Berkman Center Fellows Hour Course: Web Exceptionalism

Yashomati Ghosh, Berkman Center Fellow and professor at the National Law School of India University, spoke on February 1, 2011 about efforts by the Indians federal government to deploy technology in support of an initiative to empower India’s rural poor.

[My apologies to Yashomati for failing to post this write-up sooner.  Brad A.]

At the outset, Yashomati said she was unsure whether the presentation would fit the Fellows Hour “web exceptionalism” theme, except perhaps by suggesting digital media and Internet technologies as tools of empowerment.  Yashomati noted that at present less than 7% of the Indian population has Internet access.

The occasion for the introduction of significant Internet access in rural India has been the federal government’s implementation of the Mahatma Gandhi National Rural Employment Guarantee Act 2005 (“Gandhi Act” — my term, not Yashomati’s).  Yashomati explained that the Gandhi Act is globally significant legislation.  Its expressed objective is to provide work to rural people for a minimum of 100 days in a particular area, and the object of the work guarantees is to “bootstrap economic development.”

Yashomati stated that the Gandhi Act reflects Gandhi’s own ideals.  Gandhi was wont to observe that a country that focuses on rural development will develop itself.  The law represents a significant policy shift in India away from its previous emphasis on urban development.  The Gandhi Act hopes to bring India in line with UN Millennium Development Guarantees.  Finally, the Gandhi Act advances India’s constitutional commitment to human dignity.

At present, employment in rural areas is seasonal, because of the agricultural cycle.  On the downside of the cycle, many of India’s rural laborers simply aren’t working — a fact that contributes to the growing problem of mass migration into urban areas.  By providing 100 days’ work to rural poor who would otherwise be idle in the off-season, India expects to increase the rural population’s spending capacity on food, health, and education.  Moreover, Yashomati explained, securing minimum wages will exert upward pressure on the rural labor market and open up better job opportunities for vulnerable communities, including low-caste rurals and women.  The hope is to kick-start rural development, which will then proceed — it is hoped — without government intervention.

Yashomati emphasized that the Gandhi Act does not mean to create a system of public employment, so much as to subsidize wages for rural workers taking up other off-cycle work projects.  The law will guarantee each person 100 days per year of minimum wage.

So much for the law’s promise.  Yashomati went on to discuss the problems the federal government has encountered in implementing it.

Most importantly, the law’s implementation is impaired by corruption.  The legislation requires rural households to register locally and obtain a job card.  Then the beneficiaries must apply for work, after which work will be provided within 14 days.  Work sites are selected on basis of local need.  Timely payment of wages is promised, with compensation due for untimely payment.  If there is no work available, then the government arranges for payment of unemployment allowances.  At each phase of this process, there are opportunities for corrupt officials to frustrate the law: officials may fail to issue job cards, delay or deny receipt of the acknowledgment required for obtaining the work, select work sites based on their own vested interests, delay payment of wages or make an improper accounting of the work done.  Corrupt officials may also fudge the muster rolls (local officials overstate work days and pocket the difference), work site records, or withhold unemployment allowances for themselves.

Rural populations depend upon local officials to advise them of the Gandhi Act’s provisions and their rights thereunder.  The people lack awareness and understanding of the Act, and for that matter, a mechanism to enforce it.

Yashomati reported that ideas have been floated to correct the problems.  One preferred method is to initiate communication using information technology.  The government has created a central Digital Knowledge Repository — a public website that tries to give details about the kinds of work initiated by the government.  Links on the site display pictorial representations of the work, along with audio explanations, so that content is accessible to illiterate users.  The site is about two years old.

The website alone is ultimately not of much use to the people in rural areas, Yashomati pointed out.  As she earlier noted, a mere 7% of Indians have access to the Internet, and those who do reside primarily in the urban areas.  People also don’t have the necessary computer literacy.

Accordingly, the government has introduced “Info Kiosks” into rural communities.  An Info Kiosk is a touch-screen, voice-enabled device that supplies information about the Gandhi Act, workers’ entitlements, work site options, and unemployment allowances.  The kiosks also feature help and grievance platforms and job application platforms; they issue job receipts and payment slip receipts, and record individuals’ work history.

In addition to Info Kiosks, the government has deployed Unified Hand Held Devices at work sites.  The UHHDs feature a biometric- and GPS-verified attendance tracking system.  An “e-muster” is generated based on biometric measures of workers’ presence at work sites.  A UHHD can issue work receipts, photograph work that has been performed, and so enable assessments of its progress.  At the point of setting up the computers, the Indian federal government obtains biometric information from program participants; the information ties fingerprint and eyeball (retinal scan?) information to unique ID numbers.

Q: doesn’t the biometric information gathering raise privacy concerns?  Yashomati answered that a recent proposal to issue national ID cards did trigger a privacy backlash.  Not so much for this program, which is seen to provide an improvement of living conditions, notwithstanding the detriment to privacy — that is, a net gain.  Yashomati added that the Indian people regard the state with much less suspicion than, say, Americans do, due to the less significant social role of private corporations.  Yashomati explained that in India, unlike in the West, political democracy was achieved in advance of economic development, with the result that, for example, India railways are nationalized and heavily subsidized.  The Indian constitution does not specify a right of privacy.  Privacy rights are indeed recognized by the Supreme Court of India, but always balanced against/qualified by the public good.

Q: How does the federal effort to open up work opportunities jibe with the rural caste system’s strict division of labor?

Yashomati said that castism is prohibited in India, as a matter of law.  Indeed, in urban settings caste consciousness is already outmoded, as it cannot be strictly observed.  The constitution carries a clause calling for the support of people in the “backward communities.”  The government has substantial latitude to legislate in this area, and the Gandhi Act strictly forbids any gestures to accommodate caste-based restrictions.

Q: How much does the technology-based answer to implementation issues reflect the influence of the “Bangalore Billionaires” on government policy?

