home pageBack to home page
Draft 9/5/96
Now that lots of people use (and plan to use) the internet, many -- governments, businesses, techies, users and system operators (the "sysops" who control ID issuance and the servers that hold files) -- are asking how we will be able to
(1) establish and enforce baseline rules of conduct that facilitate reliable communications and trustworthy commerce, and
(2) define, punish and prevent wrongful actions that trash the electronic commons or impose harm on others.
In other words, how will Cyberspace be governed, and by what right?
By creating a new global, border-disregarding, place that cannot readily be controlled by any existing sovereign -- an argument we make in more detail in our paper "Law and Borders: The Rise of Law in Cyberspace," available at http://www.cli.org/X0025_LBFIN.html -- the net weakens many of the institutions that we have come to rely on for a solution to the basic problems of collective action -- the selection of means by which individuals coordinate and order their interactions so as to achieve what they believe is a greater good. Thus, the very nature and growing importance of the net calls for a fundamental re-examination of the institutional structure within which rulemaking -- at least as applicable to the activities conducted solely on the net -- takes place. As more fully discussed below, that re-examination might lead us to conclude that the net allows the problem of collective action to be solved by a new, decentralized process that does not closely resemble those we have used in the past to pass laws and enforce behavioral norms.
Questions about whether and how the net shall be governed are now arising most pointedly in connection with the issuance of domain names (like "ibm.com"). Domain names are translated by means of lookup tables distributed across the net into the IP addresses (like "123.45.67.89") that determine how messages are routed over the net. Because domain names are easier to remember than long strings of numbers, and because top level domains are often used in email addresses (like "fred@ibm.com"), they have become a particularly valuable form of "virtual real estate". Yet, despite their value and importance, it is far from clear who (if anyone) has the authority to determine who has the right to use any particular domain name (and on what terms and conditions they have that right), or to establish the basic structure of the domain name system -- the combination of technical standards and trade practices pursuant to which domain names are registered and the associated lookup tables are distributed across the net.
As described in RFC 1591 (available at http://ds.internic.net/rfc/rfc1591.txt), the Internet Assigned Numbers Authority (IANA)
"is responsible for the overall coordination and management of the Domain Name System (DNS), and especially the delegation of portions of the name space called top-level domains. Most of these top-level domains are two-letter country codes taken from the ISO standard 3166. A central Internet Registry (IR) has been selected and designated to handled the bulk of the day-to-day administration of the Domain Name System. Applications for new top-level domains (for example, country code domains) are handled by the IR with consultation with the IANA. The central IR is INTERNIC.NET. Second level domains in COM, EDU, ORG, NET, and GOV are registered by the Internet Registry at the InterNIC. . . . Currently, the RIPE NCC is the regional registry for Europe and the APNIC is the regional registry for the Asia-Pacific region, while the INTERNIC administers the North America region, and all the as yet undelegated regions."
Although both IANA and InterNIC (which has delegated the DNS administration to Network Solutions, Inc. (NSI), a private company) receive US government funds for their operation, no contract, constitution, or treaty gives either these bodies or the US Government the right to set policy regarding domain names on the global network. Nor do these bodies have any obviously valid claim to make the exclusive delegation of registration duties. The financial support provided by the US Government has not given it ownership of any intellectual property or physical asset essential (other than in the very short term) to the operation of a domain name system. To the contrary, domain name look up tables function because local hosts point their domain name servers at these tables; a form of custom, and not 'law,' dictates the particular root servers to which local hosts point for this information.
The current uncertainty regarding governance of the domain name system extends to much more than the technical standards governing domain name registration and selection of root servers. Basic economic and policy questions remain unanswered. At present, NSI (with NSF's blessing) demands payment for registration of domain names. But, again, no statute or international convention -- nor even a universal acceptance of trade practice -- clearly legitimizes NSI's right to charge that fee (or justifies any particular amount that might be charged). Nor is there any obvious source of guidance regarding what other conditions (such as a promise to abide by particular laws, to resolve disputes in a specified manner, or to waive certain claims) may be imposed as a prerequisite to domain name registration. Thus, no one can now say that any given condition must, may, or may not be imposed as a minimum requirement for this particular passport to "netizenship". Nor do any of the many different private and governmental organizations that are currently discussing a range of questions in this area -- e.g., how many "top level domains" should be allowed, whether multiple registries should be allowed to compete, and what duties might reasonably be imposed on those who operate registries -- have an uncontested or clearly legitimate claim to the authority to decide these matters unilaterally.
These questions are of crucial strategic importance, despite the uncertainty surrounding them, because only through an IP address and an association of that address with a findable reference, whether through a domain name or a directory, can an individual meaningfully enter Cyberspace in the first instance. An IP address block and a Domain Name are necessary to become a sysop offering access to the net.. Domain name based email addresses are the essence of online identity for individual users. Dispensers of those virtual addresses thus stand at the border checkpoint between the virtual and the non- virtual world, and the contract pursuant to which one receives a domain name or other online ID can potentially serve as the means -- perhaps the most effective means -- by which the most basic rights and obligations of all Cyberspace participants can be specified.
Thus, although the current domain name policy debate appears to apply primarily to ministerial duties performed by a registry, for the purpose of avoiding duplicative names, the contracts entered into with such a registry (and any associated subsidiary contracts through which individual users contract with the domain name/address-holder to obtain access to the net) could prove of primary importance in determining both the degree of freedom and the level of order on the net.
