Select Committee on European Union Written Evidence

Memorandum by Jeffrey Cooper and Amy Friedlander, PhD, Centre for Information Strategy and Policy, Science Applications International Corporation, on Trust: A Baseline for Future Governance and e-Commerce

    "Everything comes if a man will only wait." Benjamin Disraeli (Earl Beaconsfield) Tancred. Book iv. Chap. viii. (1847.) As found in Bartlett's Familiar Quotations, (

      In a White Paper issued in December 1999, Internet co-inventors Robert Kahn and Vinton Cerf drew a critical distinction between the Internet as a communications architecture and the Internet as an information system. In the former guise, the Internet deals with "communications connectivity, packet delivery and a variety of end-end communications services"—all essentially engineering issues. In the latter, the architecture concerns "creation, storage and access to a wide range of information resources" that are "independent of its underlying communications infrastructure."[30] Thus, issues that arise from the communications infrastructure, while technically challenging, have the property that satisfaction can be measured according to widely accepted engineering criteria: speed, robustness, reliability, and so on. However, satisfaction with respect to information, by which we mean content and services—including all of e-commerce and e-business—can be much more difficult to achieve since the benchmarks are largely qualitative and, most importantly, culturally based. What constitutes satisfactory protection of personal privacy? What is the nature of the intellectual property regime, whom does it favor, and how will it be enforced? And what are the relative roles, responsibilities, rights and privileges of governments and their citizens in creating and maintaining the rapidly expanding Internet?

      However, a fundamental question from either perspective is building trust in the system. By this, we mean trust in the engineering of the system itself—that it is secure, robust and reliable—as well as trust, or confidence, in the information and services that rely on the engineering architecture—that they are authentic and will perform and be used according to our expectations. To use the language of command and control, that the system, whether engineering or information, does what we expect it to do when we expect it to do so, and that it does not do what we expect it not to do.[31] Many of the issues that presently dominate the global e-agenda traverse both the engineering and the content (for want of a better word) domains. Information security, for example, is both an engineering challenge and a question of data integrity, fraud and personal privacy. But in a rapidly changing environment in which the tools, the services and the potential threats are changing before our eyes, we argue that it is better to do less rather than more, lest well-intentioned legislation on the books becomes an impediment to future change.

    For the command and control analogy, see Stephen J Lukasik, Will We Consider Ourselves Better Off? IEEE Internet Computing (January/February 2000), p 47.

      The current furore over Napster in the United States is a case in point. Napster is an Internet service that enables visitors to share MP3 music files and play music files located on others' computers, most of which are pirated versions of copyrighted music. Sued by the Recording Industry Association of America (RIAA) in December 1999, Napster claimed in its defence that it serves as a "mere conduit," and is thereby exempted from responsibility for any copyrighted material transmitted. This was a position that appeared to be consistent with the terms of the Digital Millennium Copyright Act, passed in 1998, in part to bring the US into compliance with existing international treaty obligations concerning intellectual property rights. Chief Judge Marilyn Hall Patel of the US District Court of Northern California, however, rejected Napster's claim that it was a "mere conduit." The judge's ruling leaves Napster with two remaining legal arguments: that Napster functions as an Internet search engine, a category of site protected by federal law; and that while pirated music is sometimes transmitted on the site, Napster has other legal uses.[32]

      Since Judge Patel's finding, the Progressive Policy Institute, a New Democrat think tank affiliated with the Democratic Leadership Council (DLC), has released a policy brief that, the New York Times reports, calls for additional restrictions. Specifically, the report recommends that the digital copyright law be amended "to hold Napster, its users, and similar services accountable for copyright violations while maintaining protections from liability for service providers that are innocent bystanders to digital piracy."[33] According to the story, the report goes on to suggest that Napster be required to collect personally identifiable and verifiable information from users—such as credit card data that presumably would be made available to enforcement agencies. The story concludes with a comment from the Electronic Frontier Foundation, a civil liberties group, taking strong exception: "To say you are going to take a whole new category of software and strangle it in its infancy because one of its first uses resulted in piracy—that's a bad idea."[34]

      This disagreement between the Progressive Policy Institute (PPI) and the Electronic Frontier Foundation (EFF) is interesting from the perspective of the implications of new Internet uses on American politics. Until now, we would have expected both groups to line up on the same side, and for both to oppose intervention—either in the technology or in matters of collecting personal information for purposes of enforcement. Yet the fissure between former allies—between the New Democrats, who have consistently called for less intrusive government as well as industry self-regulation, and the privacy advocates, who tend to be inherently suspicious of government and its potential abuses—could not be more obvious. To compound the confusion, it is not hard to find some privacy advocates in the US, at the Electronic Privacy Information Center (EPIC), calling for more government intervention to protect individual liberties.

      We recognise that the mosaic of interests that broadly coalesce into the American political party system will not be replicated elsewhere; indeed, it is well known that the political parties in the UK, for example, are far more disciplined and more formally integrated into the parliamentary system. Yet similar fault lines in traditional coalitions will be engendered by other Internet issues (eg taxation of goods and services). Thus, the Napster case suggests the ways that new technologies shred existing alliances and that increasingly, alliances will be fluid and temporary, adding to the difficulties in charting a course in an unstable world.