Yashomati acknowledged that this is “a bit of a deal with the Devil, but they meet an area of need.”  It is encouraging that public/private partnerships have been recognized as avenues to efficiency and quality.  Yashomati noted that Indians pay a high tax rate, but they expect results, too.  Although there is an opportunity for corruption in these partnerships, people see and accept so much baseline corruption that they are pleased to tolerate the sort that brings with it facility and convenience (and empowerment).

A third implemented technology is a system that enables program participants to retrieve their job cards by SMS texting.  One method of communication that has penetrated into rural areas is mobile phone usage: India has some 660 million mobile phone subscribers.

Yashomati identified factors hindering the expansion of information and communications technology into rural India, specifically — and the success of the Gandhi Act, generally.  These include the vast financial expenditure necessary to deploy the technologies, inadequate and irregular computer training of rural citizens, the lack of a computer-knowledgeable workforce ready and willing to work in rural areas, the mindset of government functionaries, and deficiencies in initiating prompt penal actions against corrupt officials.

“If technology helps to fulfill the basic human right to work for 22 percent of the world’s poor population,” Yashomati pronounced, “it will be an ‘exceptional’ event.”

On October 26, 2010 Taiwanese prosecutor and Berkman Fellow Doreen Tu presented on web exceptionalism and the evolving treatment of computer-related criminal offenses in Taiwan.  Doreen’s lively and thoughtful presentation offered interesting insights into the practice of law in Taiwan, on a subject of transnational import — as criminal impulses increasingly find their outlet online.

[Apologies to all — and especially Doreen — for the delay in writing up these notes.  Brad A.]

In 2003 Taiwan amended its Criminal Code to add a new chapter describing computer-related crimes.  Prior to these amendments, Taiwan prosecuted computer-related offenses under the existing laws, which for the most part were adequate to reach online conduct of concern to prosecutors.  A series of criminal complaints in the early 2000s put this assumption to the test, and ultimately the state determined that it needed computer-specific crimes on the books.

Doreen asked: do we need to define specific “cybercrimes,” or are cybercrimes simply an online manifestation of ordinary criminal conduct, albeit accomplished with different tools (and against different targets)?

For a period of time, the principal “cybercrimes” that had the attention of prosecutors in Taiwan were crimes with obvious “hard-copy” analogues that perpetrators had carried over onto the Internet.  The existing Criminal Code was appropriately enforced against online instances of fraud, illegal gambling, child pornography and copyright infringement.  Efforts to prosecute unauthorized access to or destruction or deletion of electronic data required a further analytical step: the law was required to treat electronic data as “property” or “documents.”  Nonetheless, once this interpretation took hold, the state could bring appropriate charges under the existing laws proscribing vandalism or theft.

Then “Lineage” came along to challenge this paradigm.  Lineage is a popular online computer game, and Doreen credits it for triggering the 2003 amendments to the Taiwanese Criminal Code.  The game originated in South Korea — we’ve translated the title to mean “Lineage,” whereas in Chinese the game’s title means “Heaven.”  The game made a splash in Taiwan around 2000.  It requires a user ID and password, and through gaming effort players obtain “virtual property” (e.g., weapons, jewelry) that can be traded among the players.  These properties are valuable enough — that is, they require enough of an investment of in-game time and effort to acquire — that they have real-world value to the players.  As a result, websites have appeared to facilitate exchange of Lineage properties.

One especially valuable Lineage resource is the invisibility cloak, about which Doreen tells the following story:

A teenage Lineage player traded for an invisibility cloak.  He later entered his user ID and password into Lineage, logged into the game, and found that he did not have it anymore.  It had vanished.  The player took his complaint to prosecutors.  “My invisibility cloak was stolen,” the youth told the Prosecutor on Duty, a colleague of Doreen’s.  The Prosecutor on Duty had no idea what to make of this, but following the investigator’s handbook, he asked appropriate questions, including “Where did you last have it?”  “Heaven,” the complainant answered.  This answer did little to relieve the PoD’s confusion.

A cascade of similar complaints to Doreen’s office — each involving lost or stolen Lineage artifacts — followed.  A common element emerged: all of the victims had been playing Lineage in the same Internet café.  Investigators came to understand that a single perpetrator had infected the machines, managed to obtain the user IDs and passwords Lineage players had entered at the cybercafé’s terminals, and, having appropriated the online identities of the users, disposed of their Lineage properties.

Prosecutors struggled to identify appropriate criminal charges for this conduct.  The “invisibility cloak” was an “electromagnetic record,” and therefore a form of property under Taiwanese law.  A theft charge would stick, as a legal matter.  And yet the government came to realize that the Criminal Code did not describe offenses that would reach the conduct prosecutors wanted to punish — namely, the infection of the café’s computers with malware and the abuse of third-party user authentication information. Infecting a computer with the malware necessary to swipe the ID information would not qualify as “destruction” of or damage to property sufficient to support a vandalism charge.  Likewise, there was no specific criminal charge available under Taiwanese law to punish the unauthorized access to another person’s Lineage account.  You could use that unauthorized access that to accomplish theft (as here), or, conceivably to defraud a third party.  But the access itself was no crime.

Nor was the Criminal Code written to punish other, more advanced forms of cybercrime, like a distributed denial-of-service attack.

Lawmakers responded with the 2003 amendment introducing Chapter 36 (“Offenses Relating to the Use of Computers”) into the Criminal Code.  Doreen displayed translations of Chapter 36’s six articles.  I couldn’t type fast enough to transcribe them, but here are two I found elsewhere on the Net:

Article 358: “Unauthorized access to another’s computer or related equipment by means of the use of another’s confidential account number code, or by circumventing protective measures, or the act of discovering and exploiting loopholes in a computer system shall be punished by up to three years in prison, jail or fines of up to NT$100,000, or both.”

Article 359: “Unauthorized acquisition, deletion, or alteration of the electromagnetic records of other’s computer or related equipment resulting in damage to the public interest or the interest of an individual person is punishable by up to five years in prison, jail or fines of up to NT$200,000, or both.”

