In short | The purpose of this article is to provide a brief technical and legal overview of the phenomenon of Internet Governance and of its new challenge: the Internet of Things (IoT). A fil rouge is drawn between the need for a multi-layered and polycentric governance model, and the conflictual relationship of such a model with the traditional power of States. From this contrast, a conundrum emerges: the impossibility of providing the new digital society that the Internet has created with a unitary identity – such as in Pirandello’s world of ‘One, None and a Thousand’. This study encompasses both a theoretical and a practical analysis. In the first part, the Author will analyse the cornerstones of Internet Governance – namely, the Internet itself, its regulators, and its layers of subjective and objective governance. In the second part, we apply this model to a number of practical issues, yet to be solved, concerning the emergence of the IoT.
1. The Internet and its Governance. A historical and technical premise
1.1. Introduction
The Internet is a universal space that many expect to remain open, free, and borderless, as it was when it was born. However, over the last decades, the Internet has drastically changed its structure, its content and its users, up to the point of no return, which Lawrence Lessig brilliantly stressed in his famous quote “if you are reading this, you have used the Internet”.[1] A quote that becomes even more disturbing if put in the words “…or, you have been used by it”.
Internet development has in fact allowed more and more businesses to exploit the opportunities deriving from the use of low-cost global communication technology for delivering services without any physical burden, regardless of their location. Furthermore, due to the development of new profiling technologies such as pattern recognition mechanisms, platforms can now increasingly rely on more pervasive control over information and data (many have talked of the evolution into an “algorithmic society”, especially in reference to the emergence of hosting providers such as Google, YouTube and Facebook) [2]. And finally, as with all the big innovations, while Internet connectivity generated new services, capabilities and unprecedented forms of sharing and cooperation, it also created new forms of crime, abuse, surveillance and social conflict. These themes, together with many others that we will further analyse in the next chapters, all call into question one big, complicated and messy thing: regulation – and, more in general, Law.
Hence, “Code [Is] Law” [3], and year after year we cannot but experience, to an ever higher degree, this change from a cyberspace of anarchy to a cyberspace of control. In this chapter, we will outline the current landscape of Internet Governance, its foundations, and its core dilemma, which, in a way, coexist.
1.2. What is the Internet?
Let us start from the basics: what is the Internet? Technically, the Internet is a globally distributed computer network comprised of independently-managed networks (the Intranets), woven together by standardized data communication protocols (primarily, TCP/IP and DNS) [4]. The common adoption and use of these protocols unified the world of information and communications, with millions of different electronic devices and services becoming compatible and interoperable. One of the major keys to its success, thus, was the Internet’s open and independent structure. This is all the more remarkable considering the historical context in which it was developed.
1966, Cold War. DARPA (US Department of Defence Advanced Research Projects Agency) conducts the first experiments into a then-risky new approach to data communication for strategic and anti-espionage purposes: packet switching. Unlike the previous military “message switching”, in such a system the data to be communicated was broken into small chunks, labelled, and forwarded from one computer to another. Shortly thereafter, similar work began at the National Physical Laboratory in the UK, followed by the BBN in Cambridge (MA) and by the NMC at UCLA (CA). These were the pillars of the first network, consisting roughly of four (!) computers. This was ARPANET. In a bit more than a decade, the project – NB: unclassified, open and independent – brought together (not without diverging opinions, of course) many of the most brilliant minds of the XX century, and ARPANET grew, under various names, bigger and faster, culminating in the «Internet» TCP/IP protocols of the 1980s, as we still know them (with the subsequent evolutions). [5]
Little, though, did DARPA know about the impact of such a creation from the roaring ’90s on. Little could they know that in the spring of 1989 communism in Europe was about to collapse, together with the Berlin Wall. What emerged was a eutopia of a new society, that had to be based on freedom and liberty; that is to say, keeping the governments out of the way. And far, far away from the original intents, the Internet was basically the perfect catalyst of this: not because the government would not control cyberspace, but because it could not.