This decentralized decision-making has helped to make it possible for large numbers of people with different goals to get interconnected. But the problem of collective action remains and, indeed, grows more urgent as the net becomes larger and more complex. Anarchy, after all, has costs. It just won't do for packets, for example, to be systematically misrouted. People won't trust their important commercial and private dealings to a network where a domain name might be translated to a different IP address depending on where the message happens to originate. Nor, indeed, will large numbers of users visit online spaces if they encounter systematic fraud or vandalism or other activities they view as harmful or antisocial. There are activities that, when permitted even in only a few online venues, impose costs on all others, and against which individuals may want to protect themselves. Spamming is a form of wrongdoing that may be beyond the capacity (or desire) of a particular local sysop to control but that can make lots of users of lots of other systems miserable. The same could be said of launching destructive code. Some web pages may invade your privacy on contact. Some parts of the electronic forest path may even be conducive to highway robbery. As the global village transforms itself into complex electronic city, crime cannot be far behind. If the natural result of decentralized activities on the net were the development of unpredictable technical environments and unsafe social spaces, then calls for top down, centralized forms of collective action would become louder and more persuasive. Thus, even with respect to activities that take place solely on the net, we face the questions whether and how to generate and enforce rules to control anti-social users and the sysops who tolerate them.
Moreover, the net can be used to facilitate communications among individuals whose online actions impose harm even on those who only frequent the nonvirtual world. Most real world communities will want to be assured that the net will not be used systematically to undercut their security. Online tax havens could harm the physical infrastructure of local communities that lose tax revenues. Online conspiracies to commit violence in the real world will surely draw a response from the potential victims. Accordingly, both users of the net and all of those affected by their actions will likely demand some form of "governance" or "order" that prevents wrongdoing. The key question now posed, in connection with the domain name system and derivatively with respect to every other aspect of online interaction, is whether that governance must take the traditional form of centralized, top down lawmaking or whether, instead, the nature of the net allows decentralized creation of another, very different, form of public order.
First, existing territorial sovereigns can simply seek to extend their jurisdiction, and to amend their laws as necessary, to attempt to govern all actions on the net that have substantial impacts on their own citizenry.
Second, sovereigns can enter into multi-lateral international agreements to establish new and uniform rules specifically applicable to conduct on the net.
Third, a new international organization can attempt to establish new rules - - and new means of enforcing those rules and of holding those who make the rules accountable to appropriate constituencies.
Fourth, de facto rules may emerge as a result of the complex interplay of individual decisions by domain name and IP address registries (regarding what conditions to impose on possession of an online address), by sysops (regarding what local rules to adopt, what filters to install, what users to allow to sign on, and with which other systems to connect) and by users (regarding which personal filters to install and which systems to patronize).
We believe that, in part because of serious problems with the first three, traditional models, and in part because of the surprising ability of decentralized action to address serious problems that might previously have been thought to require "top down" centralized law making by a sovereign with a monopoly on the authorized use of force, the net may well be capable of being "governed" primarily by the fourth method -- a mechanism that Tom Bell (following Hayek) calls "polycentric law" (see the article by that name at http://osf1.gmu.edu/~ihs/w91issues.html) and that we will call "decentralized, emergent law." The decentralized, emergent form of collective action involves voluntary acceptance of standards (or, as the Internet Engineering Task Force motto would have it: "rough consensus and working code"). Despite the fears of those who cannot conceive of order as arising from anything other than top down, hierarchical control, this is not a process that necessarily leads to chaos and anarchy. To the contrary, the technical protocols of the net have in effect created a complex adaptive system that produces a type of order that does not rely on lawyers, court decisions, statutes, or votes. We will argue that the same decentralized decisionmaking that created the net at a technical level may be able to create a workable and, indeed, empowering and just form of order even at the highest level of the protocol stack -- the realm of rules applicable to the collective social evaluation and governance of human behavior.
Because decentralized action may well be capable of generating responsible self- regulation of the net, those who propose other forms of collective action might be best advised to hold off any efforts to achieve top down control -- lest they prematurely preempt the growth of what might be the most efficient and empowering form of net governance. Existing sovereigns need not waive their ultimate power to take action to protect the well-being of their citizens, of course. But they should sensibly defer action to see whether the collective actions of domain name registries, sysops and users produces a set of operational rules that provides reasonable protection for the vital interests they are charged to protect. If the net is allowed to develop a responsible self-regulatory structure, by means of decentralized, emergent law making, and if this new mechanism proves up to the task of building a productive and non-predatory order, then all concerned will have saved the large resources that might otherwise have been spent trying, perhaps without similar success, to impose rules from a centralized source.
The non-geographic character of the net makes it very difficult to apply current, territorially-based rules to activities online. See "Law and Borders: The Rise of Law in Cyberspace" at http://www.cli.org/X0025_LBFIN.html. Local sovereigns may have a monopoly on the lawful use of physical force, but they cannot control online actions whose physical location is irrelevant or cannot even be established.
