The Open Internet on the Brink: Renewing Domestic and Global Institutions

Technology Policy Internet Policy

The Open Internet on the Brink: Renewing Domestic and Global Institutions

Paper
Posted on: 30th September 2021
By Multiple Authors
Andrew Bennett
Senior Policy Analyst
Melanie Garson
Policy Lead, Internet Policy Unit
Bridget Boakye
Policy Lead, Internet Policy Unit
Max Beverton-Palmer
Director of the Internet Policy Unit
Akos Erzse
Associate, Government Advisory
Download PDF

    Key Points

    • In the face of authoritarian challengers and growing technological complexity, traditional internet-governance institutions are failing to maintain, coordinate and promote the open internet model that generates so much economic and social value.
    • Debates over standards such as DNS-over-HTTPS and China’s New IP proposal illustrate how technical fora are increasingly making global policy decisions for which they are ill-equipped.
    • Tech-diplomacy initiatives have grown in recent years, with leading countries using this as a new avenue to shape the geopolitical role of the tech industry and integrate digital and technology issues into foreign policy.

    If geopolitical incentives are failing to promote effective cooperation between key states such as the US and EU, what about institutions? Unfortunately, both domestic governments and international bodies are increasingly ill-equipped to deal with a governance environment that is becoming more and more complex. While the internet itself has developed rapidly, now evolving into new fields such as the “internet of things” and decentralised networks, the institutions of the Web 1.0 era are unprepared for being used as instruments of geopolitical ambition.

    Notably, there is wide consensus within internet-governance communities – be it from technical participants, national policymakers or industry players – that the current institutional model is broken. But reform is costly and time-consuming, even if all could agree on a new model. To provide a common understanding of these challenges, this section sets out how these institutions are broken and why reform is so hard.

    Internationally, today’s organisations have strengths that should not be disregarded, but the whole governance ecosystem needs significant overhaul to be effective in this more complex environment. At a domestic level, states also need to treat internet governance as a foreign-policy priority and adopt a coherent strategy that integrates existing programmes, domestic regulations and new forms of cooperation.

    International Institutions

    International Institutions

    As we set out earlier, there are several international institutions focused on developing and maintaining the technical aspects of the internet including security standards and communication protocols. In theory, anyone with a technically sound argument can participate in these discussions and decisions are made by consensus. The market then acts as a selection mechanism: if technological proposals are good and useful, they will be adopted; if not, they won’t. These characteristics combine to make up the “open, multi-stakeholder” model of governance that has enabled the internet’s extraordinary growth.

    However, these institutions were also never designed to cope with the machinations of geopolitical competition and an increasingly complex internet ecosystem. Organisations such as the International Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) represented the hope and optimism of the early internet, led by technical communities but with representation from civil society and some government actors. Yet many of these institutions are now falling short of what’s necessary.

    The most challenging issues are the lack of policy capability, authority and global representation of governance bodies. The lack of authority, in particular, enables geopolitical aggressors to go “forum shopping”: making proposals to multiple bodies in the hope they are taken up by at least one. This is an important constraint on the ability of today’s institutions to counter growing (geo)politicisation.

    Lack of Policy Representation

    Technical institutions have always embedded internet values, be they focused on privacy, security or openness. But technical decisions increasingly have significant consequences for policy, and states are limited in how they can shape these discussions. Indeed, forum participants with significant market power can both submit standards proposals and choose to implement those standards in services with billions of users. As such, there can be very little opportunity for states or civil society to intervene or raise policy concerns about these technologies.

    Case Study: DNS Over HTTPS (DoH)

    One recent example of the lack of policy representation in technical fora is that of DNS over HTTPS (DoH), a proposal which was developed at the IETF by a working group chaired by a representative from Google.

    The context for this proposal is Edward Snowden’s leaks about the surveillance of global internet activity by Western intelligence services. One technique that underpinned this was to intercept unencrypted DNS requests, which convert strings of text like “en.wikipedia.org” into an IP address like 208.80.154.224. In response, participants of the IETF proposed a new standard that would encrypt these requests at source to protect users’ privacy, stopping anyone from using this technique to inspect browsing activity.

    This approach, DNS over HTTPS (DoH), has now been implemented in many leading browsers, including Google Chrome and Firefox. Apple has also recently released Private Relay, a feature that encrypts traffic leaving a user’s device and routes it through multiple other internet relays, so that no one, including Apple, can see a user’s browsing activity. For intelligence agencies in the US, UK and elsewhere that have relied on this vulnerability for surveillance, including to identify illegal content such as terrorist and child exploitation and sexual abuse (CESA) material, these steps have created a problem.

