a review of Laura DeNardis, The Internet in Everything: Freedom and Security in a World with No Off Switch (Yale University Press, 2020)
by Richard Hill
This highly readable book by a respected mainstream scholar (DeNardis is a well-known Internet governance scholar; she a professor in the School of Communication at American University and the author of The Global War for Internet Governance and other books) documents and confirms what a portion of civil society has been saying for some time: use of Internet has become pervasive and it is so deeply embedded in so many business and private processes that it can no longer be treated as neutral technology whose governance is delegated to private companies, especially not when the companies in question have dominant market power.
As the author puts the matter (3): “The Internet is no longer merely a communications system connecting people and information. It is a control system connecting vehicles, wearable devices, home appliances, drones, medical equipment, currency, and every conceivable industry sector. Cyberspace now completely and often imperceptibly permeates offline spaces, blurring boundaries between material and virtual worlds. This transformation of the Internet from a communication network between people to a control network embedded directly into the physical world may be even more consequential than the shift from an industrial society to a digital information society.”
The stakes of the Internet of Things (IoT) (which a respected technologist has referred to as the Internet of Trash) are high; as the author states (4): “The stakes of cybersecurity rise as Internet outages are no longer about losing access to communication and content but about losing day-to-day functioning in the real world, from the ability to drive a car to accessing medical care. Internet-connected objects bring privacy concerns into intimate spheres of human existence far beyond the already invasive data-gathering practices of Facebook, Google, and other content intermediaries”
The author explains clearly, in non-technical language, key technological aspects (such as security) that are matters of concern. Because, citing Janet Abbate (132): “technical decisions can have far-reaching economic and social consequences, altering the balance of power between competing businesses or nations and constraining the freedom of users.” Standardization can have very significant effects. Yet (147): “In practice, the individuals involved in standards setting have been affiliated with corporations with a stake in the outcome of deliberations. Participation, while open, requires technical expertise and, often, funding to meaningfully engage.”
The author also explains why it is inevitable that states will take an increasing interest in the governance of the Internet (7): “Technology policy must, in the contemporary context, anticipate and address future questions of accountability, risk, and who is responsible for outages, security updates, and reliability.”
Although the book does not explicitly mention it (but there is an implicit reference at (216)), this is not surprising in light of the historical interest of states and empires in communications, the way in which policies of the United States regarding the Internet have favored its geo-economic and geo-political goals, in particular the interests of its large private companies that dominate the information and communications technology (ICT) sector worldwide, and the way in which United States has deliberately used a human rights discourse to promote policies that further those geo-economic and geo-political interests.
As the author puts the matter (182, echoing others: “Powerful forces have an interest in keeping conceptions of freedom rooted in the free flow of content. It preserves revenue structures of private ordering and fuels the surveillance state.” However, “The free flow of information rests on a system of private surveillance capitalism in which possibilities for individual privacy are becoming increasingly tenuous. Governments then co-opt this infrastructure and associated data to enact surveillance and exert power over citizens. Tensions between openness and enclosure are high, with private companies increasingly using proprietary technologies, rather than those based on open standards, for anticompetitive means. Trade-secrecy-protected, and therefore invisible, algorithms make decisions that have direct effects on human freedom. Governments increasingly tamper with global infrastructure – such as local DNS redirection – for censorship.” In this context, see also this excellent discussion of the dangerous consequences of the current dominance by a handful of companies.
One wonders whether the situation might have been better if there had been greater government involvement all along. For example, as the author correctly notes (157): “A significant problem of Internet governance is the infinite-regress question of how to certify the authority that in turn certifies an online site.” In the original X.509 concept, there was no infinite-regress: the ultimate certification authority would have been an entity controlled by, or at least licensed by, a national government.
The book focuses on IoT and the public interest, taking to task Internet governance systems and norms. Those who are not yet familiar with the issues, and their root causes, will be able to understand them and how to deal with them. As the book well explains, policymakers are not yet adequately addressing IoT issues; instead, there is a focus on “content” and social media governance issues rather than the emerging, possibly existential, consequences of the forthcoming IoT disruption. While many experts in Internet matters will find much familiar material, even they will benefit from the author’s novel approach.
The author has addressed many issues in her numerous articles and books, mostly relating to infrastructure and the layers below content, as does this valuable book. However, in my view, the most important emerging issue of Internet governance is the economic value of data and its distribution (see for example the Annex of this submission and here, here and here.) Hopefully the author will tackle those subjects in the future.