To be sure, any local sovereign can seek to control the persons within its geographic jurisdiction. Thus, it has not escaped the attention of current governments that system operators collectively hold the effective monopoly on the "lawful use of electronic force" with regard to actions on the net -- at least with respect to the admission of users and messages into their own online areas. Moreover, because sysops must have physical hard disks that are present within particular territorial areas, they are clearly subject to the jurisdiction of the countries where they conduct their operations. The US could pass a law threatening to shut down the operations of all sysops within its reach that do not abide by specific rules. And, if such a bill were to pass, substantial compliance by US-based systems would surely follow.
But overly aggressive regulation operates to drive disfavored activities "offshore" - - what Michael Froomkin and others have described as "regulatory arbitrage" -- and to disconnect the local territory from the new, valuable global trade. And any legal doctrine that gives the right of regulation of the net to one country (or state, county or city) must give that right to all sovereigns -- with resulting conflicts that render any such system internally contradictory and totally unworkable. The US will surely resist assertions of jurisdiction by other countries over servers within its own territory. And other countries would just as surely reject any effort to impose US law on the rest of the world.
The problem with using existing territorial governments as the source of rules for activity on the net is not merely that such rules are unlikely to have universal, long-term impact; it is that no existing sovereign possesses the legitimate authority to make such rules. This model of governance represents, in effect, an extra-territorial power grab when transposed to the net, a form of colonialism long rejected (and rightly so) in the non- virtual context. Not only are the political institutions of established sovereigns not well suited to create wise rules for the net -- because any sovereign's rules for online conduct, even if they are arrived at democratically, do not take into account the interests of all of those who are affected by those rules when they are implemented in the online world -- no country's efforts to "plant its flag" on the net and in effect declare sovereignty over the net is more clearly grounded in legitimatacy than any other's, and is going to -- and should -- be met with fierce resistance.
2. International Treaties.
The problems raised by conflicts between national laws, and the ability of users and sysops to flee (virtually) across physical borders, might be addressed by means of creating a uniform law of the net by treaty. But this second model for governance also has many problems. The treaty process is agonizingly slow, especially in contrast to the extremely rapid development of new technologies, new behaviors, and new governance issues, on the net. Moreover, it is not clear that any treaty process could obtain agreement from all nations -- and, again, the opportunities for regulatory arbitrage in such contexts, and the negative externalities created by actions sanctioned in countries that do not agree with the majority, are likely to be substantial. It's one thing to live with the fact that some few countries sanctions fraud (or, for example, gambling of a type banned locally), when those countries are far away and hard to get to. It's quite another thing to have every tax-haven or money-laundering-friendly sovereign right next door electronically. No treaty regime is likely to succeed in imposing any uniform rules on the net unless every sovereign whose citizens connect to the net joined in the agreement. The very difficulty of that task -- and the increasing rewards to those who disagree with the majority view and invite widely condemned activities under their protective sovereign umbrella -- suggests that the treaty route to net governance is unlikely to be enormously successful.
Even if some core principles for the governance of the net could be agreed upon by treaty, such an agreement would almost certainly take the form of a high level document written with a fair degree of generality. But the devil is in the details. The net continuously presents novel questions that test our prior understandings of law -- and many of those questions need rapid resolution if the potential for development of new forms of business and community on the net is to be realized. For example, a new treaty might declare that copyright law is applicable to the net (or, if the US has it way, might even amend that law in various ways). But such a treaty would not likely resolve the question whether caching a web page under certain conditions is permitted by an implied license. Such a treaty would not likely make clear whether and how to apply US-based First Amendment doctrines to web sites outside the US. Such a treaty would not likely provide for sufficient, low cost, easily accessible dispute resolution procedures to give those arguing about whether some posting represents a "fair use" meaningful guidance. The bottleneck characteristics of any any centralized law-making machinery, and the natural frailties of law-making processes based on writing authoritative texts -- make centralized systems unsuitable for tackling a diverse, rapidly changing, large scale set of problems -- like those posed by the net.
3. International Organizations
Suppose we created a new international organization, not tied (directly or by treaty) to the sovereign power of any territorial government, whose mission was merely to establish and enforce the most basic rules for the net (such as the key conditions associated with establishing a domain name registry or holding a domain name and IP address). This third model could avoid some of the problems identified above, because it would not be tied to a particular territory or need to obtain, as a condition of addressing any particular issue, the agreement of all interested governments. But it would create new problems of its own. While some territorial governments might be content to defer to such a self-regulatory regime, how could such a non-governmental organization impose its rules on the net as a whole? Even if it somehow controlled the current domain name system, how could it prevent the creation of a new one? And by what right would any such organization "govern"?
The problems with any "top down" governance of the net, even by an institution specially created for that purpose, become apparent if we try to apply democratic values -- as surely we would, and should -- in this new environment. To prevent domination of some global governance body by any single group, the "legislative" arm would have to be held accountable by means of some form of election of representatives. But who would be represented, given a world in which the notion of separate "individuals" is virtually meaningless? Should we have an upper house elected by current domain name holders and a lower house representing those who merely have email addresses? How could we prevent -- or even define -- vote fraud in an environment in which identity on the net need not trace back to unique, singular identity in the real world? Should we allow for representation by constituencies who are importantly affected by online activities but who are not themselves online? We intuitively believe that "top down" governance mechanism for the net should be made accountable to relevant constituencies. But, once we abandon as unworkable the current system of national sovereignties as the source of such accountability, it's not easy to find an acceptable alternative.