The introduction of Chapter 36 reflects lawmakers’ judgment that the Internet is exceptional.  It was not enough just to punish the theft of a virtual cloak of invisibility under the existing provisions of law: the manner in which the theft was accomplished, i.e., through the use of computers, cried out for legal treatment.

Doreen considers another, more recent example.  In April 2008 “Bahamut,” another important online game, with some 2.5 million users, was overcome by a DDOS attack.  Bahamut’s principals received the following anonymous message by email the next day, written in simplified Chinese characters (suggesting that the message came from Mainland China):

“Sorry for launching the attack yesterday.  It revealed the vulnerabilities of your website.  We are the unofficial agent of World of Warcraft, and we’d like to know if we can place an advertisement on your website.”

Understanding that the Taiwanese government is not in a position to investigate crimes committed in Mainland China, Bahamut never filed a complaint with the police.  Doreen points out that, again, an obvious “offline” crime — blackmail — could be charged on these facts.

Likewise the Zeus Botnet, which resulted in banks loses billions of dollars earlier this year: this was a simple case of fraud, but accomplished online, with computer code, on a massive scale.

Doreen describes the challenges Taiwan faces with respect to Internet crimes.  First, the perpetrators of online crimes are easily hidden — and they may conduct criminal enterprises from remote locations, perhaps abroad.  Second, online crime is more difficult to investigate.  Warrants are difficult to obtain, and there is too little cross-border cooperation.  Third, systems are insecure: small and medium-sized companies do not have competent IT managers.

Doreen explains that Taiwan proposes to tackle this last problem legislatively: a new data protection law recently issued, imposing a legal obligation on companies to protect personal data on their servers.  Laws like these turn out attention to the most important question we face on this subject: who should share the responsibility to protect cyberspace? At the government level, criminal and administrative agencies can take the lead.  But can government solve the problem on its own?  Consider the “ecosystem” of botnet: malware writers and controllers of botnets are criminally liable.  Should software companies that generate and release insecure software have some liability?  ISPs that use pirated, insecure software?  “Mules” who provide identity fronts to criminal actors?  “Victim” companies that use insecure systems and don’t adequately protect other people’s data?

Doreen stopped to take questions.  [My coverage of the ensuing discussion is incomplete, because at a certain point I put aside my computer so that I could participate.  But here’s what I have.]

Q: What did you mean by “mules?”  Doreen: the term we use in Chinese translates to “human head.”  Suppose a perpetrator needs someone to manage a bank account to receive the proceeds of online fraud.  The perpetrator pays a person to open an account and allow the perpetrator access.  The mule himself/herself often has very little knowledge of who had control of the account.

Q: Do I understand correctly that in Taiwan the state cannot bring charges absent a complaint?  Doreen: Yes.  It’s common in civil law countries to require a victim to initiate the criminal complaint.  The government needs to clear a certain evidentiary threshold to proceed, and a complaint requirement establishes harm as well.  Where, as in the Bahamut case, the victim is reluctant to come forward, the complaint requirement can impair investigations.

Q: What’s a good way to handle cross-border criminal activity?  How do we balance one nation’s sovereignty concerns with another’s need to enforce the rule of law?  Should there be some international institution that conducts/ manages transnational criminal investigations?  There have been efforts to improve international cooperation on evidence collection.

There followed discussion of a recent matter one of the practicing attorney Fellows had handled.  The case involved fraudulent purchase orders sent to vendors by email; the emails came from an account with a domain name suggesting a false affiliation with a large institutional buyer.  The domain name had been bought with a stolen credit card: “whois” information revealed that the credit card’s owner, a resident of South Carolina, owned the domain.  Investigators reviewed the email headers and traced the messages’ origin to Nigeria.  How do we tackle crimes of this nature?

As part of the fellows program at the Berkman Center this semester is a weekly discussion period that has the theme of Web Exceptionalism, the “belief (or attitude) that the Web is a significant break in the course of history, fundamentally changing institutions, norms, behaviors… It is not always proposed as a rigorous hypothesis, but is often expressed in an optimism (and occasionally pessimism) that in the Age of the Web, we have opportunities for deep change.” My contribution questions the presumption that the “open” Web is a more equitable space with respect to gender. My concern is whether the ethos and rhetoric of free and open content communities suppresses responses to, or even leads to, discriminatory or alienating speech.

Jim Bessen gave last week’s “Web Exceptionalism” presentation at the Berkman Fellows Hour.  Jim asked, “Is technological innovation on the Web different?”

What follows here is an attempt at recapping a lively, high-level Fellows Hour discussion.  To paraphrase [a no-doubt cringing] Wordsworth, liveblogging — as I’ve just come to learn — might best be described as a spontaneous overflow of note-taking recollected in tranquility, and the practice supplies ample opportunity for missing nuance and eliding worthy discussion points, both in the note-taking and in the tranquil recollection.  That’s my long way around to an apology for the summation failing to live up to the event.  (And sorry, too, for the time lag in getting this posted.)  Here goes:

At the outset, Jim makes clear that when talks of “innovation,” he means “technological innovation” and not cultural or production innovation.  Web-related innovation is of course a part of that, but his principal focus is on how the Web facilitates innovation more broadly — and whether that facilitation is, per the Fellows Hour theme, “exceptional.”

To be sure, Jim says, the Web enables a whole new level of collaboration (take, for example, open-source software).  Digital media and the Internet reduce the cost of communication, with the result that you can cheaply and easily “pool knowledge” all across the globe.  The conventional wisdom is that Internet collaboration has triggered a “revolution of innovation.”

Jim isn’t convinced, and he urges us not to buy into the hype, which is in large part predicated on mythologies of pre-digital innovation (i.e., an inventor has a moment of inspiration, followed by several moments of perspiration, obtains a patent, and starts a company).  In point of fact, the past was not so different.  Pre-digital innovation was fraught with collaboration.  Blast furnaces, steel minimills, U.S steamboats, the early PC — all of these significant technological advances were the products of extensive collaboration.  And indeed, biological innovation was until very recently an extremely collaborative effort.  Jim pauses for a moment over to wonder aloud why this history of pre-digital collaboration is “a hidden history.”  “Propaganda,” in support of the cult of the inventor, may have something to do with it.