We are approaching the hard core of “the Internet Governance question”. To understand it, we must put the Internet not only through the lens of history but also under a juridical light (in the broadest sense possible). To this extent, the Internet is simultaneously a technological and a socio-economic space: it is, exactly, a cyberspace – basically the opposite of a territorial space. The consequences are as simple as they are tremendous: the unlimited territory of the Internet is not, and cannot be, treated as a sovereign entity, such as that of a Nation [6]. That is why a single government is impotent against it. This revolutionary wave, which originated at the end of the last century, has swept us into arguably the biggest conundrum of this century: the (digital) crisis of the 1648 Westphalian system. [7] Said model has enabled countries to draw boundaries between each other and establish authority for more than 300 years, but now it clearly clashes with the open and global approach that the Internet requires.[8]
We live, to this extent, the Faustian crisis of our Pirandello’s protagonist: he looks at himself in the mirror, but he cannot recognise his identity. This is the question: if we could put the Internet in front of a mirror, who or what would we see? What kind of society and which regulator? None, one, or a thousand identities?
1.3. How to govern the Internet
In line with the above recognitions, it can be asserted that cyberspace demands a new understanding of how regulation works, for «no one person, company, organization or government runs the Internet» (see ICANN). It should in particular be clear that, from a transnational constitutional perspective, the main concern of the XXI century is exactly how to address – lawfully and efficiently – a global phenomenon occurring outside of a territory.[9] In other words: the Internet is a shared environment, and as such, the decisions made on it are a shared responsibility, because a sovereign act in one geography may affect Internet users in other geographies, just as a polluted river that runs through one country could flow downstream into others. [10]
With this in mind, we can rightfully talk of Internet governance, and not government, because many issues in cyberspace cannot be handled by the traditional, territorial, national, public institutions, due to their pluralistic and hybrid (technical-juridical-political) nature.
Internet Governance can be viewed from two conventional points of view: subjectively (i.e. who regulates the Internet, and how); objectively (i.e. what is regulated). Joined together, they render the following definition, articulated in the Tunis Agenda for Information Society (WSIS, 2005): «Internet governance is the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet». [11]
1.4. Subjective governance – The ‘regulators’ of the Internet
According to the IGP [12], Internet Governance space can be informed by institutional economics, which identifies three broad “horizontal categories” of governance: markets, hierarchies, networks.
Markets are driven by transactions and price mechanisms; stakeholders are hence private [13]. Hierarchies govern interactions through orders or compulsion by an authority; governance is thus obtained with more traditional public interest mechanisms, such as rule of law enforcement, binding treaties, or the organizational control of a firm [14]. Networks are semi-permanent, voluntary negotiation systems that allow interdependent actors to opt for collaboration or unilateral action in the absence of an overarching authority; non-governmental organisations, technical institutions and soft laws clearly play a key role here [15]. Internet governance involves a complex mixture of the three relationships (especially the latter) – four, if we include the forms of self-governance – extending not only horizontally but also in multiple “vertical levels” of regulation (local, national, international). The thorough – yet non-exhaustive – lists of specific actors and stakeholders expanded in the footnotes provide a sense of the scope and the complexity of the involved regime, which we can only touch upon here.
1.5. Objective governance – The ‘layers’ of the Internet
Given the horizontal and vertical pluralism of interests (thus stakeholders) and actors (thus regulators), we cannot but expect equally differentiated functions and subjects of governance, which are commonly called (and grouped into) «layers». [16]
The Internet, therefore, functions based on a multi-layered governance model. Although there are different ways to look at these layers, at the bottom there is almost always the infrastructure layer, which comprises the physical networks through which data travels; then we locate the logical (or application) layer, which contains protocols, standards, numbering, and in general the code by which the Internet operates; one step up we find the content layer, which defines the information that is exchanged through the Internet, and the legal rules that govern such information; at the top, finally, we find the social layer, which encloses the «practices that define paramount rights and principles associated with social conduct online».