More fundamentally, what would keep such a governance mechanism from being captured by factions? The right to set the rules for the global network would be too valuable not to become the focus of intense factional strife or, worse, to be bought. This is especially troubling in light of the ability of oppressive majorities to use the net itself to marshal support for their cause. As Phil Agre has pointed out to us, Madison's optimism in Federalist 10 about the ability of a large geographic territory to damp down the influence of factions is seriously undermined by the use of global communications. At a minimum, the risk of corruption would be heightened by the absence in this context of intermediary social institutions of the type that can contend for influence and generally prevent extremism and oppression. Thus, even if we could create an apparently satisfactory method for making a new international governance mechanism "accountable", any such mechanism might all too rapidly be captured, by one means or another, by special interests.
Moreover, even if we could devise some sort of centralized "governance" mechanism that would be consistently and appropriately politically responsive to online constituencies, it is far from clear how we could protect the most basic rights of unpopular minorities or of those whose property the majority might prefer to take. Without a judiciary and a bill of rights, any such institution would find it all too easy to pick on the weakest sysops and users. It is not easy to set up an appropriate balance of powers within a new organization with quasi-governmental powers when the participants and constituents come from geographic places that have widely divergent views regarding democratic institutions, centralized authority and even "fairness" itself. And, even if we could write a "bill of rights" for the net and create a judiciary branch capable of interpreting it, such mechanisms would deal only with the most fundamental problems -- hardly supplying an appropriate source for the myriad decisions that must be made, somehow, every day regarding whether some particular online behavior is or is not permitted in the context in which it occurs.
Consider what makes the net work. The net itself solves an immensely difficult collective action problem: how to get large numbers of individual computer networks, running diverse operating systems, to communicate with one another for the common good. And, yet, the net is really nothing more than a set of voluntary standards regarding message transmission, routing, and reception. There is not now and never was a central governmental body that decreed or voted to adopt a law stating that TCP/IP is required to be used by those wishing to communicate electronically on a global scale, or that HTTP is required to be used if you wish to communicate over a particular portion of the global network (the World Wide Web). If you connect to a neighboring host and send out packets of data that conform to the protocol, your messages can be heard by others who have adopted the protocol. All are free to decline to follow the standard and to obey some other protocol, and they will communicate only to those who, literally, speak their language. Many people and groups have, in fact, seceded (or declined to join) the global net, forming local area, or proprietary wide area, networks.
The "rule-making" process for baseline protocols of the net had none of the vices of centralized, top down, bureaucratic or political, governance. The rules instead evolved from the decentralized decisions by individuals to adopt a promising standard because it served their own interests. To be sure, the successful rules were created by individuals and small groups and they spread more quickly as a result of some government funded innovation and communications. But they did not stem from or rely in any way on the law of a geographically defined territory. They did not require any agreement among representatives of sovereign nations. And they did not require the creation of a new policy making apparatus that required an international bureaucracy or that faced questions regarding the accountability of decisionmakers to particular constituencies. Minorities are protected by their right to propose inconsistent rules and, indeed, to follow those alternative rules if they believe the benefits of doing so outweigh the costs. Enforcement of a predominant rule set stems naturally from uncoordinated, decentralized decisions.
Can this same decentralized process, used to choose technical protocols, also successfully govern the behavior of users and sysops and domain name registries -- and allow an effective and just pursuit of the public good on the net? A number of objections might be raised:
-- Objection 1: Any system of rules governing human behavior must have mechanisms to define, identify, and punish wrongdoing. The rules heretofore adopted in regard to transmission protocols can do so unambiguously because a packet either has TCP/IP headers or it doesn't, a document either complies with HTML standards or it doesn't, and violators are automatically detected and "punished" by becoming effectively dysfunctional and invisible to the system as a whole. How can rules regarding "fraud" or "infringement" emerge from a similar decentralized process of voluntary sysop adherence, when those actions cannot be so identified by the automatic interaction of software protocols?
Clearly, the preservation of civilized interaction on the net will require something other than mere "working software code." But sysops already can, and do, using words, define the kinds of behavior that they consider wrongful in the context of their own systems. The contracts they offer to their subscribers describe minimally acceptable behavior. And sysops can and do banish users who violate their rules. Moreover, both users and sysops can and do interpret the rules they set for themselves to decide what messages they wish to accept and from whom. Thus, human intervention -- wetware code -- substitutes for the software code that enforces the rules at lower levels in the protocol stack. The resulting programs may not operate with flawless consistency. But they can "work" -- in the sense of producing relatively predictable results. (Indeed, some of the technical protocols produce results that have a certain amount of unpredictability -- and the interactions between software agents will increase that uncertainty.) Thus, the mere fact that any decentralized, emergent law would involve subjective judgments does not mean that it could not have the same virtues that have been demonstrated for such decentralized mechanisms as a source of the "rough consensus and working code" that makes the net possible.
-- Objection 2: At present, virtually anyone can get a Domain Name and IP address from some source and set up a system. What prevents the rise of "data havens" that harbor a new type of pirate ship? Or, given pervasive interconnections, what prevents someone from moving rapidly from one system to another, perpetrating harm on each but escaping before being caught?