The author approvingly notes that Morozov has criticized (181) “two approaches: cyber-utopian views that the Internet can vanquish authoritarianism, and Internet-centrism that pushes technological solutions without regard to context.” She correctly notes (183) that “The goal of restoring, or preserving, a free and open Internet (backward-looking idealization) should be replaced with the objective of progressively moving closer to freedom (forward-looking).” While the book does explain (Chapter 6) that “free and open Internet” has been used as an agenda to further certain political and economic interests, I would have welcomed a more robust criticism of how that past idealization got us into the dangerous predicament that the book so well describes. The author asks (115): “A critical question is what provides the legitimacy for this privatization of governance”. I would reply “nothing, look at the mess, which is so well described in the book.”
For example, the author posits (92): “Many chapters of Internet innovation have proceeded well without heavy regulatory constraints.” This is certainly true if “well” is intended to mean “have grown fast”; however, as the book well documents, it is not true if “well” is intended to mean “safely and deliberately”. As the author states (94): “From the Challenger space shuttle explosion to the Fukushima Daiichi nuclear disaster, the history of technological success is the history of technological failure.” Yes, and those failures, in particular for the cited examples, are due to engineering or operational mistakes. I posit that the same holds for the Internet issues that the book so clearly highlights.
The author recognizes that (181) “The majority of human Internet users are not in the United States or even in so-called Western countries”, yet the book struck me as being US-centric, to the point of sometimes appearing biased. For example, by never adding “alleged” to references of Russian interference with US elections or cyber-espionage; by adding “alleged” to references of certain US actions; by not mentioning supposed or acknowledged instances of US cyber-activities other than the Snowden revelations; by stating (211) “Energy-grid sensors in the United States should not be easily accessible in Russia” when the converse is also the case. And by positing (88): “One historical feature, and now limitation, of privacy advocacy is that it approaches this area as an individual problem rather than a global economic and political problem.” Non-US advocates have consistently approached this area from the global perspective, see for example here, here and here.
Chapter 1 reminds us that, at present, more objects are interconnected than are people, and explains how this results in all companies becoming, in sense, Internet companies, with the consequence that the (17): “embedding of network sensors and actuators into the physical world has transformed the design and governance of cyber infrastructure into one of the most consequential geopolitical issues of the twenty-first century.” As the author correctly notes (18): “Technical points of control are not neutral – they are sites of struggle over values and power arenas for mediating competing interests.” And (19): “the design of technical standards is political.” And (52): “Architectural constraints create political constraints.”
Chapter 2 explains how the so-called Internet of Things is more accurately described as a set of cyber-physical systems or “network of everything” that is resulting in (28): “the fundamental integration of material-world systems and digital systems.” And it explains how that integration shapes new policy concerns, in particular with respect to privacy and security (38): “Cybersecurity no longer protects content and data only. It also protects food security and consumer safety.” (Market failures resulting in the current inadequate level of cybersecurity are well explained in the ISOC’s Global Internet Report 2016.)
Chapter 3 explains how cyber-physical systems will pose an increasing threat to privacy. For example (60): “Privacy complications emerging in embedded toys underscore how all companies are now tech companies that gather and process digital data, not just content intermediaries such as Google but toy companies such as Mattel.” The author joins others in noting (61) that: “In the digital realm generally, it is an understatement to say that privacy is not going well.” As the author correctly notes (61): “Transparency and notice to consumers about data gathering and sharing practices should represent absolute minimal standards of practice. But even this minimal standard is difficult to attain.” I would have added that it is difficult to attain only because of the misguided neo-liberal policies that are still being pursued by the US and its allies, and that perpetuate the current business model of (61): “giving away free services in exchange for data-collection-driven targeted advertising” (for an in-depth discussion of this business model, see here). The author joins others in noting that (62): “This private surveillance is also what has enabled massive government surveillance of citizens”. And that (64):” This revenue model based on online advertising is only sustainable via the constant collection and accrual of personal information.” She notes that (84): “The collection of data via a constant feedback loop of sensors and actuators is part of the service itself.” And that (85): “Notice and choice are already problematic concepts, even when it is feasible to provide notice and gain consent, but they often do not apply at all to the Internet of things.”
While it is true that traditional notice and consent may be difficult to implement for IoT, I would argue that we need to develop new methods to allow users to control their data meaningfully, and I believe that the author would agree that we don’t want IoT to become another tool for surveillance capitalism. According to the author (84): “Public policy has to realistically acknowledge that much social and economic good emanates from this constant data collection.” In my view, this has to be qualified: the examples given in the book don’t require the kind of pervasive data trading that exists at present. Yes, we need data collection, but not data exploitation as currently practiced. And indeed the author herself makes that point: it is indispensable to move towards the collection of only the data that are (88) “necessary for innovation and operational efficiency”. As she correctly notes (91), data minimization is a core tenet of the European Union’s GDPR.