So the phenomenon of collaboration does not, in Jim’s view, make the Internet exceptional on its own.  Another possibility is scalability.  Larry Lessig has written of the Internet that entry costs to the technology are very low, such that scalability might be the Net’s exceptionality trait.  Jim is not sure this is any different from conditions in the 19^th century.

But collaboration nowadays, with Internet technology, is for the first time truly global, isn’t it?  Jim counters that researchers have recently unearthed records of substantial communications between French aviation innovators and the Wright brothers.  Sure, overseas collaboration can happen more quickly online, but Jim is not sure the rate of exchange is enough to be truly consequential.

Does the Net’s ability to pull in vast numbers of collaborators make it an exceptional engine of innovation?  Jim argues that the size of an innovation network is not critical.  Technological innovations generally — before and now — emerge from a core network of a handful of collaborators.

Jim suggests a recurring pattern for technological innovation.   We see early-stage collaboration, innovators exchanging knowledge until the point of a major breakthrough — the Kitty Hawk, Bessemer steel, the Apple II — triggers a shutdown of collaboration, while a single agent consolidates its gains into market dominance.  There are, of course, exceptions — Jim mentions Cornish mining and steam engines.

Jim considers that the Internet may indeed be exceptional in that online collaborative innovations tend to resist market domination/ collaboration failure.  Linux is by all accounts a mature OS.  The breakthrough moment has come and gone, and large firms are generating the majority of code.  Here, however, the firms participate in and benefit from the incremental innovation that large firms are good at, but there’s no domination.  Consider as well smartphone OS: Jim observes that contrary to many projections, we are seeing a space created for innovation (in this case, apps) that large companies do not dominate.

Finally, innovation accomplished on the Web — at least in cases where collaboration survives the “major breakthrough” stage — may be distinctive in the level of customization it offers.  Open-source software is accessible, and therefore customizable, and Jim posits that Web innovation is more open in the long-term to customization.

To sum up: Web-facilitated innovation is exceptional for its resistance to single-player domination and, relatedly, for its susceptibility to customization.

*** Discussion follows ***

Q: Let’s not forget that the Bessemer steel case differs from Linux on the ground that open-source licenses leveraged IP in the latter case to prevent the innovation from being captured.

Jim: It’s important to note that the Bessemer innovators licensed the process, mastered the technology as others had not, and then they built U.S. Steel.  But generally, yes, folks seeking to dominate a market will deploy patents to that end, as they can.  And it’s not just IP rights that would-be dominators will leverage into supremacy: often they leverage other assets, as Microsoft hoped to do with Windows and Internet Explorer.

Q: Can we point to instances in which we had significant post-“forking” innovation?  Maybe the OS X-Windows case?

Jim: This is one important mechanism for preventing dominance.  There’s the more formal mechanism of licensing, too.  Apache is a license that could be taken private, but there is so much community innovation around Apache, it resists any single-player dominance.

Q: Isn’t it the case that large-scale participants tended to exert a disproportionate influence on early-stage innovative collaboration?

Jim: In my historical examples, there weren’t big companies involved.

Q (follow-up): But collaboration on the Web — even early-stage collaboration — tends to find itself “dominated” by consistent/insistent participants.

Jim: There was a significant social network phenomenon in the pre-digital era.  The International Fraternity of Mechanicians would share technologies within the community but enforce a patent against out-group infringers.  Let’s take care to distinguish between what I’m talking about — market dominance — and contribution dominance.  How is it that in the open source context, hobbyist contributions have given way to large-firm professional contributions, but there is still no one exerting market dominance?  That’s the point of interest for me.

Q: Might we be understating the historical significance of the rise of the corporation, or the rationalization of scientific practices?  These are radical changes.

Jim: It’s been shown that involvement of an original scientist in a biotech corporation is directly related to its success.

Q (follow-up): . . . but you can’t innovate now without having a Ph.D. or corporate affiliation.

Jim: Mark Zuckerberg?

Q (follow-up): Point taken.

Jim: Several of the collaboration examples I described predate the modern corporation.

Q (follow-up): Nonetheless, it’s important to remember that the macroeconomy changes right alongside the technology — and it’s not easy to control for that.

Q: And let’s not forget [Clayton] Christensen’s “Innovator’s Dilemma”: the market dominator is unlikely to see the innovations that will disrupt its domination.

Jim: Yes.  And large companies are less able to leverage success with one technology into another area.

Q: Sarnoff was able to leverage radio into TV, but Microsoft couldn’t leverage OS supremacy into browser supremacy.

Jim: And indeed, Microsoft’s ability to leverage anything today is much less than in the case of the OS/IE failure fifteen years ago.  Windows is just now coming up with a phone OS.  The horse has left the barn.

Q: How do the phenomena you describe square with the patent push phenomenon?

Jim: In the past you’d see the heavy waves of patenting late in the life cycle.  Firms would only take out patents after they had staked out ground they wanted to dominate.  Now the patents are coming first — and in many cases inventors have no intention of marketing the technology.

Q (follow-up): Might aggressive patenting be a rearguard corporate action to use IP to take back some of the ground they’re losing elsewhere?

Jim: A lot of this is orthogonal and has to do with problems in the legal system.

Q: We’re seeing less de facto standardization from big firms.  What role will public standards organizations play in web-era innovation?

Jim: I’m not sure I agree with the premise: consider Apple’s iPhone apps standard.  But I do agree that public standard bodies have become more influential.  This may have to do with the greater modularity that comes from collaboration.

Q: Does the ability to interact quickly and electronically beat down the need to hash out standards?

Jim: The standards bodies still exist and flourish.

Q: HTML won in industry after industry, precisely because it’s a crappy, anything-goes standard.

Q: The Web may require more from us — whenever you want to work at a level where you have to have a common substrate (as you increasingly need to do on the Net) — standards are required.