2. The Internet and The Challenges Ahead
2.1. The Internet of Things
«In a few decades, computers will be interwoven into almost every industrial product», wrote computer scientist Karl Steinbuch in 1966. Coupled with connectivity, this prediction is finally coming to fruition. It is called the ‘Internet of Things’ (IoT), and it has the potential to change every aspect of the economy, society and politics towards a world of ‘Everything-as-a-Service’ (XaaS), and, in so doing, to reshape the whole Internet Governance environment.[17]
Some figures will immediately shed light on this phenomenon. In 2003, there were 6.3 billion people living on the planet and 500 million devices connected to the Internet. By 2020, there will be 8 billion people on the planet and 25 billion devices connected to the Internet. Ten years more, and some estimates put these figures at 50 billion connected devices.[18] In this scenario, it is clear that the impact of IoT will be higher and higher: already accounting for ca. 80% of existing connections (if we include traditional devices such as computers and mobile phones too), the IoT has the potential to create an economic added-value of $2.7 trillion to $6.2 trillion annually by 2025, and this is one of the most conservative estimates. [19]
The present chapter will hereafter examine IoT’s principal characteristics, the technical backbone that makes them possible, and the series of powers (over network, products, services, distribution), rights (to privacy, to property) and interests (security, competition) that IoT has to successfully address, if it is to deliver on its promise of a better world. If the IoT development can be nudged in the right direction, there is no limit on its potential to enhance our lives.
This being an exploratory insight, only “the tip of the [IoT] iceberg” is brought into light. Among the plethora of topics that IoT intersects with we also find health, public management, A.I., smart government, competition, and much more – only some of the subjects that we cannot afford to discuss thoroughly here. For this reason, where not otherwise mentioned, we will just analyse “a part for the whole”. Our metonymy, in particular, will concern one of the most expanding and economically valuable branches of the vast world of IoT: smart-commerce.
Having said that, let us start with a definition of IoT. The Internet of Things is the result of technological progress in many parallel and often overlapping fields: embedded systems, ubiquitous and pervasive computing, mobile telephony, telemetry, computer networking, wireless sensor networks. IoT-enabled products employ embedded technology that allows them to communicate, directly or indirectly, with each other, or with the Internet. McEwen & Cassimally have sought to condense the components of the IoT into one equation: physical object + controller, sensors and actuators + internet = Internet of Things.[20] Adopting a more holistic perspective, Dave Evans describes the networked connection of people, process, data and things as the Internet of Everything (IoE).[21]
According to Kellmereit and Obodovski, three factors are driving the rocket-like rise of the IoT: miniaturisation of electronic components (smaller, powerful, efficient); affordability (constant decrease in costs); wirelessness (the last wire to disappear will be the power cable: see new power-by-induction methods). [22] The result is what could be called an ‘Internet Animism’: a widespread, and grounded, belief among companies and society that everything on Earth is soon to have a digital soul.
2.2. Governing the IoT
From the definition given in §1.1 and from what emerges in the analysis conducted in §2, we know that ‘governance’ is – or at least should be – «the collection of control mechanisms that a society [in its public and private components] adopts to prevent or dissuade potentially self-interested stakeholders from engaging in activities detrimental to other stakeholders’ welfare».[23]
Two problems arise here immediately. How do we govern a matter that, by its own nature, aspires to address everything? And secondly, even if we assume that the IG multi-layered model can in fact apply, how do we address the rights and principles that until now did not belong or pertain to the Internet? Of course, there is no clear answer to these questions. Furthermore, the IoT distributes significant powers to many stakeholders in the value chain[24]: specifically, we look at (1) the power of developers over network standards, (2) the power of firms over products and their distribution, (3) the power of ISPs over network traffic, (4) the power of other service providers and service enablers over services and their distribution. Each of these powers can be potentially exercised to the detriment of others, that is to say to the detriment of the rights and the interests that underlie IG – and, most crucially, it can do so in ways that were previously unpaved. Hence, the importance of a well-framed IoT governance model. In line with this recognition, it is important to further explore the implications of the just-mentioned IoT power dynamics and key assets for creating a well-tempered governance model.