    Embedded in the notion of "trust" are the values of consistency, coherence and fairness. Citizens are more likely to have confidence in their civil servants and elected officials when public behaviour meets public expectations and is generally predictable and fair. Moreover, instilling trust frequently lies in the details: having trains run on time matters. Thus, in the US, a major concern during the Y2K roll-over was ensuring that Social Security checks[35] arrived on time, and to that end, they were mailed out early. The stability of the financial system was also critical, and not surprisingly, both oversight agencies and the financial institutions moved early and aggressively to ensure that their systems were Y2K compliant and backed-up.

      The fundamental success in averting a Y2K meltdown, perhaps, disguises the difficulties of sustaining a baseline of social and economic security within and among nations at the threshold of the new millennium. Since 1990, the world has been and remains catalysed by three major and mutually-reinforcing trends: democratisation of political systems following the end of the Cold War; globalization, with the increasing interaction and interdependency of market economies; and the Information Revolution. Specifically:

      1.  The collapse of the Soviet Union accelerated a larger trend that has resulted in a sharp tilt of the political landscape towards democracy. Even fundamentally authoritarian regimes have integrated certain democratic forms if not the values of liberal societies.

      2.  Characterised by high economic growth rates and the integration of free market economies, increased access and opportunities across borders, and decreasing central government control, liberalisation has unleashed a wave of restructuring, striking at formerly autarkic economies, previously dominant industries, industrial monopolies, and established economic hierarchies. At the same time, it is creating a single worldwide market with its own terms and conditions that discipline particularistic and mercantilist tendencies.

      3.  The Information Revolution encompasses the new technologies for collecting, processing, transmitting, distributing, and displaying information.

      While the information technology industry had evolved significantly during the Cold War, the downsizing of the defence technology sector following the collapse of the bipolar competition shifted the weight of technology research and development to the private sector. This commercial proliferation of advanced technologies is altering all the familiar political, economic, socio-cultural, and military dimensions at a rate that most people find difficult to accommodate and in ways that they do not fully comprehend.[36] Other new technologies, such as biotechnology, put similar premiums on research and knowledge as opposed to exploitation of physical resources and mass production.

      The Information Revolution is creating three distinct types of effects: New information technologies democratise access to and control over information, thus reinforcing other factors for democratisation. Increased fractiousness and posturing inhibiting reaching enforceable multilateral agreements can be an unintended consequence. Information has also become the key to economic globalisation by increasing awareness of worldwide alternatives and by reducing classic sources of transactional friction. Even states that are committed to maintaining party control, such as China, find it difficult to choose to stand aside. Finally, the seamless interconnectivity that prevents tight control of information by governments also allows access to previously protected spaces, reduces control by established institutions, and makes them potentially vulnerable to penetration and "infection" by outside information, both electronic and cognitive. Thus, strategic threats to critical national infrastructures no longer come only from nation-states.

      Perhaps the two most important induced effects are the loss of control by traditional élites and hierarchies and the accompanying growth of transparency and openness. Democratisation shifted the locus of political power to individuals and away from traditional leaders. Liberalisation has caused much of the same impact in the economic domain by replacing top-down decisions with bottom-up choices made by markets with broad public participation in many activities formerly controlled as "closed" systems. Finally, the technologies of the Information Revolution have diffused the ability to control the power of information. Similarly, transparency and openness have been fostered by greater public participation in the political and economic decision processes since neither democracy nor markets work well without the free flow of information, producing a "virtuous circle" of information, liberalisation of markets and democratisation.

      Unfortunately, this virtuous circle also has a dark side. Increased openness and transparency and the decline of centralised, hierarchical control have contributed in many countries to internal disintegration along ethnic, religious and linguistic lines as well as to aggression among neighbouring states over geographic, resource or iconic issues. Weak civic structures with only the veneer of democracy have resulted in instability, particularly with the abrupt shift from notoriously strong authoritarian structures to new chaotic democracies.

      The loss of centralised control has also cost states their traditional monopoly over the instruments of large-scale violence as well as its legitimate use. This reduces the ability of states to maintain domestic order and increases the chances for the proliferation of technologies and weapons of mass destruction. Instability and systemic corruption under the veneer of democracy, coupled with displaced social, political and economic elites, create an environment in which separatist pressures for self-determination can easily blend with often popular nationalism to produce strong revanchist tendencies, frequently fed by charismatic or populist leaders, who see an opportunity to garner power.

      At the same time, fears over contamination by foreign values and concern over "cultural imperialism" find fertile ground not only in smaller states but also in larger, traditional world powers (and sometimes allies) such as China, Russia, and France. Governments fear the loss of control over their domestic economies as well as loss of economic sovereignty, particularly where internal stability has often been maintained through national controls on markets, such as taxes and regulations. There is strong evidence that reduced government control leads to substantially increased volatility—of exchange rates, trade balances, and interest rates, among others; much of the impact is due to increasing marketisation and securitisation of critical elements of the world's economy. Furthermore, investors, especially foreign investors with fiduciary responsibilities, demand openness and transparency of economic decisions, and increasingly of political decisions as well, potentially provoking further destabilisation, division and unrest.