These are substantial objections, to be sure. It may be that the best answer is that system operators and their users possess an entire arsenal of means by which wrongdoers may be excluded and repelled. Sysops could point their domain name servers only to registries that condition access to domain names on agreement to abide by whatever minimum standards of conduct they deem appropriate. Sysops can themselves deny access to anyone who does not act responsibly, as they define that term. Insofar as particular IP addresses are associated with "wrongdoing" (however one may choose to define that), sysops and users can establish software filters that exclude messages from that address -- a form of electronic confederation of local communities. Insofar as domain names and IP addresses underlie the links on the world wide web, sysops who host and users who create web pages can decide who to point to -- and can point to other web sites only if satisfied with the policy choices made by those other parties. Those who are especially concerned about potential harm from outside sources could, at the extreme, install software filters that preclude receipt of any message that does not originate from a known location or that has not been rated by a trusted source.
Although it would certainly seem an over-reaction to screen out all communications with anyone who has not passed some "good netizenship" test, the many different kinds of filters available to sysops and users serve to demonstrate that the real power to create a responsible public order on the net lies with the participants themselves. Sovereigns cannot compel agreement by rogue countries to accept a new global law. Outlaws cannot be isolated and "punished" based on their physical location -- because the net cannot readily recognize the geographical location from which online activities take place. But it is relatively easy -- or, at least, easier -- for sysops to isolate and shun wrongdoers on the basis of their virtual location. And it is relatively easy for domain name registries and sysops to use the ID-issuance process as the occasion to establish minimum standards of behavior applicable inside particular domains.
And the problem posed by the ability of individuals to perpetrate harm, suffer banishment from particular communities, and re-appear in new electronic guises to perpetrate further harm can be "solved" by the use of registries tying issuance of electronic identities to identifiable individuals (and the use of stable authentication devices). This, it need hardly be said, is a controversial suggestion, replete with deep consequences for personal privacy and the control over one's personal identity -- and that is precisely the point: rather than attempt to achieve a worldwide consensus on the "right" answer to this question in order to decide in some quasi-legislative fashion whether or not to implement such registries, we can allow individual users to decide for themselves whether the benefits of such systems in terms of personal security outweigh the costs to their personal privacy or other values they may hold dear.
-- Objection 3: How can we know that a decentralized, emergent form of law making for the net will produce a definition of the "public good" with which we agree? How can the nations of the world defer to this semi-chaotic process of private decision- making without knowing how far the net result will diverge from whatever set of rules existing sovereigns would have adopted if they had undertaken to deal with the problems of the net by traditional means?
This objection can be turned on its head. As suggested in the prior paragraph, ultimately the best case for decentralized, emergent law stems from the lack of any objective criteria by which to measure whether any particular rule set is optimal. Should we have one uniform set of rules on any particular topic, such as the application of copyright law to online postings, or should we allow every "local" online area to set its own rules? That question, obviously, must be answered by both local and global constituencies -- and there is a strong argument that decentralized decisionmaking is the most cost effective and accurate means of reflecting the real preferences of participants on the net with regard to the structure of electronic federalism. Insofar as we want a form of collective action that is relatively sure to reflect the views of participants of the net, and that attains this accuracy at minimum cost, we probably cannot find a better mechanism. The interaction between rulemaking by sysops and navigational decisions of users produces a very close fit between the overall desires of the online public and the actual experiences of these participants. The option and burden of identifying connections to avoid, or users to banish, or specific messages to filter, can be spread across the entire base of net users, as sysops and users decide unilaterally whether or not to rely on the recommendations of others. This new form of "net leverage" makes policing the boundaries of one's personal portion of Cyberspace light work indeed, as compared with the task of projecting your views onto some centralized global policy making process.
The central problem for the regulation of the net is not how to enforce widely agreed upon rules but, rather, how to define what we mean by wrongdoing. What is infringement? or defamation? or a privacy invasion? or unacceptably obscene? The net creates many different phenomena requiring the development of new rules. Is it wrong to send large volumes of unsolicited commercial email? What notice should be given before a host system writes a cookie file to my hard disk? Under what circumstances is it wrong to "cache" a web page? The great virtue of the net is that it allows multiple, incompatible resolutions of such policy questions -- by giving those who disagree about the resolution of any particular question the means to avoid contact with one another. If many people disagree on applicable standards, then the remedy is to allow each set to migrate to different areas of the net (and to filter out messages from non-congenial areas). If almost all agree on certain basic standards, then that agreement itself solves the problem, because outliers can be banished and their negative externalities filtered into irrelevancy. There will always be "outlaws" on the net, but the power of digital filtering is such that they can be kept safely away from the mainstream, and vice versa, most of the time.
-- Objection 4: How can a decentralized, private system of this type produces anything we should call "law"? Consensual adoption of standards of behavior is just "ethics" or "custom." And protection against wrongdoers has always required something stronger than that -- the ability to deploy physical force in the real world, to put people in real jails. And justice has always meant treating like cases alike, giving everyone equal rights.