Q: Maybe one way to see standards is that you dampen innovation in one space to enhance innovation above it.

Q: What happens if the courts retrench on patentability and reject software and business model patents?

Jim: We’ve concluded through research that these patents function as a 10% to 20% tax on innovation.  The big payers are the large companies, but every startup that makes any progress has to worry about patents and has had a patent asserted against them.  If thrown out, restricted reasonably, you’re alleviating the tax and improving incentives to innovate.

Q: Are we headed in that direction?

Jim: The Supreme Court made a step in the right direction with Bilski.  The Federal Circuit has made moves to restrict the availability of the doctrine of equivalents in proving infringement.  There’s an awareness now that things are screwed up.  The train may be turning around.  A number of patent law doctrines and Patent and Trademark Office practices affect the issuance of software patents.  They’ve all changed over time.  Five years ago, pretty much any software was patentable, but now it’s getting more difficult.  Patent litigation has tripled from the early 1990s.  It’s finally leveling off, but the litigation rate for software patents continues to increase.  Common problems include overlooked prior art, vaguely-stated claims subject to broad interpretation in patentee-friendly fora like the Eastern District of Texas.  Although courts may take baby steps in the right directions, the situation likely will continue to deteriorate until a crisis hits the large IT firms and they become politically active.

Q: What role does copyright play in locking down software?

Jim: This is not an issue with software innovations.

Q: It is possible to infringe a copyrighted header file if you use it, but typically you can rewrite the header file in a manner that does not, strictly speaking, infringe the copyright (although it will infringe a patent).  And of course, some expression is not copyrightable.  If there’s only one way to write code to accomplish a result, then you run the risk of infringing copyright, but in that case copyright’s “merger doctrine” would likely preclude infringement liability.

Q: Trafficking in technologies of subversion — hacking DSS, jailbreaking iPhones — is easily accomplished online.  That’s a consequential aspect of Web exceptionalism.

Q: But of course, that same quick-and-easy distribution has empowered the big-firm objects of subversion in the first place.

Q: The sort of online subversion we see tends to be directed at attacking models of rent extraction.

Jim: to sum up, I see the following aspects of the Web as “exceptional” promoters of innovation: (1) faster diffusion of information, (2) lower cost of entry (possibly), (3) a culture of civil disobedience, (4) the relative inability to leverage dominance from one area into another, (5) greater customizability, and (6) the ability of communities to create their own defensive perimeter to allow collaboration without subjecting a technology to control (i.e., through GPL).  That last bit might be “legal exceptionalism.”

Clay Shirky is leading a Berkman Fellows Hour session.

[Note: What follows is live-blogging. I am undoubtedly getting things wrong, not getting emphases right, missing some crucial points, etc. You can rest assured that Clay was brilliant, and any deficiencies are due to my reporting. Really.]

Clay begins by saying he’s an info junkie, and finds newspapers frustrating. The newspaper tells you that there’s been a coup somewhere, but you can’t get the backstory, although there’s sudoku and sports news. “Come back tomorrow for more information,” the paper implicitly says. The Web, on the other hand, lets us get all the info we want about any topic; there’s no width vs. depth trade-off.

Clay says that he’s been assuming that since he likes the Web handles this, so everyone else must, too. He took this as a systematic good. But, he’s changing his mind about it. “Markets produce less accountable journalism than democracies need to govern.” That’s the lens he’s using. Democracies oscillate between two poles: a complete market-driven environment for news (in which case you get less news than you need to discipline elites) or you get more of that accountable journalism through subsidies that distort the news. There doesn’t seem to be a good, stable optimum. Optimizing for all interests is actually worse, he believes.

He gives an example from today’s Boston Globe, about what the Secretary of Commerce is doing for area fisherman. Very few people — possibly in the low thousands — actually read the second paragraph. The article still is a signal that communicates to the elites something independent of the facts being reported: this is page B4 news. But, when the news junkies like Clay defect from newspapers (to newsfeeds, etc.), the paper loses its leverage; it can no longer tell the Secty of Commerce that he should keep working with the fisherman or we’ll get the story of his _not_ doing so promoted to page A1.

Clay says he’s not nostalgic. This can’t be reversed. And the analogies have been over-emphasized: the front page isn’t really like the home page. But we are at risk of the news junkies getting more of what they want, and the rest get what they want — less news. We’re giving up one of the mechanisms by which a grassroots could discipline local officials and, to some degree, the business community. Are we losing the representational function the newspapers served?

He ends by asking if that concern makes sense. And are there mechanisms by which we can capture some of the ability to discipline the elites even after the data is unbundled and the news junkies drift off?

Q: How is this different from the plaint about the loss of the three major networks as the shared platform for news?

CS: Tim Wu has a great book coming out on this. The centrism of the networks was non-organic, having been forced (in part) by the Fairness Doctrine. Also, lacking a parliamentary system, national disciplining of elites matter less. [I think I missed part of this.] In the 1950s, the coverage was 50-50 Congress vs. President. The rise of presidential coverage tracks with the nationalization of the news media (as well as with the increase in presidential power).

Q: In a small city that is part of LA, the people running the city systematically bilked the taxpayers, and were finally revealed by the LA Times. This is becoming a rallying cry for the value of traditional journalism. There are two sides. First, the reason the scammer chose that city was because it’s not well covered by the LA Times. It was almost an accident that the LA Times got it. Second, a local blogger was beating the drum about this story for a year but no one would listen to him. So, Clay, you’re suggesting we’re going through a shift in sorting mechanisms in how we encounter the news. Previously, the news was curated by a homogenous group, but they were also often somewhat protected from the need to drive advertising, and would give us a civically-interesting blend. Now we’ve gone from curation to search. I think there is a third shift, a social shift. In August, ComScore said we’re spending time on Facebook than Google. Over time, we’ll know the news because our friends are talking about it. But why are they talking about it? Either because of an authoritative curator or an echo chamber. Last point: The authoritative curator had a disciplinary function: You malfactors will be found and exposed. If this is right and we’re getting social curation, is there a social discipline that occurs when enough people recognize that someone is culpable, and can that become the disincentive for bad behavior?