      Against this broader background, the "Love Bug" virus of early May suggests some of the vulnerabilities of the Internet and the societies increasingly dependent on it. From the perspective of infrastructure, inter-connected, tightly-coupled systems promise greater efficiencies whether viewed at the network level or at the machine level. However, greater interdependency can increase vulnerability[37]—taking down the electrical system now affects not only light, heat and power but also asynchronous and real-time access to information vital to financial markets, banking systems, retirement funds and an increasing array of records from health care to voting to corporate personnel. It is analogous within the machine. As Kurt Kleiner and Duncan Graham-Rowe argue in the New Scientist, one of the features that enabled the virus to sweep through individual machines so easily is the close connection between the Microsoft operating system and the Outlook e-mail application.[38] Greater separation between the application software and the underlying system as well as greater diversity among software applications would "make software more resilient" and increase security. The trade-off, it is feared, would be greater inefficiencies in the system, in the worst nightmare, a return to a version of the days in which an e-mail account through AOL did not talk to an e-mail account through CompuServe.

      Thus, the infrastructure—the nuts, bolts, wires and waves together with the systems software that makes the hardware work—matters to the applications, to the informational parts of the system with which most of us will interact. And information security concerns apply to the communications architecture as well as to the uses that ride that architecture. The "Love Bug" virus is believed to have cost people millions in downtime and maintenance.[39] This means that the disputes and decisions that traditionally take place within such venues as standards setting organisations, the International Telecommunications Union, the World Trade Organization and so on, which govern what the facilities will look like, matter to policy arenas such as e-commerce. It is no accident, to use a familiar Soviet expression, that telecommunications access has been consistently cited as a barrier to the expansion of e-commerce from Europe to Japan or that mobile e-commerce, ie e-commerce that relies on wireless, mobile devices, is likely to take off where traditional, wireline telephony has posed a constraint. For example, on May 19, 2000, the Financial Times reported that 25 per cent of the population of Estonia were using the Internet based on new wireless technologies rather than older telephone lines, reflecting slow development of telecommunications during the previous Communist period.[40]

    But we caution against positing a false substitution effect, namely, that expansion of mobile services necessarily implies a decline in wireline services. Historically, the TCP/IP protocol itself came about as a means of linking ALOHANet (in Hawaii) via satellite with networks in the continental US; the goal was to render the communications signals "platform independent." This was successfully achieved in the early 1970s, and convergence of formerly distinct technologies (cable, telephony, broadcast, etc.) now creates havoc in the traditional telecommunications and broadcast industries: publishing, entertainment (TV, radio, and film), and a host of other industries that relied wholly or in part on these systems. The alignment of certain functions with certain technologies is collapsing, rendering existing regulatory, economic and commercial arrangements muddied and disorganised. Is cellular telephone service, for example, to be priced the same as wireline? What functions and capabilities are suitable to a small handheld device? The absence of a space for a keyboard on a small portable is supposedly offset by a voice interface, but at least one very well-regarded computer designer has expressed skepticism, at least for the near term.[41]

      From the technological perspective, there is a tension between those who argue that information appliances (specialised devices that have relatively limited functionality) are the vehicle for e-commerce services and those who believe in general purpose machines (the personal computer). It is probably too early to tell which kind of device will predominate. Rather, in the near term, an ecology of information devices and services, including business, financial and retail consumer services, is likely to ride on an increasingly heterogeneous infrastructure that represents the convergence of a series of communications technologies. We do feel confident in predicting total global growth. Indeed, some have argued that the relative position of the U.S. e-Commerce market will decline, so that by 2003, US Internet users may sink to 37 per cent from 42 per cent by the end of 2000. Western Europe is expected to reach almost 30 per cent by 2003, followed by the Asia-Pacific region at 27 per cent, and Latin America at more than 5 per cent.[42]


    Eighteen months ago, the US technical and business press began to talk about the significance of e-business—the back office systems that greatly improved internal transactions processing as well as vendor relationships—relative to e-commerce, the retail end. How we talk about e-commerce—or e-business—has much to do with the context that supports it as well as the users who demand it. As Jeetu Patel, Mark Schenecker, Gautam Desai, and Jason Levitt pointed out in their December 7, 1998 Information Week story, "there are two major types of e-commerce applications: business-to-consumer and business-to-business."[43] The hype over the holidays in 1999 was about business-to-consumer; the predictions then—and now—are that the "real impact" will be in business-to-business. This was followed by a report from the US Department of Commerce that also found that e-business applications dwarfed e-commerce applications by orders of magnitude.[44]

      Moreover, we are more properly talking about many e-businesses, not just one. For example, a survey conducted by Beyond Computing Magazine in 1999 found that only 25 per cent of the technology and business executives polled sold products or services via the Internet, and 62 per cent of those who did found that these sales accounted for less than 10 per cent of their total revenues. However, these same enterprises relied heavily on Internet technologies to improve their communications, internal operations, and supply chains, and 82 per cent of them expected to expand this functionality in 1999.[45] Depending on the user, e-business or e-commerce can mean anything from website and intranet technologies to data warehousing and knowledge management tools to outsourcing help desk applications to shared utilities. For example, an Internet service provider offers clients access to servers, high speed connections, and some constellation of technical and administrative services. One class of relatively new Web-based applications are the applications service providers (ASPs), who offer small and medium-sized companies the advantages of industrial strength applications without the threshold costs of installation and development—for a monthly charge.[46]

    As of this writing, the next "big thing" is collaborative commerce or "c-business," which the Gartner Insight electronic newsletter characterises as the "most advanced form of e-business." c-Commerce applications enable multiple enterprises to work interactively to spend, save and solve problems, which can include restructuring relationships as needed. These applications are expected to be deployed by 2004 and are best suited to "enterprises that are heavily dependent on their ability to innovate and serve customers."[47]