The chapter includes a good introduction of the current Internet economic model. While most of us acquiesce at least to some degree to that business model I would dispute the author’s assertion that (62): “it a cultural shift in what counts as the private sphere”, for the reasons explained in detail by Harcourt. Nor would I agree that (64): “It has also changed the norms of what counts as privacy.” Indeed, the EU’s GDPR and related developments elsewhere indicate that the norms imposed by the current business model are not well accepted outside the USA. The author herself refers to developments in the USA (82), the “Fair Information Practice Principles (FIPPs)”; I would have preferred a reference to the COE Convention 108.
The author asks, I presume rhetorically, whether (65): “voluntary corporate measures suffice for protecting privacy”. The author correctly wonders whether, given the nature of IoT devices and their limited human interfaces (65): “traditional approaches such as notice, disclosure, and consumer choice even apply in cyber-physical systems”. That is, privacy problems are even more challenging to address. Yet, offline law applies equally online only, so I believe that we need to find ways to map the traditional approaches to IoT. As the author correctly says (84): “The question of what can and should be done faces inherent challenges” and conflicting values may need to be balanced; however, I don’t think that I can agree that (84): “In the realm of content control, one person’s privacy is another person’s censorship.”
The author correctly states (88): “Especially in the cyber-physical arena, privacy has broad public purposes, in the same way as freedom of expression is not only about individual rights but also about public power and democratic stability.” See in this respect GDPR Recital 4.
Chapter 4 explains well how insufficient cybersecurity is creating significant risks for systems that were traditionally not much affected by cyberthreats, that is, how what was previously referred to as the “physical world” is now inextricably tied to the cyberworld. As the book says, citing Bruce Schneier (106): “your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you’ve never heard of to consumers who don’t care about your security.” As the author says (109): “IoT devices are vulnerable, and this is a market failure, a political failure, and a technical failure.” (The market failures are well explained here).
The chapter reminds us that cyberattacks have taken place and might turn into cyberwar; it also reminds us that some cyberattacks have been carried out using malware that had been stockpiled by the US government and that had leaked. The author outlines the debate involving (99): “the question of when governments should notify manufacturers and the public of vulnerabilities they detect, versus stockpiling knowledge of these vulnerabilities and exploits based on these bugs for cyber offense.” In my view, there is little to be debated: as the President of Microsoft said (cited at (123)), governments should agree not to stockpile vulnerabilities and immediately to notify them; further reasons are found in (125); for concrete proposals, see here.
The author reminds us that (118): “Liability is an area in need of regulatory clarity.” This is reinforced at (225). As the author notes (120): “Those who purchase and install systems have a responsibility to be aware of the product’s privacy and security policies.” This is true, but it can be difficult or impossible in practice for consumers to have sufficient awareness. We expect people to check the pressure of the tires on their cars; we don’t expect them to check the engineering specifications of the brakes: manufacturers are liable for the engineering.
The author also notes that (118): “the tradition, generally, has been immunity from liability for Internet intermediaries.” This is also discussed at (170). And, citing Jack Balkin (219): “The largest owners of private infrastructure are so powerful that we might even regard them as special-purpose sovereigns. They engage in perpetual struggles for power for control of digital networks with nation states, who, in turn, want to control and co-opt these powerful players.” As the author notes, there are some calls to move away from that tradition, see for example here, in particular because (221): “ Much of the power of private intermediaries emanates from massive data collection and monetization practices that underpin business models based on interactive advertising.” I disagree with the author when she posits that (223): “shifting to content-intermediary liability would create a disincentive to innovation and risk.” On the contrary, it might unlock the current non-competitive situation.
The author asks, I trust rhetorically (121): “To what extent should back doors be built into cyber-physical system and device encryption for law enforcement access in light of the enormous consequences of security problems”. The answer is well known to anyone who understands the technical and policy issues: never (see also here and here). As the book puts the matter (126): “Without various types of encryption, there would be no digital commerce, no online financial systems, and no prospect whatsoever for private communications.”