CS: I have no brief for the good old days or even for traditional media. But, I don’t think the situation with social media is as bad as you’re saying. Zephyr Teachout said last week that even people who think about this medium all the time have trouble decoupling stuff that went together. In particular, voice no longer means power. When there is scarce access to the medium, anyone who speaks in public takes on disproportionate power. Now anyone can speak, and it turns out not to matter. The old Soviet critique of the US: You can say whever you want, but no one cares. The Phoenix in Boston broke the Catholic priest scandal, it got picked up by the Globe, and the Globe got the Pulitzer. Voice != power any more.

Q: I actually read the fisheries stories. They’re changing the rules for fishery management for the first time in a hundred years. There is conflict between scientists and fishermen. The neswpaper plays an arbitrator role between these groups. Not just disciplining.

Q: For the discipline role, why does Section B exist?

CS: Anyone can do an RSS feed, but if there’s evidence that there’s a reporter on the story…It’s a show of strength.

Q: It’s maybe less than about power than about setting the narrative, which may in some cases matter for power reasons, but not always. It’s not always or even often about the levers of power being pulled

CS: But for the Secty of Commerce…?

Q: From within the belly of the beast, there’s more of a dance here. The killing fields wasn’t reported as important until Sydeny Schanberg wrote the book that told the story as a story. Editors want stories.

CS: Since aggregation moved from the server to the client, the old “Come for the golf, stay for the genocide” doesn’t hold. We seem to have a larger loyalty (see Richard Rorty) so we are paying attention, but we can’t route out corruption when the mix is so mixed.

Q: People think of themselves as watching news, but studies shows their attention is at best inconstant. Newspapers gave the reading of news status. It’s not so much about being a gatekeeper as an entity that says there is high social status in being conversant in the topics the news covers. But newspapers are more aware of what people are actually reading.

CS: The question of status is interesting because of the Madisonian argument that governing is a matter of balancing factions in contention. When reading a newspaper is a status symbol, that makes some institution a potential political force. When the Oregonian wrote story after story about the abysmal state of mental hospitals, nothing happened. Only when they ran a front-page editorial asking the governor to step in did they get any results.

Q: The curator on the Net is algorithmic and non-deterministic. Some articles become widespread but no single entity controls which.

CS: County-level corruption will never get to the top of Google News.

Q: That is an algorithm problem. Over all, it’s actually a demand problem. But you’re pointing at a supply problem: We don’t have people digging into very local stories. The problem you’re raising about disciplin is a variant of the collective action problem. When the LA Times prints 50 stories about the corruption in a small town, there’s a theory of change: Maybe the corrupt officials will be so embarrassed that they’ll resign, or the prosecutor will be so embarrassed that he’ll prosecute, or in the long term citizens will follow local politicians more closely. The civic consequences theory is overly-optimistic. Jonathan Stray wrote recently about designing journalism to be used. Sometimes that’s to get you to vote in a particular way. But it can also be to engage in civic action. To what extent is press scrutiny a special class of the collective action problem you discussed in your previous three books?

Q: You seem focused on regional news…

CS: Because we’re getting much more national than regional…

Q: … on the encouraging side, regional and local are the one type of news people seem willing to pay for.

CS: This is Jeff Jarvis‘ theory, but I’m not totally convinced.

Q: If we’re aiming at journalism as a spur to collective action, I have even less reason to get generalized news. I’ll just get it from my partisan sources.

Q: That’s the solidarity problem Clay is trying to duck.

CS: In financial journalism, it’s not a collective action problem. Markets work it out. I have trouble squaring news you can use with xenophilia: I can’t affect faraway lands.

Q: The best example is Darfur, which spurred collective action. There’s an enormous problem figuring out what constitutes activism in the digital sphere. All activism is a waste of time unless you link it to a theory of change. Malcolm Gladwell picks out the moments in the civil rights movement were the action was effective but skips all the attempts that were not. Hoder was sentenced to 19.5 years in an Iranian prison, and I don’t know what to do. The further a story is away from you, the harder it is to figure out how to pull the levers. Until you have some sense of how to affect change in the world, how do you figure out what is useful?

Q: Media still have power. The distinction between news junkies and the rest that you started with perhaps contains a bias? Are those who read what we consider to be trashy news — say birthers — also news junkies.

CS: It’s not a political alignment. It’s about knowing the broad range of stories that matter in the world. It’s not about political centrism.

Q: In moving from B1 to A1, the person doesn’t have time to make a substantitive change. Does the jump serve a substantitive purpose? Does discipline work?

CS: E.g., the outcry about the gutting the public option in the health care debate allowed the left to pull the discussion in that direction (even though they failed to get the public option). Similarly, the oil blew out in the Gulf. BP underreported. And you can see CEO Hayward‘s attitude change.

Alan Friedman, fellow at the Center for Research on Computation and Society at Harvard (CRCS), is inaugurating a new tradition at the Berkman Center: a fellows seminar. For years, the community of Berkman Fellows have met for discussion on Tuesdays afternoons. This year, we’re trying something a bit new. Each Tuesday, one or more of the fellows will offer a “seminar” on a topic, loosely connected to a central theme: internet exceptionalism. So Alan’s talk is addressing both his topic of choice – the dynamics of cybersecurity policy discussions – and a larger topic – are issues of security different in the world of the internet than in a pre-internet world?

Alan gets the honor of leading off our seminar in part because he’s about to leave Berkman and begin work at a Washington DC policy center. As such, these issues are near and dear to his heart. He begins by warning us that he’s going to give “a short, general talk on cybersecurity designed to persuade people not to listen to short, general talks on cybersecurity.” His concern – we do a disservice to the complex ideas behind cybersecurity by melding multiple issues into one. He acknowledges that there are key computer security and information security issues that need addressing, but the focus for his provocation is on skepticism about the current framings of cybersecurity.

