Get Real(ist): Don’t confuse NSA regulation with Internet regulation

In her UN General Assembly speech denouncing NSA surveillance, Brazil’s President Dilma Rousseff said:

Information and communications technologies cannot be the new battlefield between States. Time is ripe to create the conditions to prevent cyberspace from being used as a weapon of war, through espionage, sabotage, and attacks against systems and infrastructure of other countries. … For this reason, Brazil will present proposals for the establishment of a civilian multilateral framework for the governance and use of the Internet and to ensure the protection of data that travels through the web.

We share her outrage at mass surveillance. We share her opposition to the militarization of the Internet. We share her concern for privacy.

But when President Rousseff proposes to solve these problems by means of a “multilateral framework for the governance and use of the Internet,” she reveals a fundamental flaw in her thinking. It is a flaw shared by many in civil society.

You cannot control militaries, espionage and arms races by “governing the Internet.” Cyberspace is one of many aspects of military competition. Unless one eliminates or dramatically diminishes political and military competition among sovereign states, states will continue to spy, break into things, and engage in conflict when it suits their interests. Cyber conflict is no exception.

Rousseff is mixing apples and oranges. If you want to control militaries and espionage, then regulate arms, militaries and espionage – not “the Internet.”

This confusion is potentially dangerous. If the NSA outrages feed into a call for global Internet governance, and this governance focuses on critical Internet resources and the production and use of Internet-enabled services by civil society and the private sector, as it inevitably will, we are certain to get lots of governance of the Internet, and very little governance of espionage, militaries, and cyber arms.

In other words, Dilma’s “civilian multilateral framework for the governance and use of the Internet” is only going to regulate us – the civilian users and private sector producers of Internet products and services. It will not control the NSA,  the Chinese Peoples Liberation Army, the Russian FSB or the British GCHQ.

Realism in international relations theory is based on the view that the international system is anarchic. This does not mean that it is chaotic, but simply that the system is composed of independent states and there is no central authority capable of coercing all of them into following rules. The other key tenet of realism is that the primary goal of states in the international system is their own survival.

It follows that the only way one state can compel another state to do anything is through some form of coercion, such as war, a credible threat of war, or economic sanctions. And the only time states agree to cooperate to set and enforce rules, is when it is in their self-interest to do so. Thus, when sovereign states come together to agree to regulate things internationally, their priorities will always be to:

  • Preserve or enlarge their own power relative to other states; and
  • Ensure that the regulations are designed to bring under control those aspects of civil society and business that might undermine or threaten their power.

Any other benefits, such as privacy for users or freedom of expression, will be secondary concerns. That’s just the way it is in international relations. Asking states to prevent cyberspace from being used as a weapon of war is like asking foxes to guard henhouses.

That’s one reason why it is so essential that these conferences be fully open to non-state actors, and that they not be organized around national representation.

Let’s think twice about linking the NSA reaction too strongly to Internet governance. There is some linkage, of course. The NSA revelations should remind us to be realist in our approach to Internet governance. This means recognizing that all states will approach Internet regulation with their own survival and power uppermost in their agenda; it also means that any single state cannot be trusted as a neutral steward of the global Internet but will inevitably use its position to benefit itself. These implications of the Snowden revelations need to be recognized. But let us not confuse NSA regulation with Internet regulation.

10 comments

  1. Jeremy Malcolm

    Since I didn’t make this clear in the article that you linked to, the translation of “civilian multilateral framework for the governance and use of the Internet” is Marco Civil da Internet. So that’s what we’re talking about here. To say that this framework – essentially a bill of rights for Internet users – “is only going to regulate us” is just fear-mongering. Whether it will have an appreciable impact on states is a separate question, but you could at least have acknowledged that realism is only one theory of international relations, and that there are more mainstream liberal theories in which international law has a more significant place.

