pursue the agenda of each member state.
• Sector members can participate. The ITU is an intergovernmental organization, and member states are its primary constituency. However, the ITU also allows for “sector members,” which are mostly corporations that are involved in international telecommunications. Sector members will have microphones and be able to address the chair during the WTPF, something they could not do during the WCIT. It has not yet been made conclusively clear to me whether sector members will be able to formally vote, if a formal vote is held. (Secretary-General Hamadoun Touré said there would be no voting at the WCIT, but both informal and formal votes were held.)
• The Internet is explicitly on the table. The Secretariat promised that Internet governance would not be considered at the WCIT, but it ultimately was, which is one reason that the conference failed to produce a treaty that all countries could feel comfortable signing. But the official theme of the WTPF is “international Internet-related public policy matters,” so there is widespread agreement that the Internet is a suitable topic of discussion at the WTPF, even if there is little agreement on conclusions.
• Anybody can download and read the official WTPF documents. Before and during the WCIT, working drafts and member state contributions were kept secret. Jerry Brito and I started WCITLeaks in order to give the general public access to these documents. For whatever reason—whether exposure of the lack of transparency in the WCIT process embarrassed the ITU Secretariat, or they were planning to make the WTPF more open anyway—all WTPF documents are available for your perusal, several in all six official ITU languages. Either way, I’m happy to applaud the decision to make the documents available.
• The WTPF is only three days long. The WCIT was almost two weeks. This imposes significant limitations on the amount of deliberation that can occur. There is also a WTPF every 4 years, whereas a WCIT happens only on an as-demanded basis.

Since the conference is going to be short, I expect that most of the debate will focus on the six draft opinions that have been attached to the Secretary-General’s report. The report itself is probably too long to receive substantial revision in only three days. Consequently, the opinions are likely to be where the action is. The draft opinions are:

1. Promoting Internet Exchange Points (IXPs) as a long term solution to advance connectivity
2. Fostering an enabling environment for the greater growth and development of broadband connectivity
3. Supporting Capacity Building for the deployment of IPv6
4. In Support of IPv6 Adoption and transition from IPv4
5. Supporting Multi-stakeholderism in Internet Governance
6. On supporting operationalizing the Enhanced Cooperation Process

Opinions 1 and 2 will be consider in Working Group 1, 3 and 4 will be considered in Working Group 2, and 5 and 6 will be considered in Working Group 3.

The United States has expressed qualified support for the current draft text of all six opinions in its contribution to the WTPF:

The United States is prepared to endorse the consensus achieved by the IEG and adopt the six non-binding opinions as presented in the annex to the Secretary General’s report. We take this approach based on our desire for a successful forum, despite some concerns with respect to the opinions on multi-stakeholderism and enhanced cooperation. But we recognize, as we hope all participants do, that to attempt to renegotiate the text or introduce new topics or opinions during this meeting would cause significant difficulties and upset the consensus already achieved.

Nevertheless, other countries have proposed substantial changes to the draft IEG text. Perhaps the most controversial opinion is number 5 on multi-stakeholderism. Multi-stakeholderism is a tricky element of international Internet politics. Most participants have agreed at one point or another that the “multi-stakeholder” institutions that currently govern the Internet are an important part of the Internet’s success. However, this has led the more authoritarian countries to insist that governments are stakeholders too, and it has led those who support greater ITU involvement in international Internet policy to insist that the ITU is a multi-stakeholder organization.

For example, in a speech two weeks ago in Brussels, Secretary-General Touré said:

This opinion reiterates what I have been saying for some time—that the ITU has been multi-stakeholder from its inception, and that it was the success of the multi-stakeholder approach within ITU that inspired the multi-stakeholder principles agreed at the ITU-led World Summit on the Information Society, WSIS.

Now, Opinion 5 does  not say that the ITU is a multi-stakeholder organization (read it yourself), and the ITU is certainly not and has never been a multi-stakeholder institution, unless “multi-stakeholder” is defined as simply having multiple stakeholders. Among those who originally advocated multi-stakeholderism, the term connotes a certain bottom-up, voluntary, inclusive, and even informal process, which is incompatible with intergovernmentalism. This…loose talk…by the Secretary-General appears to be intended to position the ITU to take a more active role in Internet governance. Some member states share Dr. Touré’s apparent agenda. For example, Brazil’s proposed replacement for Opinion 5 explicitly says, “ITU is a multistakeholder organization.”

Russia’s proposed edits to Opinion 5 focus much less on the ITU itself and more on the role of government. For instance, it invites member states:

to exercise their rights on Internet Governance to control distribution, appropriation and development of Internet numbering, naming, addressing and identification resources and support the operation and development of the basic information and communication infrastructure, include the Internet, at the national level.

In other words, Russia wants to supplant existing Internet governance structures with national laws.

Aside from Opinion 5, the other major issue I am keeping my eye on is Working Group 2 on IP addresses and the IPv6 transition. Late last week, there was an unexpected shuffling of Working Group chairs. The chairwoman of WG3 was removed, the chairman of WG2 was moved to WG3, and Musab Abdullah from Bahrain was announced as the new chairman of WG2.

Those of us who were at the WCIT remember Mr. Abdullah as a forceful advocate for measures, like calling party identification and government-managed naming and numbering resources, that would have enabled greater government control of telecommunication services. And Bahrain is one of the most repressive regimes with respect to the Internet in the world. Reporters Without Borders considers Bahrain one of only five “state enemies of the Internet” in 2013.

So why did this shakeup of Working Group chairs happen, and why is one of the world’s top censors now chairing the Working Group on IP addressing? Could there be a strong push in favor of an expansive role for governments in assigning IP addresses, one that would allow governments to more easily link IP addresses to individuals in order to support censorship? We’ll find out next Wednesday morning when WG2 convenes.

For updates during the WTPF, follow me on Twitter. As always, any views expressed in this post or in future posts and tweets are my own, and should not be attributed to any government or delegation.

My piece about the U.S. Chamber of Commerce event last Friday on U.S. intellectual property attachés giving a report, and taking a hard line, on the enforcement of U.S. intellectual property, overseas, is now live on ip-watch.org.

Here’s the first couple of paragraphs:

WASHINGTON, DC – Nations ranging from Brazil to Brunei to Russia are failing to properly protect the intellectual property assets of US companies and others, and international organisations are not doing enough to stop it, seven IP attachés to the US Foreign and Commercial Service lamented recently.

Meanwhile, an industry group issued detailed recommendations for the incoming Obama administration’s changes to the US Patent and Trademark Office.

The problems in other nations extend from Brazil’s failure to issue patents for commercially significant inventions by US inventors, to an almost-complete piracy-based economy in Brunei, to an only-modest drop in the rate of Russian piracy from 65 percent to 58 percent.

The attachés, speaking at an event organised by the US Chamber of Commerce and its recently beefed-up Global Intellectual Property Center (GIPC), blasted the record of familiar intellectual property trouble zones like Brunei, Thailand and Russia.

But the problems extend to the attitudes and omissions of major trading partners like Brazil, India and even well-developed European nations, said the attachés.

[more at http://www.ip-watch.org/weblog/index.php?p=1387….]