    These technologies have significant benefits for user privacy. Whatever their merits, however, by undermining this technique and domestic policy lever, a technical forum on privacy – together with private actors who have commercial incentives – have set global policy without a wider public discussion of the associated trade-offs for online safety or democratic legitimacy.

    In general, IETF and other bodies’ commitment to non-prescriptive protocols ensures that the internet’s underlying architecture is secure, effective and free from political interference. The IETF should not be burdened with the weight of geopolitical policy, and the internet would not benefit by reactively intervening more directly in these fora, since preserving the neutrality of infrastructure lower down the stack is important.

    Nevertheless, it is also true that the status quo of policy decisions made in fora that cannot envisage, and are not accountable for, their full political ramifications is not sustainable. Unfortunately, the Internet Governance Forum (IGF), which is supposed to promote dialogue on these global internet policy decisions, also lacks the necessary authority to step in.

    Lack of Authority and Global Representation

    The IGF, a UN-affiliated organisation set up to promote global dialogue on internet policy and governance, lacks any real decision-making power. As such, it is routinely viewed as little more than a “talking shop” by both the biggest technology companies and nation states alike, weakening its relevance. Similarly, while the IETF and W3C are well-respected standards organisations, they are frequently competing for responsibilities with the International Telecommunication Union (ITU), another UN body, which undermines its authority.

    Case Study: China’s New IP at the ITU vs IPv6 at the IETF

    As participatory models that favour a free and open internet undermine the influence of countries with alternative objectives, authoritarian states are increasingly turning to UN-affiliated organisations with greater authority such as the ITU for standards-setting.

    For example, as the number of internet-connected devices worldwide grows, the current IP address system – IPv4 – will run out of addresses. The IETF, which is primarily responsible for internet standards, has proposed a new system called IPv6. However, China has used the ITU to promote its competing New IP proposal, after it was originally rejected at the IETF and elsewhere.

    This battle is a microcosm of the more assertive steps on standards and infrastructure that the ITU has been taking since 2012, following the World Conference on International Telecommunications 2012 (WCIT-12), which expanded the ITU’s mandate beyond telecommunications to encompass the internet. This move was criticised by the European Parliament, the US House of Representatives, the Electronic Frontier Foundation, Google and others as a land grab by the UN at the expense of the existing multi-stakeholder model.

    Although the IETF and similar bodies are nominally open fora, in reality they have very high barriers to entry in terms of time, resources and technical expertise required to participate. In contrast, the IGF and ITU are among the few fora where the global internet community, and particularly those from under-represented countries, have a voice. This is one variable where the dominant multi-stakeholder model is falling short.

    However, voting rights at the ITU, a UN body, are only available to member states. While industry, civil society and the technical community can participate – for example, China’s New IP proposal was ultimately submitted by a group containing private (Huawei) and state-owned companies (China Mobile, China Unicom) as well as the Ministry of Industry and Information Technology – decisions are led by states. As such, despite its strong global representation, empowering the ITU further risks enabling more attempts to co-opt standards settings for geopolitical objectives at the expense of the wider internet ecosystem. Indeed, China’s New IP proposal was originally rejected at the open, multi-stakeholder IETF, but was taken up by the ITU – most likely due to the stronger influence China had there. This illustrates how co-opting standards decisions into geopolitical fora can undermine the quality-assurance role of a market-led, standards-setting culture.

    Figure 14 – Key council working groups at the ITU favour states with less liberal internet models

    ITU Leadership

    China (Secretary General)

    UK (Deputy Secretary General)

    Internet Policy

    Saudi Arabia

    South Africa

    Paraguay

    UAE

    India

    Azerbaijan

    UK

    International Telecommunication Regulations

    Zambia

    Ivory Coast

    Canada

    Egypt

    China

    Russia

    Netherlands

    SDGs and annual World Summit on Information Society

    Russia

    Rwanda

    Brazil

    Saudi Arabia

    Iran

    Azerbaijan

    Poland

    The Six Official (UN) Languages

    Tunisia

    USA

    Kuwait

    China

    Russia

    Spain

    France

    Child Online Protection

    UAE

    Nigeria

    Disney (sole corporate member)