    • Milton Mueller

      Jeremy
      Whoa. Marco Civil da Internet is a proposed piece of domestic legislation for the Internet in Brazil. It is not what President Rousseff was proposing for the international summit. Indeed, it has not even been passed yet in Brazil. I would note that my point in the blog is corroborated by what happened in Brazil after the NSA revelations: Dilma tried to amend the proposed law to include data sovereignty provisions. I have heard that due to opposition she is separating that proposal from the Marco, but it just goes to show that even what is nominally a civil rights bill can easily turn into a restrictive measure in the hands of a state; one can only imagine what a group of states including many less democratic and free than Brazil will do. Anyway, my main point, which you seem to not address in your comment, is this: if you want to control things like NSA espionage, regulate and control the NSA’s conduct, not “the use of the Internet.” Good to see that you admit that these efforts may not have “an appreciable impact” on states. If you and others are starting to get that, we are making progress.

    • Handal Morofsky

      Jeremy, perhaps you took offense to the use of the word, ‘flaw’. (substitute ‘presupposition’ for ‘flaw’.) The first response when something happens seems to be ‘more governance’, horizontally and vertically. Milton draws a necessary distinction between governing the NSA (and foreign counterparts) and governing use of the internet which can and likely will affect us. This is not fear-mongering. I don’t believe it is too out of the question to question more power being put into the hands of a group of states, many of which are less democratic than we are.

  2. Prabir

    So treaties banning chemical waepons, bilogical weapons etc are all useless? International law or countries agreeing not do something through treaties is bogus? That spying on the UN in spite a treaty obligation not do so is par for the course? Completely self-serving US defence. Yesa NSA is doing bad things, but that is the way of all governments and the “cure” is worth than the disease.
    And you do need to follow up on your sentence that “any single state cannot be trusted as a neutral steward of the global Internet but will inevitably use its position to benefit itself”. So why is multilateral control not better than this?
    Prabir

  3. Milton Mueller

    Can you tell me what treaty obligation exists to prevent the US from spying on Brazil or any other state? I am pretty sure you can’t find one.
    As for nuclear, chemical and biological weapons, I don’t think we are in disagreement. They need to be controlled, just as state cyber-war and intelligence agencies need to be controlled. But this will not happen via “Internet governance.”
    Realism simply tells us that more powerful states like the US will try to prevent other states from getting dangerous weapons that threaten their security, for obvious reasons. If enough states see it as in their self interest to cooperate in restricting the proliferation of these weapons, I admit that such controls could be somewhat effective. But only if quite a few sovereigns have the right incentives to cooperate, and only if the more powerful states have the ability to coerce the Syrias and North Koreas of the world.
    Multilateral control is not better than unilateral state control because it would make the Internet a plaything of international coalitions of states based on a one-state, one-vote formula and because it would shut the actual users and suppliers of Internet services out of the picture.

  4. Pingback: Library: A Round-up of Reading | Res Communis
  5. Mawaki

    I got your main point, but I’m trying to expand it to the fullness of my understanding about what is going on here. So I am thinking along your premises, whatever I might think of them otherwise.
    When states found that technology enables massively deadly weapons to proliferate and they really don’t want to take chances, they got into talks and struck deals –international treaties or multilateral agreement on rules of conduct all states should be obligated to re. those weapons. They did not just call on the weapons industry and producers to demand they stop producing certain types of arms by, say, making them sign a commitment. Not least because everybody knows that states are in fact the principals and industry actors only agents and contractors when it comes to that level of sophisticated weaponry.
    Now, we are facing a situation where Internet is the medium being used as a “weapon” or the means of a kind of warfare. The NSA’s of the world are state agents and they are not the ones that are going to define the rules that they will then impose upon themselves. If (beyond domestic checks and balances which only depend on every single state) any “civilian” conduct at international level is desirable and could be agreed on, it is going to have to be between states obviously. And one way or the other, it’s going to be about the Internet, right? Or cybersecurity or cyber something, whatever Internet related. Like in how states can agree to conduct themselves against each other (and maybe against their people) using the Internet, no? In any case, Internet would be the topic, it seems –even though we can agree not to call that Internet governance and that it needs not to involve Internet numbering and naming resources. (So, just as weapon treaties were negotiated and agreed among states as opposed to just jamming regulations to the throat of arm industry, I’d agree with you that the answer to President Rousseff’s concerns may lie somewhere other than regulation of IANA functions, Internet connectivity providers and operators.) Now, can you imagine any such summit or conference being announced in order for states to come up with some basic ground rules, or rules of engagement if you will, without generating any outcry from whichever actors claiming governments are having an Internet summit, indeed an _Internet governance treaty_ summit, and that automatically means Internet is in danger, etc. Plus if such conference were to take place, what else would civil society do other than to say “Wait a second, while you states are talking cybersecurity or whatever, and we all know you’re good at taking away our privacy rights in the name of security, we want to be in the room and make sure you recognize our fundamental rights in whatever you’ll decide.” At that point, do you really think it would be wrong to refer to such process as an Internet governance process?
    In other words, is it possible at all to have a process that will NOT be related to Internet governance, and is there really any realistic and “realist” way, to address the concerns that President Rousseff raises –which, granted, are not necessarily about Internet numbering and naming but which, perhaps precisely for that reason, may be shared by even more people in the civil society not for the sake of governments, as you can imagine, but because at the end of the day, it’s people’s individual freedoms that are also being chipped away in this vacuum of any concerted rules?