      A lot can happen in four years. But as of today, the application service provider market, which could easily evolve into supporting collaborative relationships, is looking robust.[48] The New York Times has reported estimates of this market at $5.3 billion in revenues by 2001, up from $400 million in 1998. Small businesses in the US, a group that is finding the ASP model very attractive, represent an annual market worth $71.2 billion and the size of this market is expected to grow from 28 million to 37 million by 2002. PC manufacturers have seized this opportunity to provide services. And the service is cheap. "For monthly fees starting at just $14 a month for Internet-based support or Web hosting services," Bronwyn Fryer writes in the May 2000 issue of Upside Magazine, "small businesses can finally avail themselves of the kind of computing support that corporations enjoy. The players include vendors such as Micron, Dell and Gateway as well as a "new wave of service companies" that woo small business with a variety of soup-to-nuts computing services"—including e-Commerce capabilities.[49] Such third-party relationships are not exclusive to North America. Given Scandinavia's shortage of IT workers, the Financial Times reports, Estonian companies are developing specific products to fill Scandinavian companies' outsourcing needs.[50]

      Thus, what the consumer sees in a sense is not the totality of what the consumer gets, and consumer protection is more than protection from shoddy merchandise and slipshod fulfillment.[51] In addition to the infrastructural concerns, such as information security and quality of service, the relationship between buyer and seller may actually be mediated by several parties, not all of whom may be visible to the buyer. Moreover, the intricacies of issues that appear to be internal to business can profoundly affect what consumers see and what they believe that they are seeing. For example, recent court cases concerning trademarks, cybersquatting, naming and addressing, and metadata point to the growing reality that consumers believe that the URL has semantic meaning in the conventional sense. That is, "IBM" means "International Business Machines" and so on. Recently, a US federal appeals court struck down an attempt by one vendor to use the trademark of a second as part of its metadata—which the user never sees but search engines use in retrieving results on behalf of users—thus, intending to lead users to its site, rather like false signage on the highway.[52] Trademarks, metadata, search engines—these are all technical issues in law or engineering, yet they take on increasingly important implications for consumers, blurring the distinctions between what is business-to-business, which has been largely handled by contract, and what is business-to-consumer, which has historic ties to consumer protection regulation.

    It is telling that both of these stories are from magazines that cover the business and technical community and tend to be sympathetic to, if not enthusiastic about, the technological potential and virtuosity.

      Layers of relationships that are internal to business but that profoundly affect the end-consumer are hardly new to the Internet. The invention of money meant that buyer and seller were emancipated from the problem of fortuitous double coincidence of need that had characterised barter. Fiat money (rather than specie or gold coin) meant that paper bank notes circulated in lieu of the treasure itself. But paper money, particularly in the US, was only as good as the bank that issued it and for the first part of the 19th century, some money (that printed in Philadelphia, for example) was considered "better" than others because the issuing banks were considered more reliable. Indeed, there were arbitrage markets in the US that dealt in various financial instruments: currency, promissory notes, bills of exchange, and so on. The system enabled goods to be traded over long distances, which was particularly important to the expansion of staple crop agriculture, but there was a series of intervening risk factors that concerned the integrity of the bank and/or the trading house that essentially underwrote the loan. The advent of checking in the 1850s required two unspoken gestures of trust: that the writer of the check banked with a reliable bank, which was itself enmeshed in a series of financial relationships with other institutions, and that the writer of the check had sufficient funds on account to cover it. The system frequently imploded, and much of the financial history of the U.S. from 1800 to 1930 is a series of 20-year cycles of panics and crashes frequently occasioned by crises of public confidence that precipitated a run on a local bank that could not be contained. In the U.S. example, stability of the banking and financial systems was finally achieved through a combination of industry self-regulation and agreed-upon ground rules established by state and federal authorities.[53]

      This is a simple example; the mosaic of interests and agencies that will be required to make e-Commerce work will require similar spoken and unspoken acts of trust among many parties, only two of which are the "buyer" and the "seller." The question is: How is trust instilled in the system? And whose responsibility is it?


      Any assessment of the role of government and the extent of its legitimate functions, including how it exercises its powers, requires attention to three attributes of the new information realities in the context of globalisation:

      1.  from information scarcity to abundance;

      2.  from top-down control towards collaborative co-ordinative mechanisms; and

      3.  from restricted, hierarchical one-way communications towards many-to-many networks—all of which have profound political (as well as economic and social) effects.

      Thus, a key element in developing an information policy and strategy, whether national or global, which includes a policy on e-Commerce, is to realign responsibility, authority, and capability. Responsibility is defined here to mean the inherent obligation to address the problem. Authority is defined as the legitimated power to address the specified problem; it is granted through explicit delegation by the people (or, in some systems, seizure by coup de main), and it may be possessed by several holders concurrently. Finally, Capability is the physical potential or expert competence to address the problem. If an acceptable solution is to be found, agreement on these issues must, however, be achieved within the bounds of the social compacts that bind nations together.[54]