Showing us the cover image from the July 1, 2010 issue of the Economist, which focused on cybersecurity, Alan attempts to unpack a four-page article in that newspaper. The article on cybersecurity covers over a dozen topics, including critical infrastructure, military strategy, cybercrime, financial fraud, economic espionage, espionage between states, and issues of global governance. These topics are so broad that it’s impossible for an individual to be knowledgeable about all fronts – in an academic context, each of these could be a full academic specialty.

It’s important to unpack the discourse of cybersecurity because framing matters – how you talk about a problem affects how you think about it and how you try to address problems. One common frame for cybersecurity is national security. If we frame these issues in terms of national security, then we conclude that these issues are hugely important and that price is no object. If we address them as criminal justice issues, we focus on getting the bad guy. Alan offers the frame of “identity theft” as an example. If we see identity theft as theft, we focus on deterring the their or on letting victims defend themselves. If we think of this in terms of “impersonation”, the responsibility might shift onto the processor and away from the “victim”. Alan suggests that we might consider frameworks aside from national security or criminal justice: pollution, public safety, or the cost of doing business.

Cyber policy can now touch on virtually everything, Alan tells us:
– National interest – other states have visions for how they deal with the digital world. Do we need an overarching national vision?
– International governance – people in the US tend not to be excited about the realization that these systems extend beyond our national border and that decisions of other states may shape what we can do
– Legal issues – Do computers and IT change our underlying assumptions about law
– Freedom of Expression
– Critical infrastructure

For the purposes of today’s discussion, Alan asks to focus on issues of national security and of crime. National security has become
a hot topic in cyber policy circles. The forthcoming US CyberCommand is a political compromise that allows the Department of Defense to engage in cyber activities without duplicating the National Security Agency’s deep competence in this field. But some of the rhetoric is getting downright strange – the Department of the Navy has declared that every one of their 75,000 employees are now “cyberwarriors”, whatever that might mean.

In the context of cyber policy and national security, Alan suggests we consider some key policy considerations:

Reachable states In defense planning, there are certainly people employed to think about the possibility of a full on war with China. As such, there are now people thinking about full-on cyberwar with China. Alan suggests we need to do “conditional probability” – before we consider full-on war or cyberwar with China, what’s already transpired. It may be ludicrious to consider the possibility that our adversary would knock out the electrical grid in the Northeast during winter because, at that level of conflict, we might already be exchanging nuclear arms.

Proportional response While this is a new battlefield, and while there are almost certainly dangers in terms of intercepting communications and espionage, it’s possible that we can use old language of proportional response. In the days of the cold war, we’d see a sub come too close to our shores and we’d put a few more bombers on the tarmac, which would be visible on the next satellite photo. This is the language of how states interact, and we should bring this into discussion of proportional response in terms of cybersecurity.

Cyberterrorism, or “state versus non-state actors” Alan offers the story of a town in New Jersey that sought – and received – $10,000 in anti-terrorism funding to protect a gumball machine, a local attraction. In the wake of 9/11, we noted that people could attack critical infrastructure and protected it as if someone would attack that infrastructure. We should explore how our digital infrastructures work and map resilience, but it may not make sense to protect every system as if it’s going to be attacked and critical if it fails.

Deterrence
The development of a national cyberwar strategy focuses on issues of deterrence. This is an attempt to map this new space onto a previously understood model. In the offline world, we know that bad actors can hide in other states, and since we can bomb those other states, we hold states responsible for the actions of their citizens and those they harbor. Following this logic, Richard Clarke suggests we hold nations responsible for every bit that transits their borders… and suggests the US take the lead in this space. This has serious implications for how we handle identity in a digital age – it points to the need for a hierarchical model that maps individuals back onto states.

Moving to cybercrime, Alan offers some observations about what’s new and what’s old in this space. Cybercrime is a visceral issue – theft through the computer screen feels more scary because it could happen because I failed to patch my software. And it’s scary because companies are trying to scare us – McAfee claims $1 trillion in annual damages from cybercrime… which is both larger than the total output of the global IT industry, and represents 8% of the global economy.

He suggests that most cybercrime fits into five general, and well understood, categories:
– hijacked resources
– authenticator fraud
– IP theft
– Illicit content
– Scams

The specific attacks and the ways these map to these categories are complicated, as are the vulnerabilities that make these attacks possible, and the organizations responsible for protecting us from these attacks. But much of this territory is understood. What’s genuinely new? Possibly the victimization of children. Possibly fraud, which now scales much more easily. But Alan recommends we focus on industrial espionage and cases where identity fraud can cause critical failures.

In summary, Alan is arguing that when we talk about cybersecurity, we’re talking about a huge bundle of issues, perhaps too huge a bundle. It behooves us to ask “Why is cyber now on the agenda?”, “Can and should we co-opt this attention to promote our own agendas?” and “What’s genuinely new and important here?”

Hal Roberts wonders if we know what security actually means in an online context. He notes that McAfee recently released the alarming statistic that 60% of people are victims of cybercrime. If that seems insane, it’s because McAfee includes anyone who reports being infected with a computer virus as being a cybercrime victim… which suggests that 40% of the people who’ve been infected with viruses don’t know they were affected. If you’re the “victim” of “crime”, and you didn’t notice, does it matter?

Ethan Zuckerman asks whether this tendency to lump everything under cybersecurity was a moment in time that would pass and proceed to more sane discourse in the future – can’t we just wait for everyone to figure this out and handle this issue slightly more sanely?

Alan explains that, if we don’t fight the current frames around cybersecurity, the best case scenario is that the US government spends billions of dollars badly. (He cites a deal between HP and the Navy where the Navy paid HP $2 billion so HP would tell it what it had done in building the Navy’s information architecture, as that architecture was the property of HP.) In the worst case scenario, changes made in the name of cybersecurity might add strong authentication and identity mechanisms to the internet and damage the current openness and generativity.