  6. Pingback: Governance | Americans for Internet Freedom
  7. Pingback: Anton’s Weekly International Law Digest, Vol. 4, No. 13 (5 November 2013) | Anton's Weekly International Law Digest
  8. Erik Bais

    The line between cripling and invasive privacy is a delicate one.

    For the record, I’m a sponsor of Bits of Freedom, a liberal party voter in The Netherlands and the owner and CEO of an ISP. I was the author for the policy RPKI for non-member at RIPE, (2013-04) to allow non-members ( Early registration and PI space holders) be able to participate in the whole RPKI system. 

    The Netherlands is one of 2 countries worldwide net-neutrality defined as required by law. 

    The intelligence agencies are in the business of invading ones privacy, with a focus on (foreign) espionage, extremist activity ( including green / left wing treehuggers and anti-goverment / anti-violance groups etc) and terrorism, background checks and overall intelligence gathering. 
    Every country has one (or more than one) and the national laws define what their mandate and the rules are which they need to work within… 

    Each country should have some oversight commity which approves and reviews the agencies actions, to make sure there is no scope creep of the stated laws /guidelines and keep the people accountable when needed as part of the democratic process… 

    Can one blame the US goverment that they (NSA) spy on the UN or embassy’s. No, it was naief to think it wouldn’t happen and it showed that the democratic process of oversight failed. 

    In the Netherlands, certain Intel. Agency laws prevent them (AIVD and MIVD) (currently) to massive cable infrastructure taps. But with more data moving across fibers instead of wireless (radio/ satelite) infrastructure, there wil be a change in those laws. Not because we like it, but it is required for them to do their job. 

    On the part where countries will agree on how to behave within a UN context towards eachother on and off-line, spying eachother, or agree to neutral zones or to not do specific activities across the internet, is going to be a discussion to be held. What the NSA did isn’t different from what the Chinese are doing with the Chinese counterpart. 

    Similar as with off-line out of country activities, which are considered an act of war and espionage etc, the online activities like DDOS attacks, hacking, breaking in at another country their various public entities like energy bodies or ministeries, city related infrastructures, planting malware, remote wiretapping etc are going to be regarded and treathed similar as off-line activities. When discovered, they will move up into the diplomatic lines and in some cases it will be put to the media to emberase the offending party, like the GHCQ and NSA at the Belgium telco Belgacom hacks. 

    How does this related to internet governance ? The country with the most grip on certain key parts of the internet infrastructure might have an advantage compaired to others. Like the DNS system or RPKI system. That is why dividing the governance for those systems is such a key element for our freedom on the net. 

    I am in favor for a governance structure for those key systems outside a specific US originated structure, because the US law disqualifies imho (Patriot Act and FISA) to have a structure which would keep it outside goverment hands.