Because the decentralized system creates a different sets of rules for people who visit different online spaces, those who think of law as a single, consistent set of timeless, top-down authoritative texts will be unconvinced -- or unhappy.. A decentralized, emergent rule-evolving system does destroy traditional notions of equality before the law. Even thinking about the idea that applicable rules may be different for every single user, depending on where the user goes, and how that user's electronic agents negotiate with incoming messages, makes a lawyer's head ache. (It certainly brings a new meaning to "choice of law"!) But the best answer to this objection is that the basic purpose of law is to maximize individual rational choice, and to minimize the role of power or force enjoyed by the few, in determining outcomes. Because the net allows easy movement among differing spaces, and also allows easy (online) separation of people who don't agree on basic groundrules, it can afford NOT to be consistent. Its inconsistency gives all users an equal right to create or select the rule sets they find most empowering. This new emergent law of the net can thus maximize individual, well informed, choice without failing to give clear prospective guidance regarding applicable rules (for any particular online space).
The more daunting part of this objection is the suggestion that, ultimately, the only way to subdue a determined wrongdoer -- a really nasty person or group -- is with the use of physical force. We certainly can't allow physical force to be deployed in a decentralized way by private parties. But the objection that online rules are not truly "law" until backed up by physical force is, at most, a semantic challenge -- because the premise of the decentralized means of net governance is that the nations of the world would agree to enforce the rules established by sysop and user interactions, just as they now enforce contracts entered into by private parties. Contracts are more than mere ethics. They can and do guide behavior. They get enforced. And their mandatory terms constrain options available to those who would rent a car, or a hotel room, just as clearly as would a local ordinance (indeed, usually more clearly and flexibly, because the sources for contractual rules are more dispersed, more market driven and more flexible than any legislature or bureaucracy). Thus, the prospect of governance of the net by means of decentralized, emergent decisionmaking does not imply that the use of force by governments would be irrelevant -- only that it would be deployed in the service of rules made predominantly by private actors.
-- Objection 5: Even if the nation states were to agree to defer, in general, to the results produced by decentralized, emergent rulemaking of the type described, surely they would feel the need to intervene to outlaw actions that threatened important interests of their constituencies. And, given the degree of disagreement, worldwide, on any given issue, wouldn't those exceptional interventions gobble up the general rule, leading us back to governance by territorially-based sovereigns, some international treaties and maybe some transnational organizations gingerly establishing some non-controversial rules?
There is no doubt that every country -- and state, county and city -- will feel a strong urge to intervene, to try to regulate the net, in some instances. But there is an existing international law doctrine of "comity" that strongly suggests that no local jurisdiction should have the right to impose its own law in preference to that of a foreign jurisdiction that has a stronger interest in the appropriate resolution of the dispute in question. How often and how strongly local sovereigns will seek to intervene to regulate the net will depend, in turn, on how strong a case can be made by net participants that they, collectively, have the strongest interest in being allowed to make the rules. And this will turn, in part, on whether the net in fact engages in responsible self-regulation or, instead, becomes a haven for types of activities that large numbers of local authorities define as serious wrongdoing. In short, decentralized, emergent law can work to create some form of order -- but whether that order will face a determined onslaught of local regulation depends on whether the self-regulatory order is sufficiently "responsible" from the perspective of the territorial powers that be.
-- Objection 6: The law that emerges from this decentralized process is not predictable. It may not be stable. It might not produce results we would, from our current perspectives, consider wise.
It's true that complex adaptive systems can behave in ways that are difficult, or even impossible to predict. But the top down lawmaking process is itself unpredictable and can produce results many think are unwise. Moreover, if anything, decentralized systems can behave in a much more stable fashion than those driven by centralized decisionmaking. The failure (or success) of a particular domain name registry, or a specific set of policies imposed on a subset of users, will have far less disruptive effect than the failure (or mistake) of a single centralized policy body. If a user leaves an online system because she disagrees with the local rules, or a particular system fails because many users share such a view, merely normal marketplace disruptions result. Finally, the beauty of complex adaptive systems is that they conduct very efficient searches. By allowing the "initiative" of individual components to find a wide range of alternative starting points, and then relying on the uphill march of imitation and the copying facilitated by online communications of the reputations of various online venues, the decentralized, emergent law-making system will, quite likely, find the high ground in policy space.
But the argument that all online activities must be governed by traditional, top down, "real world" legal standards, just because they might have an important impact on the real world, proves a little too much. The very same thing could be said about forms of interaction among all self-regulatory groups, including churches, clubs, stock-exchanges, business firms and non-governmental organizations. We want, in general, to empower individuals and groups to regulate their own affairs. The mere possibility of negative externalities cannot itself, in the abstract, answer the question of net governance.
More importantly, even with respect to those online activities that do have demonstrable and negative impacts on the real world, the claim that rules must be imposed from above depends ultimately on the right of the persons who wish to impose those rules to govern the conduct of the persons who, by definition, have decided to adopt a different set of rules. If the offending online activity is conducted by people who live in a different country from those who are offended, the "wrongdoers" may have a legal right (under the law of their local state) to engage in the activity in question. No matter how strongly the residents of Tennessee feel about an obscene web page based in Amsterdam, there may be no basis in current law on which to control that activity by means of top-down traditional legal rules.
Nevertheless, one might postulate some activities online that threaten most "real world" citizens and that are not even tolerated and protected by any geographic state. Imagine, for example, a host computer based in international waters, using wireless technology to broadcast messages that enable terrorist groups to make chemical weapons and coordinate an attack. In such a case, the small net "community" that patronized that online venue would be, in effect, at war with both the remainder of the online world and the authorities and citizens of the real world as well. Any scheme for responsible self- regulation of the net must deal, conceptually, with this kind of "hard case." The decentralized, emergent form of order deals with this kind of case by conceding that, at this extreme, the national sovereigns may exercise force to defend their interests -- just as sysops and users may use their own electronic form of force (their prerogatives to banish users or to leave a particular system) to set boundaries on others' otherwise uncontrollable wrongdoing.