(1) Network standards specify how a device communicates, and what it can communicate. Closed standards, therefore, create the possibility of controlling IoT networks, by affecting the IoT module. For example, deciding that one brand of smartwatches cannot talk to another brand of smartphones because they do not speak the same technical language – not very useful for consumers, besides potentially anticompetitive – would clearly go to the detriment of the Internet’s open structure. For this reason, IoT Governance generally advocates the employment of interoperable standards-based solutions. [25]
(2) Product manufacturers have traditionally relied on distribution systems and intellectual property rights to control the supply of their products. These practices, however, have the potential to inhibit IoT networks, by affecting the IoT object. For instance, an IoT product may employ a third-party product, such as a smartphone or tablet, as its interface. Both products, therefore, need to be available in a given market for this XaaS solution to be viable for consumers. Moreover, even if both products are present in a market, one of them may refuse to cooperate (which is often the case if we are also inside a closed network standard): as a real-case scenario, CNN reports that Keurig’s coffee machine is equipped with a camera that inspects coffee pods, so that unlicensed cups won’t work with Keurig’s device [26]. On the other hand, it is reported that such enclosure is critical for performance and security reasons. Again, governance issues. These are issues that the “old” IG had already addressed with the freedom of access, but that reappear here with new strength, driven by the trade-off with principles of other regulations that, until recently, were not even supposed (nor designed) to address these matters.
(3) Network operators have the power to disrupt IoT networks. This is because they can affect the connectivity component (and, in so doing, cripple all the value that follows in the chain) of an IoT solution. For example, they can block or slow down traffic on their broadband networks: based on individual users, or by the type of traffic those users are accessing, or by the type of service that is sending the content. A good real-case scenario is Netflix and their fight over the issue of net neutrality (§2.1.2): the power IoT gave to ISPs (in the specific case, to Television Service Providers)[27] is such that it basically forced Netflix to conclude direct access contracts with Comcast and Verizon in order to gain sufficient speed for delivering customers the services and the data requested. But net neutrality is not the only challenge when it comes to power over network traffic. Consumers also need to be able to afford to pay for their IoT data use, and, given the past example of how high the bandwidth consumption is and the projection that there will be circa 50 billion devices by 2020, new private (or public?) business models therefore have to be developed. Moreover, switching network operators may become harder when the SIM cards that enable the connection are embedded in the IoT object and thus not easily substitutable via physical access to the device. At the most fundamental level, the core question here is whether in the end IoT networks should also be, in fact, treated as public utilities.
(4) Finally, pursuing a XaaS business model vests the service enabler and the service provider with considerable power, as they are able to affect the service system(s) implemented in an IoT device. For instance, this time let us take a smart-car as an IoT example (the reader may however enthral himself with many other hypotheses: from smart-airplanes to smart-shoes, to smart-trees… to smart-garbage, they all already exist, we checked). Heated seats. In the near future, this feature might be sold not as a hardware-based option, but as a service-based option, that would allow the car to be upgraded and downgraded through an ‘app’, to the liking (and the financial availability) of the owner. Smart-sci-fi? Not quite: the case is just an extract of the words of Peter Schwarzenbauer, Member of the Board of Management at BMW AG, talking in 2014 about a new Mini prototype [28]. And in 2017, just three years later, part of this project already started becoming a reality, with the delivery of BMW IoT Services to one million car owners; they overcame the massive car data usage (around 25 GB per hour) through the combined use of IBM Cloud Computing (a.k.a. Bluemix), the Artificial Intelligence ‘IBM Watson’, and an ‘app’ marketplace open to third-party service providers instead of a single app built for each need [29]. Such an extension of the service framework leads to important pitfalls for IoT governance: we will consider hereafter property, privacy and security.
Regarding property, it should be observed that smart devices possess ‘unique identifiers’ that allow (the user himself, and) a certain service provider to exert control and, if needed, take action: we can think of IMEI (used to disable mobile phones), IP or MAC address for computers (used to decide if consumers are allowed to watch online television depending on their location), RFID tags for metro tickets (used to decide if someone can travel or not). Similar approaches may be basically employed by all IoT solutions. Given this segmentation, it is more and more unclear who holds property rights (PRs). Conceiving PRs as the right to use, possess, exclude, transfer and destroy, we should expect that the more permissions are granted to the third-party system integrator, the more power (i.e. the more property?) the latter gets, and the less power the actual producer holds in the IoT chain of value.