    Jordan

    India

    Azerbaijan

    Italy

    ITU Financial & Human Resources

    United States

    Senegal

    Bahamas

    UAE

    India

    Russia

    Czech Republic

    Cost recovery for Satellite Networks

    Russia

    Egypt

    USA

    Saudi

    China

    Kazakhstan

    Romania

    Strategic & Financial Plans for 2024-2027

    France

    Kenya

    USA

    Kuwait

    China

    Russia

    UK

    Informal Expert Group on annual World Telecommunications Policy Forum

    Italy

    14

    Source: ITU

    The Impact of Failing Global Institutions

    The lack of effective, global internet institutions has forced global technology policy to be increasingly decided in sub-standard fora. For example, Mark Nottingham, the co-chair of the IETF HTTP Working Group, has argued that regulators in the UK and US are becoming de facto internet-governance institutions by setting or overseeing the implementation of privacy, ad tracking or interoperability standards by large technology companies. These regulators are acting without any of the constraints of the community and consensus-based governance model, and all the incentives of national regulators (which tend towards divergence or power-hoarding).

    Some discussions have also been pushed into “minilateral” trade negotiations, rather than being agreed at a higher or global level. The US, for example, used the United States-Mexico-Canada Agreement (USMCA) to enshrine liability protections for technology services internationally, akin to its domestic Section 230 law that limits intermediary liabilities. This would also likely affect UK plans for an Online Safety Bill, if the US and UK were to begin trade negotiations. Putting the merits of Section 230 aside, bilateral trade agreements are a poor way to achieve alignment on technology regulations with global impact.

    Prospects For Reform

    While there is wide consensus that many internet governance fora are broken, reform is challenging because:

    • The time and costs involved in a sufficiently radical reform process make achieving a successful outcome very hard
    • Broader geopolitical tensions may undermine agreement on a new proposal
    • Existing institutions have strengths and expertise that are critical to the working of the internet ecosystem, and which should not be lost in the process
    • Many nation-states are already over-extended, leading to reluctance to create any new fora that might duplicate existing discussions.

    One promising idea has come from a recent consultation led by the UK–China Global Issues Dialogue Centre at Jesus College, University of Cambridge. This proposed a new ecosystem oversight body modelled on the Intergovernmental Panel on Climate Change (IPCC). Like the IPCC, this would leverage technical expertise from across governments, industry and civil society to increase transparency and common understanding of the issues, threats and opportunities, as well as the specific threats facing the global internet. Given this early-warning system does not yet properly exist, and thus would not duplicate any existing institutions, establishing an “IPCC for the internet” would be a no-regrets move.

    For advocates of broader institutional reform, the IGF is a cautionary tale. Established in 2006, it was supposed to be the new institution that resolved the governance challenges of the day. However, in recognition that it has fallen short of promoting action over debate, diplomatic momentum is now building behind the UN’s 2020 Roadmap on Digital Cooperation proposal of a new “Internet Governance Forum Plus” (IGF+) model. This would include:

    • Formal anchoring of the IGF within the UN, with responsibility for the IGF moved to the office of the UN secretary general
    • New organisational units including an advisory group, cooperation accelerator, policy incubator, and an observatory and help desk. With membership coming from industry, government and civil society, these units intend to promote actionable outcomes by coordinating with, and feeding into, other key governance bodies.
    • A new IGF trust fund to promote financial sustainability. This would be a voluntary funding mechanism, with governments, international organisations, businesses and the tech sector encouraged to sustainably support the IGF for the long-term.

    Support has been building for this proposal, with the European Commission’s Executive Vice President Margrethe Vestager recently calling for a revamped IGF. By seeking to address the lack of policy capability in particular, if the new model can live up to expectations then the internet ecosystem will certainly be better off. These reforms would also be consistent with the results of the 2020 We, The Internet global citizens dialogue, which indicated strong support for a multi-stakeholder and global approach in internet governance among global internet users. However, given that the most geopolitically important technology companies have traditionally taken minimal heed of the IGF, even a reformed version would have a long way to go to establish its authority.

    Figure 15 – Key institutions today fall short on representation and policy, creating a critical governance gap

     

    Standards bodies (e.g. IETF, W3C)

    “Minilaterals” (e.g. G7, Five Eyes)

    ITU (UN)

    IGF (UN)

    IGF+ (UN)

    Technical Expertise

    Policy Capability

    Global Representation

    Effective Structures and Cultures

    Authoritative

    Reliable Funding

    Key:

    No

      Uncertain

    Yes

    Source: TBI summary of analysis and expert interviews

    Domestic Capability

    Domestic Capability

    Domestic state capacity also matters because many government departments – from cybersecurity and military agencies to ministries focused on foreign and digital policy – have a stake in shaping both national regulations and international cooperation.