      How this is accomplished—that is, the choices of where to vest these powers and which instruments to use—must be consistent with a nation's political beliefs, economic system and social fabric. Many societies might choose to place all these powers in the hands of the national government. In contrast to many European nations, the tradition in the United States has been to diffuse authority among levels of government (federal, state and local) and, indeed, to retain many powers in the hands of the people themselves. Whatever the frictional losses, Americans prefer foregoing the arguable advantages of centralised decision-making, believing that there is less risk in minimising the powers granted to government.[55] Alternatively, the American public often prefers to disperse authority among many government hands, introducing additional complexity. Anne-Marie Slaughter of Harvard University Law School has recently argued that the state is becoming disaggregated as certain functions are handled more or less informally through global networks rather than through formal, state-to-state instruments.[56] Her strongest evidence arises in financial and technical areas, but her larger point has been echoed by others who point to human rights and environmental agendas that have become influential albeit non-state voices.[57]

    Therefore, solutions to these critical choices appear in learning how to induce, not order, appropriate actions by all the relevant players, most significantly individuals and private organisations. Civil society must be prompted to accept responsibility, perhaps through liability and contract enforcement, and employ its capabilities to protect its equities, not rely on government to protect vital information services.[58] Thus, New Scientist editorialised on 13 May 2000, that consumers have a responsibility: to insist that the products they buy are better. "It's time to start demanding better security. Consumers need to push back. . . Nothing will change while we continue to tolerate lax security."[59]

  The more that private entities address these important needs, the less excuse there will be for intrusive government intervention. Indeed, to a large extent, the capabilities, along with the necessary authorities, to protect information and information systems, even those performing vital societal and national security functions (except for those clearly owned and operated by governments), already lie in the hands of private owners and operators. However, these perspectives on distributed power and more voluntary co-ordination are not fully shared around the globe, witness debates over privacy and "safe harbour." Therefore, it is to be expected that these different perspectives will give rise to significant tensions as international agreements are sought. We note, however, that how the issues are defined will remain critical: there are important distinctions among personal privacy, data protection and fraud that must be understood since these definitional subtleties govern what should remain subject to private agreements—contract—and what is fair game for public involvement and oversight.

  Based on the example of international spectrum allocation in the early 20th century, it is likely that consensus can be reached on topics of shared concern. In the case of radio communications in the days before commercial broadcasting, consensus on how to measure the asset, ie, the electromagnetic spectrum; on who the relevant players should be, ie, representatives of nations; and on core values, ie, safety at sea and the primacy of national-cum-military interests, enabled interested parties to draft treaties that were eventually ratified, albeit in the wake of the Titanic disaster.[60] Working out similar arrangements for our own revolution will likely take time; adaptation to revolution is, by necessity, a long-term process. How we choose to realign and balance these three critical powers tells us much about our view of the social contract. That said, the existence of WIPO and progress in international database agreements, which may not be to the liking of everyone, indicate that a framework can be created that does not impede continued growth and diffusion of the technology and the services that ride it. Yet.

  Ultimately, the government's paramount responsibilities are: (1) to provide "rules of the road" that foster respect for appropriate behaviours and establish behavioural norms; (2) to allow other parties, including other states, to accept their appropriate responsibility and exercise their capabilities; and (3) to commit to vigorous prosecution when criminal information incidents occur. Over the past several years, legislative actions to define criminal activities with respect to information systems, coupled with increasingly effective and publicised prosecutions for violations of those rules, have begun to establish societally acceptable guidelines for behaviour. But as has been widely reported in the US press, one of the inhibitors to identifying the possible creator of the "Love Bug" virus is limitation in Philippine law, which substantially slowed down law enforcement.

  Actions by governments are crucial to building trust, which is the essential element of any co-operative regime. Therefore, they underpin the overall framework for participatory governance by the entire information community. It is clear that government will not be able to execute its responsibilities for the information age without non-government entities and private individuals playing a major role in securing the information infrastructure. Indeed, given the disarray among the three critical powers of responsibility, authority, and capability, private users, whether as individuals or organisations, may have the best opportunity to align them in dealing with information problems throughout the entire spectrum of potential incidents. Private entities may be able to accomplish prevention and remediation of many impacts within the context of an "information community" most efficiently and at least cost. Self-regulation by industry in the domain of privacy is a case in point. Whether this model can be used to solve issues related to taxation is an open question.[61]

  In the developed world, individuals, organisations, or governments will not be able to choose to remain apart from the interconnected network of systems and relationships if they wish to function as part of society. An over-riding feature of this new environment, therefore, is "reciprocal dependency"—denoting sharing not only in the mutual benefits but also becoming both reliant on the information web in which we are all enmeshed and vulnerable to the actions and behaviours of others, whether intended or unintended. While this feature of reciprocal dependency may not be new, the speed and intensity of its occurrence do set it apart, as do the immediacy of the linkages to distant and unknown parties.

  This situation, in essence, creates an "information commons"—a convergence of self-interest—in which there are few barriers to entry, and in which involuntarily shared risks and exposure to the consequences of the acts of others are automatic. That is, these same characteristics of an information-dependent society—the advantages of nearly instant connectivity and access to a wealth of information resources—also create a series of "security and vulnerability externalities" that result in an extremely high degree of reciprocal dependency among all elements of the community. Under these circumstances, even accidents and negligence, much less malicious acts by others, can create serious, even catastrophic, impacts not only on individuals and private entities but also on the nation's general welfare and common defence.

  In developing ways to address the difficult choices among the values that are in tension, mechanisms for governance must accommodate the organic processes that are crucial to societal adaptation of a new technology. Process implies a progressively achieved outcome rather than simply a clearly perceptible end-state or result that can be accomplished all at once, and this suggests that recognising where we are in the process may be important to understanding the best way to proceed.

