Governing the ungovernable


Many thanks to Jonathan Zittrain for joining us this last week to talk about Internet governance. JZ is always thought-provoking, entertaining, and leaves you thinking about things you haven’t thought about before. I feel lucky to count him as a friend and colleague.

Talking about the Internet Engineering Task Force (IETF) is always fun and interesting. The IETF is governance as done by the geeks; it doesn’t really exist (at least legally), it has participants rather than members, and the members (even when they work for and are supported by a company or government) are expect to represent themselves, not their employers. It is a technocracy, running on the principles of loose consensus and running code. In many ways, it is just a somewhat larger version of the groups of graduate students who got together when their advisors told them to write the code for the original ARPAnet. But it is hard to argue with the power of what they produced, even if you can’t understand how they could have done it.

The other aspect of the IETF that tends to confuse people steeped in governance is its enforcement mechanism. Passing laws or creating standards isn’t much good if there is no way to encourage or force others to follow those laws or standards. After all, passing a law doesn’t do much good if you don’t have police to enforce the law.

But here the IETF is different, as well. It has no enforcement power. If you don’t implement a standard that the IETF publishes as an RFC, no one will challenge you. There are no fines to pay, and no one goes to jail. Nothing happens.

Except, of course, that you can’t communicate with any of the computers that do implement the IETF standard. Nothing says that a computer has to speak TCP/IP, and nothing happens if the computer doesn’t. Including getting the traffic from the other computers that do implement the standard.

In fact, there are lots of IETF RFCs that haven’t been implemented. There is even a group of them that are famous (well, famous in the IETF community) for being April Fools jokes. Some of my favorites are RFC 3092, an etymology of the term “foo”; and the standard for electricity over IP (RFC 3251). Not all RFCs are taken seriously, even those that are meant to be by the proposers.

But the core RFCs define the interoperability of the Internet, and as such they become self-enforcing. You don’t have to follow them, but if you don’t you are shut out of the community. And if you want to replace them, you need to get others to not only agree to the replacement, but get them to do so simultaneously with everyone else. Which is pretty much impossible. So the best approach is to simply go along with what everyone else is doing, and follow the standard.

This is much of the reason that groups like the ITU or various parts of the United Nations, that would dearly love to have control over the Internet, can’t quite figure out how to take that control. They might declare that they own the standards (they in fact have). They can insist that everyone change to use their standard (they have done this, as well). But they can’t make it worth anyone’s while to make the change, so they have no enforcement mechanism.

It’s enough to make a bureaucrat cry. Which is enough to make the geeks smile, and continue…

Who do you trust?
Cyber war, cyber crime, and jurisdiction

Leave a Comment