Then there are questions surrounding privacy when consumers use IoT services. Two things immediately come into consideration: that the majority of data is machine- (not user-) generated, and that a single sensor can already create gigabytes of data. Concepts of users providing informed consent or opting out therefore become unworkable in such a context. The reaction to this aspect could not but be divisive, of course[30]. Assuming this future, we can outline two options. Either one makes these third parties throw the data away, with the technical impediments to the service that this action will bring. Alternatively, one regulates what these parties can and cannot do with the data unilaterally acquired – as it happens, for example, in many insider trading regulations.
Finally, strongly linked to privacy are security issues. Consumers also need to be confident that their IoT services are secure, which is not a matter of conspiracy thinking, nor of a digital Orwellian complex, but a matter of reality. In January 2014, Proofpoint researchers discovered evidence of a much theorized, although never before seen, IoT risk of cyber-attacks [31]. Aside from the direct consequences of such attacks, there are also interesting questions of who should be held liable for the damage done: service enablers, providers, resellers, end-consumers? Seven years after the discovery, the point echoes even louder, after a new report showed that only 1% of the attacks made use of system vulnerabilities, whilst in more than 99% of cases they merely exploited the «human factor»[32].
3. Conclusions. One, None or a Hundred Thousand?
From this brief analysis, it emerges how significant the potential for conflict in the IoT (and, by extension, in Internet Governance) is.
In order to balance power, rights and interests, stakeholders may seek to: i) reconcile their underlying interests; ii) determine who is right, and/or; iii) determine who is more powerful. «In an effective system, most disputes are resolved through reconciling interests, some through determining who is right, and the fewest through determining who is more powerful. By contrast, a distressed dispute resolution system would look like the opposite. The challenge for the systems designer is to turn the pyramid right side up».[33] This is the governance challenge. Thankfully there is already a point of departure: the value chain is known, the main rights and interests can be addressed, the counterbalancing measures are more and more effective. But so are the threats that this smart-world faces, let alone the new questions arising on the public management flip of the coin (the so-called smart-cities, the discussion of which has been avoided as it would have stretched this paper far beyond a reasonable length), and on the intervention agent who operates (whether it is public or private, individual or crowds, human or algorithmic).[34]
One thing, though, is sure: if we are to live in a “smart-world”, we will need a “smart-governance”, even if that means shattering the unitary (jurisdictional) identities of our society.
_____________________
[1] Lawrence Lessig, ‘Code 2.0: Code and Other Laws of Cyberspace’ (2nd ed., 2006).
[2] See, among others, Jack Balkin, ‘Free Speech in the Algorithmic Society’ (2018).
[3] Lawrence Lessig, op. cit., p.5.
[4] It is important to stress that this is merely a conventional definition, mostly based on the articulation given by the US Federal Networking Council in 1995, which – undoubtedly with a vested interest too – focused specifically on the Internet use of the TCP/IP suite (Transmission Control Protocol / Internet Protocol, see infra), in order to differentiate it from other networks, based e.g. on other protocols (UDP, User Datagram P., or BGP, Border Gateway P.). For more definitions, encompassing also the non-infrastructural phenomena that underlie the concept of Internet, see especially L. Bygrave and J. Bing in ‘Internet Governance: Infrastructure and Institutions’ (2009).
[5] For a deeper historical analysis of the phenomenon, see the references available at https://www.internetsociety.org.
[6] Lawrence Lessig, op. cit., pp. 26-28.
[7] Bertrand De la Chapelle, Multistakeholder Governance (2011), in “Mind #2: Internet Policy Making”.
[8] For more speculations, see P. Schiff Berman, Global Legal Pluralism (2012), pp. 177-178.
[9] Eric C Ip, Globalization and the Future of the Law of the Sovereign State (2010), in “Int. J. of Constitutional Law”.
[10] V. Cerf, P. Ryan, M. Senges, Internet Governance is our shared responsibility (2014), in “I/S JLP”.
[11] Extract from the full outcome document, which is available at https://www.itu.int/net/wsis/outcome/booklet.pdf.