  Models for governance range from: (1) leaving protective measures in individual hands as a matter of retaining personal responsibility (individual self-defence); to (2) accepting the responsibility for protecting the community's interests and retaining the authority in the community's hands (collective self-defence); to (3) shifting the authority for community protection to the government (formally delegated authority). The real issue is probably not to choose among them as exclusive options, but how to dynamically balance among them.

  This choice depends fundamentally upon several crucial factors: first, where one wishes to retain responsibility as opposed to authority; second, how much authority the community is prepared to place in someone else's hands; and third, where the capabilities to ameliorate problems are lodged.

  The new information structures are imposing divergent exogenous costs on many segments of societies, both domestic and global. As the exogenous costs—"externalities" to economists—of these behaviours became more widely appreciated, attitudes began to change; these activities impose costs on the community at large, not just the careless individual.[62] This is, in fact, the very same situation in which we find ourselves living in a co-dependent information society. Increasingly, certain types of activities—ones dangerous to others—run afoul of tightening community intolerance for "reckless disregard" of norms and laws designed to protect the common welfare of the entire community. Society should be no less intolerant of similar types of information abuses that could endanger others.

  Within the information domain, tensions between local identity and personal choice, on the one hand, and attempts at pre-emption or imposition of uniform standards by national authorities and others, on the other hand, have already created significant tensions. Increasing globalisation, with its attendant standardisation and homogenisation of behaviours as well as products, may deepen tensions even further. Concern over "American cultural hegemony," renewed over the recent announcement of the AOL/Time-Warner merger, may already be as widespread as concern over our present unchallenged military advantage. Negotiation of safe harbour provisions, while limited, suggests that there may be ways to come up with solutions. However, we note that the safe harbour discussions were fairly protracted and well-defined, confirming our own belief that where the Net is concerned, less is always more and wait-and-see may be better. But this means a willingness to come up with ex post solutions in response to clearly defined evidence of problems rather than plunging ahead with rules for an unknown world.

  While national governments clearly have paramount responsibility for governing information infrastructures, and governments at all levels share the responsibility for prosecuting criminal activity, there are three reasons they cannot perform these functions in the information domain without substantial assistance from private individuals and organisations. First, appropriate activities by private actors are crucially important because private actors, in reality, hold most of the technical and physical capabilities for preventing potentially adverse information incidents or ameliorating their consequences. Second, as governments increasingly become buyers of commercial information and telecommunications services, this reliance on private capabilities by the government will continue to grow even with respect to protecting government's own critical information systems. Third, exactly because information is sensitive and information systems so pervasive, private parties—at least those in the US who even under new estimates will still represent the plurality of users in 2003—are not likely to extend the government writ so as to give government additional, and necessarily intrusive, authorities for information protection sufficient to allow the government to perform these functions successfully. Indeed, current suspicions of FIDNet, which claims merely to enable information to flow smoothly among concerned agencies, contain, as a subtext, the fear that this will open the way for intrusive domestic investigations and access to sensitive information.[63] The uproar in Europe over ECHELON suggests that Europeans are at least as sensitive to potential incursions into personal privacy as we are; the difference, however, is what entity to trust?


  Assuming then, that the business of government is to ensure the welfare of its citizens and that trust is vital both to the legitimacy of government as well as the effective functioning of the cyberworld, what should we expect? And what should we do?

  1.  Increasing interdependence. Efficiencies in scale and scope as well as network externality effects mean that we are likely to see greater system interdependence at all levels, internationally and within national boundaries, as well as convergence of the various communication technologies. This is primarily an infrastructure issue. Indeed, efficiency is one of the drivers of e-commerce as well as e-business. Maintaining long term trust requires reliability, and this demands systematic attention to information security. By this, we mean expansion and protection of the infrastructure systems as well as recourse when information transmission and content are maliciously compromised. We emphasise that compromising information content has several facets, each of which should be dealt with separately. Nevertheless, while acts of God—fire, storm and war—may be risks that we should all expect to assume, there is rather broad scope for human endeavour, starting with insistence on standards for product liability that include information security.[64]

  Thus, our first recommendation is systematic attention to the infrastructure that enables provision of service in all of its manifestations. This includes electrical power, wireless and wired plant systems. It is the foundation of trust and of reliable e-commerce systems and is an area in which responsibility, authority and capability are recognised. Moreover, attention to the engineering infrastructure is least influenced by culturally based value systems and more amenable to agreed upon criteria for performance. Not all issues will be amenable to an engineering approach, but many will be. We suggest that issues in which we can agree upon outcomes and metrics represent a way to build trust in the process itself. Good starting points would be a focus on security and robustness, a bias towards heterogeneity rather than uniformity, and a stress on appropriate systems, such as for "mission critical" applications.

  2.  Rapidly increasing diversity in functionality, products and services (wireless and wired; appliances and general purpose machines). Some of these are familiar and will fit fairly well into known systems for sale and distribution. Much of e-commerce is behaving like traditional mail order catalogue services, and existing consumer protection systems may migrate well to these products and services. There remains an urgent need for appropriate liability, which to us means a minimalist approach to new legislation, but one that will let civil action take its course.