Ethan asks whether the big difference between the internet and the real world in security terms is that identity is so difficult to establish online. If we can’t identify who’s responsible for an attack – whether it came from a state or an individual, which state it came from – how do we retaliate? And without retaliation, is there deterrence? If the issue is identity, doesn’t that point to a solution that makes identity much less fluid on the internet… a solution many of us don’t want because it has terrible implications for privacy and freedom of speech.

Alan mentions that identity matters in terms of certain types of cyberattacks (the attacks on Estonia, for instance, where – citing an unnamed academic – he argues the attacks were a cyberriot, not a cyberwar) and in terms of phishing. Deep identity solutions might offer some protection there. But cyberwarfare isn’t just about attribution – it’s about defense. We need to understand our vulnerability to targeted attacks. If you really want to take out the east coast power grid, he argues, you might need eight riflemen shooting insulators… but they need to know which insulators to shoot. What’s scary in cybersecurity is how carefully targeted some of the attacks we’re starting to see are – espionage attacks that focus on specific deputy secretaries in the State department before critical negotiations. He warns, “If you’re negotiating an international contract, there’s a decent chance your counterparty knows your reserve price. it’s going to affect negotiations, and might mean that secrets live in people, not in networks.”

David Weinberger notes that US discourse over conflict no longer includes discussions of peace – we’re a long way away from the 1970s and 80s when “peace studies” was a central part of curicula about conflict. Now people are addressing cyber-insecurity and cyberwar. Do we have a vision for cyberpeace?

Alan offers that cyberpeace might be systems functioning as we expect them to. Perhaps cyberpeace was when the internet was young and innocent, prior to the Morris Worm. Now we might think in terms of pollution – the “background radiation of risk” that comes from spam, identity theft, phishing, DDoS. That might be a more appropriate frame than war and peace – we’ve had 25 years of IT fueled growth, and now we many need to deal with some of the pollution that industry has generated.

Wendy Seltzer draws out the pollution frame, suggesting that we consider problems in terms of ones with local bad effects (polluting a local water source) and those that have systematic effects (carbon dioxide emissions leading to global warming.) “Are there systemic-level cybersecurity problems that we need to address, without trying to make everyone perfectly safe?”

Hal Roberts suggests that Jonathan Zittrain‘s concept of generativity might be a vision of peace – it’s what we want to promote when the internet works well. The cosmopolitan vision of Global Voices could be another vision of what we want from an internet at peace. We handle the bad stuff via social insurance systems – systems that spread the cost of bad action over the many who benefit from being protected – and celebrate the good stuff.

Ethan tells a story from a conference at Princeton’s Center for Information Technology Policy. At a discussion of these issues, at least four camps were represented – a national security camp, a cybercrime camp, a human rights camp – which argued that activists are often targeted by their own states through IT systems, and a network administrator camp. The latter camp argued, “Sure, the internet is broken. But it seems to work pretty well nevertheless. Weinberger quotes Tim Berners-Lee as saying “the web will always be a little broken.” Wendy Seltzer contributes, “Any system that can’t be misused isn’t worth using,” a saying so pithy, it might need to go on Berkman’s coat of arms.

Charlie Nesson asks Joseph Reagle, who’s recently published a book on Wikipedia, about what cybersecurity looks like from the perspective of a community like Wikipedia, citing the community as an exemplar of “internet peace”. Reagle notes that Wikipedia is could be vulnerable to DDoS and is certainly affected by vandalism… but he wonders if we have meaningful enough definitions of war, peace and crime to be able to discuss these ideas. Some things are so massive in scale – an electromagnetic pulse attack on our information systems, for instance – that it’s a mistake to believe we can think through all the consequences.

Charlie pushes forward, wondering whether the model of Wikipedia – which Joseph’s book asserts is a community based on good faith at its core – could offer instructions to build other communities of good faith. Joseph suggests that “trust involves baring your throat”, and that Wikipedia depends on having faith in your fellow contributors and on a wealth of subtle factors. “These systems are delicate, much like internet security at large.” Game theory suggests that the system as a whole could fail if certain thresholds are crossed and contingent cooperation no longer leads to positive community behavior. Joseph worries that the way Alan is framing these issues – asserting that there may be no vision of cyberpeace – contributes to a world where mutual cyberarmament is inevitable. This, in turn is aided by a cyber-industrial complex that benefits from a militarized cyberspace.

Doc Searls invokes Scott Bradner, one of the “greybeards” responsible for international internet governance and Harvard’s chief security officer, who describes the difference between bellheads (telco techies) and netheads as a religious difference. Bellheads believe in the importance of carrier grade service, “six-nines” (99.9999% uptime) and central control, as opposed to the nethead values of “loose consensus and running code”. Carriers believe (still) that the internet doesn’t work. Perhaps this means that systems that are cyber are inherently somewhat insecure. Peaceful, perhaps, but not secure.

Brad Abruzzi suggests that, in the wake of 9/11, Americans began thinking about all the real-world vulnerabilities to terrorist attack that we might consider worrying about. Could reservoirs be poisoned? How secure was our food supply? What if terrorists targeted grocery stores? Eventually, many of us came to the conclusion that it’s impressive and surprising that, as vulnerable as we are, we aren’t attacked all that often. Cyberspace may be scarier, because attacks could come from one person anywhere in the world… but we need to contextualize our fear and realise that we’re vulnerable on many fronts.

Alan concludes by observing that a cybersecurity and cyberwar paradigm means we need to consider not just the flows of information on networks but the risks associated with those flows. He points out that there’s a treaty being proposed, pushed by Russia, that would prohibit cyberwarfare. That treaty is unlikely to be acceptable to the US, and may be designed to push the US into a corner, painting the US as the aggressor in this space. The EU’s approach to these problems may be quite different from the US approach, because their concerns about privacy carry more wait. These issues are real, in play, contentious and unlikely to be settled any time soon.

Hello!

You’ve found the blog for the 2010-2011 fellows hour course on Web Exceptionalism! More about the class and the topic can be found on the ‘about’ link towards the top left of the page.