Because the net does have real impacts on the real world, it can best hope to preserve its decentralized, emergent character if it "renders unto Caesar what is Caesar's". If online commercial transactions radically undermine the tax system needed to build the physical infrastructure, territorial governments may be entitled to defend that core interest by shutting down host sites specially designed to facilitate such transactions. Perhaps the sysops who facilitate online transactions should anticipate this problem and create a centralized means for online commerce to pay a fair tax, to a single collector, as a means of discouraging more disruptive and potentially duplicative enforcement proceedings by local authorities. In the face of such responsible action by the net itself, local authorities would be more likely to recognize that they do not possess a writ that automatically runs to all areas of the net, and that they should not seek to set the rules governing online interactions that don't seriously negatively impact the tangible world they govern.
It bears remembering that the users of the net and the policy-setting inhabitants of the "real world" most affected by online activities are, to a first approximation, the same people. As a group, netizens will not want to support activities that threaten core values they share as citizens of the tangible world. There are lots of novel issues that arise from the ability of electronic messages to cross territorial borders -- but those issues will be resolved in part by means of the ability of every user and system to filter out unwanted messages, and, in part, by means of the ability of such cross-border communications to bring the world into close agreement about core values.
Notwithstanding the overlap between real world policy makers and participants on the net, there is reason to fear that the communications process by which various constituencies come to understand their own interests -- and as a result of which the various sources of authoritative decision making will decide to proceed or to defer to others better situated to make and enforce applicable rules -- needs to be enhanced. Rule- setting on the net has traditionally been done by a small group of engineers who have had an aversion even to discussion of softer policy matters. Those who make national laws have not generally understood the special policy issues posed by the net or been aware that the net is capable of producing responsible self-regulation. If either has had a concern that rules made by the other would impinge to an unacceptable degree on the vital interest of a particular geographic or online territory, there has been little opportunity to communicate that concern effectively to the other.
The need for workable, accepted rules to govern the new trade in ideas and services that takes place online can be largely satisfied without any massive new legislative agenda or rulemaking spree engaged in by the established authorities of the tangible world. But what may be needed is an enhanced communications process by means of which territorially based communities can make known to the net community when online actions threaten their vital interests. And, of course, there is a need for methods by which the online community can more effectively communicate to the governments and citizens of the "real world" when the actions and policies of these traditional venues impinge strongly on online values or freedoms.
There is reason to believe that even these challenging and contentious issues can be resolved by decentralized, emergent decision-making. For example, even the apparently fatal conflict between inconsistent domain name registration systems seem likely to be avoided without top down controls. Most users and sysops are interested in accurate routing of messages. They will want to connect to the DNS sources that most other people use. The confusing dual and inconsistent system hypothesized above is unstable (or, rather, could never arise in the first place) because the most widely used of the two system would soon attract virtually all of the traffic (or all of the connections from downstream systems). Thus, the successful deployment of two incompatible versions of a top level domain, or two widely distributed yet incompatible sets of lookup tables, is about as likely as the simultaneous growth in one country of two languages that have the same words mapped onto different meanings. Because people look to reliable sources for their information, good data drives out bad. Network economies, and the creation of order from positive returns to information structure, save the day. Thus, while it is physically possible and currently lawful for system operators to create a mess by pointing their domain name resolving software at multiple incompatible sources, that nightmare scenario probably won't occur and need not be prohibited by legislation of any kind.
Similarly, there is good reason to believe that some combination of domain name registries and domain name holders will impose rules, in connection with issuance of access to the net, that reflect widespread agreement regarding what constitutes wrongful action. And there is reason to think that the actions of users in selecting the online venues they visit and support will in general keep such regulation from becoming either too oppressive or too lax. The online public will band together to electronically shun tyrants and detectable crooks. (We may need to worry more about due process, to protect unpopular minorities from mobs, than law enforcement.) Dens of thieves -- and packets of data sent from known dens of thieves -- can generally be avoided online. If your concern is privacy, you can avoid web sites that don't post verifiable tokens indicating that they observe rules that you deem satisfactory. If you don't want certain sites to link to your web page, you can use software code to preclude such links. No matter what your policy goal, acting through the filtering power of sysops and users is much more likely to produce rapid and effective results than lobbying for the enactment of some rule by a new transnational legislative body.
To be sure, no decentralized, emergent lawmaking scheme of this kind could be 100% effective. But substantial consensus is, operationally and practically, quite important even when total compliance cannot be achieved (as, by the way, is always the case, even under centralized law enforcement regimes run by non-democratic sovereigns). The reason is, again, that screening applicants for IDs and filtering out known sources of wrongful messages reduces the impact of wrongdoing even when it does not put the wrongdoer totally out of business. Trademark infringement tolerated on web pages in a small corner of the net, and filtered out by most responsible sysops once they are on notice of the problem, simply cannot cause very much confusion.