  For example, on April 27, 2000, Xerox and Microsoft announced the formation of a new company to produce and market software that protects copyrighted material.[65] Unlike the proposal to regulate Napster, this approach provides a tool that shifts the responsibility for rights enforcement to the rights holder and away from the intermediary search service. There exists in U.S. law the notion of an "attractive nuisance." This means, for example, that the family that owns a home in-ground swimming pool has a positive obligation to maintain a fence around the pool, which reduces but does not eliminate the risk that neighbourhood children will wander in and drown. Given a reasonable software tool, owners of valuable content, who wish to store that content on machines that can be reached via the network, might be required to observe some level of protection as a condition of buying the content. The objective here would be to design a simple, transparent tool—not jettison copyright protection or strangle a new technology before its potential has even been explored. Together with greater emphasis on product liability, such tools put technological teeth into the argument that civil venues—rather than regulatory venues—can be effective.

  Our second recommendation is a modified "wait and see" approach, that is, systematic review of existing avenues for consumer protection to see how problems that do, in fact, arise may be handled. At present, most EU nations conduct e-commerce within their national borders so international concerns may, in fact, be more pressing for US firms. However, recent liberalisation of EU export restrictions on encryption technology may change the balance.[66]

  3.  Framework for accommodating differences. We understand that these perspectives on distributed power and more voluntary co-ordination are not fully shared around the globe and that many issues, such as "privacy," "obscenity" and "fair use" are culturally based. Therefore, it is to be expected that these different perspectives will give rise to significant tensions as international agreements are sought. How the issues are defined will remain critical. As of this writing, a French court has "told Internet portal Yahoo on Monday to `make it impossible' for Web surfers in France to gain access to sales of Nazi memorabilia which appear on one of the websites it hosts." These actions, the judge told the firm, were "an offence to the collective memory of the country." The company was ordered to report back on July 24 to explain the measures it had taken to prevent the French from participating in the sales despite the fact that the company had argued that it was "impossible" to scan all the content on its auction site.[67]

  We understand that the French court finds these activities offensive, but the extensible nature of the underlying technology means that those who attempt to isolate an activity will find themselves circumvented. Thus, the goal should be the largest tent with agreed-upon frameworks, or networks, for resolving differences since stopping the activity cold is unlikely to happen.

  The issue is one of choice and accommodating choice. In the case of Yahoo, French citizens are not obligated to visit the site. Similarly, Yahoo is not obligated to provide service in France. However, if French citizens want access to Yahoo's services, then they may well have to accept "speech" that is offensive to them. Still, before we rush to determine anything "impossible," we caution that there are many examples of differentiating access to services. The trick will be to find the ones that work for the "right" people at the "right" time. And before imposing one view upon the world, we strongly recommend systematic study of which services seem to require attention by what authority and what kinds of tools might be available.

6th June 2000

30   Robert E Kahn and Vinton G Cerf, What is the Internet (And What Makes It Work) (Internet Policy Institute, Briefing the President, December 1999), p 4. Kahn and Cerf co-wrote the TCP/IP protocol, which supports the inter-networking. The "Institute," as we presently know it, is the outcome of a rather long process in which many people can justly claim important roles. Our emphasis on the computer science reflects the engineering basis of the original network of networks.

31   The importance of trust has been pointed out by Marjory Blumenthal, Reliable and Trustworthy: The Challenge of Cyber-Infrastructure Protection at the Edge of the Millennium, iMP: The Magazine on Information Impacts (September 1999).

32   Napster Loses First Round in Court, RIAA/press releases.

33   Jeri Clausing, Report Proposes Update of Copyright Act, New York Times (May 22, 2000), p C-6.

34   John Gilmore, as quoted ibid.

35   The Social Security Agency was created in 1935. The agency provides retirement, medical (Medicare and Medicaid) and disability insurance for qualified beneficiaries.

36   For an interpretive look at the technologies and impacts of the Information Revolution, see Jeffrey R Cooper, The Emerging Infosphere (Center for Information Strategy and Policy, October 1997).

37   This trade off in the infrastructure between efficiency and vulnerability is discussed by Charles M Herzfeld, The Defense of Infrastructure, iMP: The Magazine on Information Impacts (September 1999), and Stephen J Lukasik, Protecting Information-Dependent Infrastructures, iMP: The Magazine on Information Impacts (September 1999).

38   Kurt Kleiner and Duncan Graham-Rowe, Go forth and multiply, New Scientist (13 May 2000), p.7.

39   Ibid.

40   Vijai Maheshwari, IT Pioneers Create Frenzy of Activity, Financial Times (19 May 2000), p 15.

41   Gordon Bell, The Next Killer App, iMP: The Magazine on Information Impacts (June 2000). [forthcoming]

42   Louis Trager, [email protected] (May 8, 2000).,6061,2562780-35,00.html. The point was echoed by David Lynch, World Tests US Net Dominance, USA Today (May 23, 2000), p 3B.

43   Jeetu Patel, Mark Schenecker, Gautam Desai, and Jason Levitt, Tools for Growth In e-Commerce, Information Week Online (December 7, 1998). http://www/

44   US Department of Commerce, The Emerging Digital Economy II (June 1999), p.5.

45   Nick Wreden, Cover Story, Beyond Computing Magazine, (November/December 1998).

46   See My Place or Yours? Computer Letter, February 1, 1999.

47   Gartner Insight, Vol 2, Issue #3-May 2000.

48   See, for example, Dan Caterinicchia and Natasha Haubold, The Dot-Com Invasion, Federal Computer Week Online, May 22, 2000; and Laurie J Flynn, Renting Software and the Skills to Go with It, New York Times (May 22, 2000).