[12] Internet Governance Project. Overview and researches available at https://www.internetgovernance.org.
[13] Social media, cloud & search platforms (Facebook, YouTube, Apple, Twitter, Microsoft, Google); Internet access providers (e.g. NANOG, RIPE, ENOG); hosting companies; domain name registries and registrars; Internet exchange points; cybersecurity firms; copyright and trademark holders (RIAA, MPA, IFPI, INTA); cryptocurrency industry.
[14] Intergovernmental organisations (ITU, UNESCO, WIPO, Council of Europe); treaties (TFEU, UN Charter of Human Rights); national governments (US FTC and FCC, Cyberspace Administration of China, Agenda Digitale Italiana); CERTs and CSIRTs (US Cyber-Infrastructure, ENISA); collateral regulation (antitrust, privacy, fair use).
[15] Civil society advocacy and education groups (IGP, Citizen Lab, EFF, NCUC, Geneva Internet Platform, etc.); technical standards and resource assignment organisations (IETF, ISOC, WWW Consortium, ICANN); international multistakeholder forums (Internet Governance Forum, Global Network Initiative); other networked governance initiatives (M3AAWG, London Action Plan, Internet Watch Foundation, Insafe EU).
[16] See V. Cerf, P. Ryan, M. Senges, op. cit., pp. 9-11. The term is in fact borrowed from the description of the “layered” technical architecture of the Internet, but it well explains also the different and yet interconnected means of governance.
[17] See, among others, the works of Perakovic, Kuljanic, and Musa (2011) and those of Yucong Duan (2015). For a more recent business-oriented outlook on the XaaS, see David McCurdy, ‘XaaS’ (2017).
[18] Source: Statista (05/2019), in IoT connected devices worldwide in 2018, 2025 and 2030.
[19] M. Fell, H. Melin, The Emerging of Internet of Things (2013), in “Clayton MacKenzie Research”. The reasons adduced to the so-called “Industrial Internet Opportunity” stem from five main drivers: asset utilisation (SG&A costs et sim.); employee productivity; supply-chain and logistics efficiencies; customer experience; return on R&D.
[20] Adrian McEwen and Hakim Cassimally, Designing the Internet of Things (2013), p.11.
[21] Dave Evans, The Internet of Everything, in cisco.com.
[22] D. Kellmereit, D. Obodovski, The Silent Intelligence: The Internet of Things (2013), p. 14.
[23] Adapted from David Larcker, Brian Tayan, Corporate Governance Matters (2nd ed., 2016), p.8.
[24] Value chain of IoT is usually represented as follows: device (IoT module and IoT object) > connectivity (IoT network operator and equipment) > service (s. enabler, s. applications, s. provider) > [reseller, if present] > consumer.
[25] Although it is not rare to still find closed systems justified in the light of «efficiency» (e.g. Apple’s AirDrop™).
[26] See https://edition.cnn.com/2014/03/07/tech/social-media/apparently-this-matters-keurig-drm/index.html
[27] Allegedly ratcheting back Netflix traffic, due to the massive amount of bandwidth used (~30% of US traffic!).
[28] See https://www.autocar.co.uk/car-news/detroit-motor-show/mini-should-have-uk-design-studio.
[29] A more detailed analysis can be read at the following link: BMW delivers IoT services using IBM (Altoros.com).
[30] See, for instance, the opposite views of Tim O’Reilly and Scott McNealy on the point.
[31] «Proofpoint, a leading security service provider, uncovered more than 750000 Phishing and SPAM emails launched from more than 100000 “Thingbots” including routers, televisions, and at least one refrigerator». Full article available at: proofpoint.com/us/proofpoint-uncovers-internet-things-iot-cyberattack.
[32] Proofpoint Report, The Human Factor (2019). PDF available here: human-factor-2019.pdf.
[33] W. L. Ury, J. M. Brett, S. B. Goldberg, Getting Disputes Resolved (1988), p.18.
[34] For a brilliant description of a possible intervention method, see M. Fell, H. Melin, op. cit., pp. 64-70.
______________________
© Cover Image: Alina Grubnyak