Chapter 5 explains why interoperability is at the heart of networks and how it has been evolving as the Internet moves away from being just a communications infrastructure, towards the infrastructure needed to conduct most all human activities. As the author correctly notes (145): “companies sometimes have an interest in proprietary specifications for anticompetitive effects and to lock in customer bases.” And (158): “social media platforms are, in some ways, closer to the proprietary online systems of the 1990s in which users of one online service could not communicate with users on other systems.” (A proposed solution to that issue can be found here). But it is worse that that (145): “intellectual property rights within connected objects enable manufacturers to control the flow of data and the autonomy and rights of individuals even after an object is purchased outright.” It would have been nice if the author had referenced the extensive criticism of the TRIPS agreements, which agreements are mentioned in the book (146).
Chapter 6 reviews the “free and open Internet” mantra and reminds us that Internet freedom aspirations articulated by the US (164) “on the surface, comport with U.S. First Amendment traditions, the objective of maintaining the dominance of U.S. multinational tech companies, and a host of foreign-policy interventions contingent on spreading democratic values and attenuating the power of authoritarian regimes. Discourses around Internet freedom have served a variety of interests.” Indeed, as shown by Powers and Jabolonski, they have been deliberately used to promote US interests.
Regarding Net Neutrality, as the author explains (177): “The complexity of the issue is far greater than it is often simplistically portrayed in the media and by policymakers.”
The author correctly notes that (177) multistakeholder governance is a fetishized ideal. And that (167): “a … globally influential Internet freedom formulation views multistakeholder governance models as a mechanism for democratic ideals in cyberspace.” That view has been disputed, including by the author herself. I regret that, in addition to works she cites, she did not also cite her 2013 paper on the topic and other literature on multistakeholder governance in general (see the Annex of this submission to an ITU group), in particular that it has been criticized as being generally not fit for purpose.
The chapter gives a good example of a novel cyber-physical speech issue (184): “Is a 3D-Printed Gun a Speech Right?”
Chapter 7 summarizes the situation and makes recommendations. These have largely been covered above. But it worth repeating some key points (199): “Based on the insufficient state of privacy, security, and interoperability in the IoT, as well as the implications for human safety and societal stability, the prevailing philosophy of a private-sector-led governance structure has to be on the table for debate.” In particular because (199): “local objects are a global Internet governance concern”.
The chapter also includes a good critique of those who believe that there are some sort of “invariant” architectural principles for the Internet that should guide policies. As the author correctly notes (210): “Setting aside global norm heterogeneity and just focusing on Western democracies, architectural principles are not fixed. Neither should they be fixed. … New architectural principles are needed to coincide with the demands of the contemporary moment.”
Chapter 8 reminds us that the world has always changed, in particular due to the development of new technologies, and that this is what is happening now (215): “The diffusion of digital technologies into the material world represents a major societal transformation.” And (213): “Another sea change is that Internet governance has become a critical global political concern.” It includes a good discussion of the intermediary liability issues, as summarized above. And reinforces points made above, for example (227): “Voluntary industry self-regulation is inadequate in itself because there is not always an endogenous incentive structure to naturally induce strong security measures.”
The author has written extensively on many topics not covered in depth in this book. People who are not familiar with her work might take certain statements in the book out of context and interpret them in ways with which I would not agree. For the sake of clarity, I comment below on some of those statements. This is not meant to be criticism of the book, or the author, but rather my interpretation of certain topics.
According to the author (40): “Theft of intellectual property – such as trade secrets and industry patents – is a significant economic policy concern.” (The same point is made at (215)). I would argue, on the contrary, that the current intellectual property regime is far too strict and has become dysfunctional, as shown by the under-production of COVID vaccines. While the author uses the term “piracy” to refer to digitally-enabled copyright infringement, it is important to recall that piracy is a grave violent crime, whereas copyright infringement is an entirely different, non-violent crime.
The author correctly notes (53) that: “The goal of preserving a ‘universal’ Internet with shared, open standards has always been present in Internet policy and design communities.” However, I would argue that that goal was related to the communications infrastructure (layers 1-5 of the OSI model), and not to the topics dealt with in the book. Indeed, as the book well explains (135), there is a clear trend towards proprietary, non-shared solutions for the cyber-physical infrastructure and the applications that it supports.
The author states (54): “The need for massive pools of globally unique identifiers for embedded systems should provide an incentive for IPv6”. This is a correct, but a non-specialist may fail to understand the distinction between addresses (such as IP address) that identify a place to which information should be sent; and names, that uniquely identify an object or entity regardless of location. In that context, an IP address can be viewed as a temporary identifier of an object. The same caveat applies later (193): “A common name and number space is another defining historical characteristic of the Internet. Every device connected to the Internet, traditionally, has had a globally unique IP address.”