49   Bronwyn Fryer, PC Subscription Services, Upside Magazine (May 2000), p 83.

50   Vijai Maheshwari, IT Pioneers Create Frenzy of Activity, Financial Times (19 May 2000), p 15.

51   We note, in this regard, that much of e-commerce rides on traditional practices and systems, in particular, fulfillment and preserving brand recognition and consumer loyalty. T J Grewal reports that two years into the race to go online, the challenge is "to fulfill the rights order, and do it on time." See T J Grewal, Not a Fulfilling Experience, Business 2.0 (May 2000), p 440. The importance of customer satisfaction, which e-tailers are coming to appreciate, was underlined by Allen Weiss in a story in Upside: "Profits in every business since, well, the beginning of business, depend for the most part on customer loyalty." The importance of the customer may be less true in business-to-business e-commerce, he goes on to say. See Allen Weiss, Shedding light on e-commerce, Upside Magazine (May 23, 2000).

52   See BROOKFIELD COMMUNICATIONS, INC., Plaintiff-Appellant, v. WEST COAST ENTERTAINMENT CORPORATION, Defendant-Appellee, No 98-56918 D C No CV-98-09074-CRM, Filed April 22, 1999, US Court of Appeals for the Ninth Circuit, Decision, May 14, 1999. Electronic Commerce and Law Report

53   Amy Friedlander, "In God We Trust; All Others Pay Cash": Banking as an American Infrastructure, 1800-1935 (Reston, Virginia: Corporation for National Research Initiatives, 1997).

54   This is an argument fundamentally about values and may be out-of-sync in a world that now demands econometric analysis of policy issues.

55   Many, if not most, Americans would further argue, rather convincingly, that centralised decision-making is, in fact, less efficient as well as more dangerous. See David Brin, The Transparent Society (Reading, MA: Addison-Wesley, 1998).

56   Anne-Marie Slaughter, Governing the Global Economy Through Government Networks, Seminar, The Carnegie Endowment for International Peace, Washington, DC, May 23, 2000.

57   See, for example, Allen Hammond and Jonathan Lash, Cyber-Activism: The Rise of Civil Accountability and Its Consequences for Governance, iMP: The Magazine on Information Impacts (May 2000). 2000/05-00hammond.htm

58   At the same time, civil society should demand that governments facilitate, not hinder, appropriate self-help measures. Unconsidered actions (such as the legislation (HR 2281) to conform US copyright law to the new World Intellectual Property Organization (WIPO) standards) can prevent private actors from carrying out legitimate and necessary information protection activities.

59   Only the best will do, New Scientist (13 May 2000), p3.

60   An authoritative summary of the early treaties governing spectrum allocation can be found in Christopher H Sterling and John M Kittross, Stay Tuned; A Concise History of American Broadcasting (Belmont, California: Wadsworth Publishing Company, 1990 [second edition]); and Susan J Douglas, Inventing American Broadcasting, 1899-1922 (Baltimore: The Johns Hopkins University Press, 1987).

61   We note that taxation is a complicated issue in the US, where the sales tax model, which is highly variable from jurisdiction to jurisdiction, does not map easily to the Value Added Tax characteristic of the EU countries. See Hal Varian, Taxation of Electronic Commerce, (Briefing the President, The Internet Policy Institute, April 2000). One solution that has been proposed is the creation of third party services with which online companies can contract to manage tax collection and remittance. This model of service delivery and governmental compliance invites the challenges described in the previous section.

62   Consider the example of seatbelts. First, not wearing seat belts substantially increases the likelihood of a driver losing control in an accident and causing damage or injury to other vehicles or bystanders. Furthermore, in an era of skyrocketing medical costs and third party or government coverage, the increased costs of expensive trauma injuries to the unbelted are transferred to the rest of the community. Similarly, when drunk drivers more often than not ran off rural roads and killed only themselves, most communities were prepared to tolerate this kind of reckless behaviour. When innocent pedestrians or occupants of other vehicles began to suffer significant injuries as a result of drunk drivers, many communities became rapidly less accepting of these collateral costs being imposed on the community as a result of individuals' reckless behaviour.

63   The Federal Intrusion Detection Network (FIDNet) has been described as "an automated correlation engine that can assist agencies in making sense of the voluminous alarm data from their intrusion detection services and other security devices such as firewalls." The fundamental idea is to allow agencies to share intrusion detection information as a means of enhancing the security of their information and information systems. See Thomas R Burke, FIDNet Tackles Computer Network Security, iMP: The Magazine on Information Impacts (February 2000). http://www/

64   Cogent objections and concerns to both FIDNet and ECHELON are exemplified by Barbara Simons, Building Big Brother, Communications of the ACM 43 (January 2000): 31-32. Re-issued, in iMP: The Magazine on Information Impacts (February 2000).

65   Lawrence M. Fisher, Xerox and Microsoft Create Digital Safeguard Company, New York Times (April 28, 2000), pC5.

66   Code War, (May 25, 2000). 

67   France Gags Yahoo on Nazi Bids, Wired News (22 May 2000),,1294,36504,00.html 


© Parliamentary copyright 2000