In contrast, efforts to use traditional top down, centralized lawmaking to solve the problems posed by the domain name system seem very likely to fail in more brittle ways. Take the question whether the establishment of alternative top level domains should be allowed. (See, in this regard, the Internet-Drafts "New Registries and the Delegation of International Top Level Domains," available at ftp://ds.internic.net/internet-drafts/draft-postel-iana-itld-admin-02.txt, and "Creation of and Registration in the '.NUM' Top Level Domain," available at ftp://ds.internic.net/internet-drafts/draft-rfced-info-schultz -00.txt.) In the context of decentralized, emergent law, this question is decided in the marketplace -- by multiple independent decisions whether to register with a new purported provider of a ".biz" domain or whether to point a local domain name server at another root lookup table. If, in contrast, the US were to purport to exercise its powers to prohibit the establishment of alternative top level domains, it would simply fail to attain jurisdiction over the actions of some host provider operating entirely outside the US. Perhaps the US could effectively prohibit all US hosts from pointing their local domain name servers at that remote root table, but the First Amendment might constrain such restrictions, which in any event would look silly if they contrasted with practices in other countries and the desires of the US market. If the US instead sought to negotiate a new treaty agreement governing the establishment of new top level domains, it would likely still be defining the shape of the bargaining table while the issue was decided, de facto, by engineering decisions. If it sought to delegate decisions on top level domain structure to a new international organization, it would face unanswerable questions about how to compel compliance with that organization's decisions by private actors. And even if most countries agreed to defer to and enforce the decisions of such an organization, there would be a serious question how to assure that its decisions reflected the needs and preferences of all participants in net based commerce. The best indicator of those needs and preferences would be the independent actions by sysops and users to accept a new standard. Traditional law making processes become, in the context, a counterproductive extra loop that at most delays or misdirects decisions otherwise likely to evolve rapidly from a decentralized process.
Similarly, contrast the likely outcome of traditional approaches to a problem involving potential conflicts between online behavior and the interests of those who may not even participate in net commerce: the use of domain names that overlap in some way with trademarks used on physical products. A US statute outlawing the registration of a domain name by someone other than the holder of the corresponding copyright would face many problems. The registrant (and even the registry) might not be subject to US jurisdiction, unless the US is prepared to take the expansive view that anyone making use of pointers on computers in the US can be governed by US law (a position that would come back to bite the US, badly, in its efforts to stave off regulation of US businesses by foreign governments). Treaties regarding intellectual property rights might address this issue -- but they would likely founder on the problem that multiple trademarks applicable to particular types of goods in particular geographic areas, and subject to differing local laws, might all seem equally entitled to preempt the others. As John Gilmore has said, you just cannot pour ten pounds of trademarks into a one pound domain name sack. And some countries might well take the view that domain names should be treated somewhat differently from traditional marks. A new international organization might try to establish a uniform policy. But the unsatisfied trademark owners could still file suit in local courts, which might not defer to this new international organization. And, in any event, dissatisfied domain name holders could support a competing registry. The apparent simplicity and uniformity of centralized, top down solutions to the new issues posed by the net tends to vanish upon closer inspection.
The issuance of domain names is a good core problem in connection with which to consider net governance because this natural "real estate" of the net presents, by its very nature, the occasion for solving the governance problem in a more general way. Every domain name, and every subsidiary email address, is issued by a registry or party that enters into a contract with the recipient. That contract, pursuant to which access to netizenship is granted, might contain various conditions that facilitate the growth of responsible self-governance by the net. The right balance between those conditions that ought to be imposed at the top level (on the domain name holder, by the registry) and those that ought to be imposed at lower levels (either on an ID holder, or as a condition for entry into a particular online space) will emerge as a result of a continuous negotiation between the various levels. We probably need competing domain name registries to allow this system to operate in a dynamic and responsive manner. While this contract-driven process will surely result in diversity, it (and the filtering and free movement provided by the net) will help to prevent conflicts and to limit the impact of any actions considered "wrongful" by particular constituencies.
Of course, we know that this model can work in some contexts -- itís called federalism, and we have witnessed its success in our own constitutional system and elsewhere. Net federalism looks very different than what we have become accustomed to, because here individual network systems, rather than territorially-based sovereigns, are the essential governance units. The law of the net has emerged, and we believe can continue to emerge, from the voluntary adherence of large numbers of network administrators to basic rules of law (and dispute resolution systems to adjudicate the inevitable inter- network disputes), with individual users ìvoting with their electronsî to join the particular systems they find most congenial. Or perhaps we should think of this as the law of the nets, for one possible (or even likely) consequence of this evolutionary development is the emergence of multiple network confederations, each with their own ìconstitutionalî principles -- some permitting and some prohibiting, say, anonymous communications, some imposing strict rules regarding redistribution of information and others allowing freer movement -- enforced by means of electronic fences prohibiting the movement of information across confederation boundaries.
This governance model does not, of course, ìsolveî all problems (any more than the existing system of international law perfectly administers and enforces rules in the non- virtual world), and these governance issues will not be resolved overnight. Nor will they be resolved without a struggle; existing sovereigns are not about to blithely relinquish their law-making prerogatives and go quietly into that ìTwilight of Sovereigntyî that Walter Wriston presciently foresaw several decades ago. But the Internet itself is testament to the enormous power of this rule-making model that we ignore at our peril and to the likely detriment of all those seeking to take advantage of the remarkable potentials of the new medium.