The author states (66): “government surveillance primarily occurs via government requests to the private sector to disclose data”. My understanding of the Snowden revelations is different: the US government has its own extensive and pervasive data collection capabilities, quite independently of the private sector’s capabilities.
According to the author, anonymous speech and behavior on the Internet were facilitated by (77): “Making unique Internet identifiers logical (software defined) rather than physical (linked to specific hardware)”. Again, a non-specialist may be induced in error. As the author well knows (having written authoritatively on the subject), it was only the shortage of IPv4 addresses that resulted in DHCP and widespread NATting; the original idea was that IP addresses would be statically device-specific; but they are addresses, not names, so they cannot be hard-coded, otherwise you couldn’t move the device to another location/network.
The author posits regarding privacy (91): “Like most areas of Internet governance, it is a multistakeholder problem requiring multistakeholder solutions.” As already noted, the author has analyzed multistakeholder processes, their strengths and shortcoming, and the book explains clearly why the private sector has little interest in promoting privacy (as the author says (92): “In many ways, market incentives discourage privacy practices”), and given the visible failure of the Internet’s multistakeholder model to address fully the priorities set forth in the 2005 WGIG report: administration of the DNS root zone files and systems; Internet interconnection costs; security; and spam.
A mention of ENISA (which is cited in elsewhere in the book) would have been welcome in the catalog of policy proposals for securing systems (110).
The author notes (142): “ITU historically provides telecommunication specifications in areas such as Internet telephony.” Non specialists may not be aware of the fact that the key term here is “such as”: historically, the ITU did far more, and continues to do more, albeit not much in the specific area of Internet telephony.
According to the author (148): “Similar to W3C specifications, IETF standards are freely published and historically unconstrained by intellectual property rights.” This is not quite correct. IETF has a RAND policy, whereas W3C does not.
The author states that (153): “The original design of the Internet was itself a radical rethinking of existing architecture.” That is an overstatement: the Internet was an evolution of previous architectures.
According to the author (156): “Blockchain already underlies a variety of mainstream financial and industrial service implementations.” She does not provide a reference for this statement, which I (and others) find dubious, in particular with respect to the qualifier “mainstream”.
The author states that IETF engineers (166): “created traditions of bottom-up technical design.” I believe that it would be more accurate to say that the IETF built on and reinforced such traditions, because, since the 19th century, most international standards were designed by bottom-up collaboration of engineers.
The author posits that (166): “the goal of many standards is to extract royalties via underlying patents”. This may be true for de facto standards, but it is not true for international standards, since IEC, IETF, ISO, and ITU all have RAND policies.
With respect to the WGIG (178), the non-specialist may not be aware that it was convened by consensus of the UN Member States, and that it addressed many issues other than the management and administration of Internet domain names and addresses, for example security and spam. Most of the issues are still open.
Regarding the 2012 WCIT (182), what happened was considerably more complex than the short (US-centric) mention in the book.
According to the author (201): “Data localization requirements, local DNS redirection, and associated calls for Internet sovereignty as an ideological competitor to the multistakeholder model of Internet governance do not match the way cross-border technology works in practice.” This appears to me to contradict the points well made elsewhere in the book to the effect that technology should not blindly drive policies. As already noted, the book (because of its focus) does not discuss the complex economic issues related to data. I don’t think that data localization, which merits a serious economic discussion, should be dismissed summarily as being incompatible with current technology, when in my view it is not. In this context, it is important to stress the counter-productive effects of e-commerce proposals being negotiated, in secret, in trade negotiations (see also here and here). The author does not mention them, no doubt because they are outside the main scope of the book, but perhaps also because they are sufficiently secret that she is not aware of them.
The author refers to cryptocurrencies (206). It would have been nice if she had also referred to criticism of cryptocurrencies, see for example here.
Again, these quibbles are not meant to detract in any way from the value of the book, which explains clearly, insightfully, and forcefully why things are changing and why we cannot continue to pretend that government interventions are not needed. In summary, I would highly recommend this book, in particular to policy-makers.
Richard Hill is President of the Association for Proper internet Governance, and was formerly a senior official at the International Telecommunication Union (ITU). He has been involved in internet governance issues since the inception of the internet and is now an activist in that area, speaking, publishing, and contributing to discussions in various forums. Among other works he is the author of The New International Telecommunication Regulations and the Internet: A Commentary and Legislative History (Springer, 2014). He writes frequently about internet governance issues for The b2o Review Digital Studies magazine.