    Some states, such as the UK, have the necessary expertise to promote their interests in the international institutions that govern the internet ecosystem. But all too often, this expertise either isn’t empowered to shape decision-making or is not connected with other work across government. This is both a structural and a strategic problem.

    On the structural, elsewhere we have made the case that countries should have an integrated Digital, Data and Technology Department to better align digital policy and delivery. However, in global internet governance and geopolitics, there are foreign-policy aspects that even this department could not reasonably manage. The internet has created new global power dynamics and new types of conflicts while challenging norms around sovereignty and the liberal idea of global interdependence. It is therefore the responsibility of foreign ministries to articulate a comprehensive, coherent and holistic strategy that grasps this new context, articulates priorities, and resolves the clashes that arise between traditionally siloed government departments.

    To that end, countries including Denmark, Australia, France, Switzerland and the Netherlands have all designed digital foreign-policy strategies to take a more holistic approach to the intersection of tech and foreign-policy objectives. This has included creating new diplomatic structures such as tech ambassadors, improving skills, ensuring collaboration between national government departments and promoting multi-stakeholder initiatives.

    TBI analysis has identified 27 jurisdictions (including the EU) that have established some form of tech-diplomacy initiative to varying degrees of maturity. (In November 2019, the UAE also announced plans to establish an Ambassador for the Fourth Industrial Revolution but the status of this is currently unclear so it is excluded from the list below.)

    Figure 16 – Global tech-diplomacy initiatives

    Country or territory

    Tech diplomat

    Dedicated foreign affairs entity

    Dedicated strategy

    Notes

    Australia

    Yes

    Yes

    Yes

    -

    Denmark

    Yes

    Yes

    Yes

    -

    Estonia

    Yes

    Yes

    Yes

    Estonia's foreign policy strategy contains a Digital Agenda, including a Cybersecurity Strategy.

    Germany

    Yes

    Yes

    Yes

    Cyber Foreign Policy Coordination Unit set up in Federal Foreign Office in 2011.

    Switzerland

    Yes

    Yes

    Yes

    -

    Austria

    Yes

    Yes

    No

    -

    Canada

    Yes

    Yes

    No

    Unit in Global Affairs Canada is focused mainly on cyber security, but SF Consul General is a 'digital diplomat'.

    Czech Republic

    Yes

    Yes

    No

    Special Envoy and his unit in MOFA is focused on cyber security

    China

    Yes

    No

    Yes

    PRC embassies and consulates in 52 countries have 'science and technology diplomats'

    France

    Yes

    No

    Yes

    -

    Finland

    Yes

    No

    No

    Has a cyber security strategy with minor international aspects. Ambassador focused on security

    Hungary

    Yes

    No

    No

    -

    Kazakhstan

    Yes

    No

    No

    -

    Lithuania

    Yes

    No

    No

    -

    Malta

    Yes

    No

    No

    -

    Portugal

    Yes

    No

    No

    -

    Slovenia

    Yes

    No

    No

    -

    United Kingdom

    Yes

    No

    No

    -

    Israel

    Yes

    No

    No

     

    USA

    Planned

    Planned

    No

    Government is planning on establishing Bureau of Cyberspace Security and Emerging Technologies. Will be headed by Ambassador-at-Large.

    EU

    Planned

    No

    Planned

    Estonia, France, Germany, Poland, Portugal and Slovenia produced a non-paper with proposals for EU's future cyber diplomacy.

    India

    No

    Yes

    No

    New Emerging and Strategic Technologies (NEST) Division set up in January 2020.

    Japan

    No

    Yes

    No

    Entity is the Advisoy Board for the promotion of Science and Technology Diplomacy.

    Netherlands

    No

    No

    Yes

    Start-up liaison personnel based in Silicon Valley, but excluded given that it is not a formal diplomatic position or outpost.

    Norway

    No

    No

    Yes

    -

    Spain

    No

    No

    Planned

    Strategy under development. "National Technology and Global Order Strategy will diagnose the role of technology in power relations between States with an effect on conditions of progress and society as a whole."

    Ethiopia

    No

    Yes

    No

     

    Source: TBI

    Crucially, this capability is as much about enabling states to stop initiatives not in their interests as it is about promoting positive initiatives. For example, Russia is currently working to move responsibility for cybercrime from the Council of Europe to the UN, while China would like the ITU to play a greater role in internet governance at the expense of industry-led technical forums that favour the West. Both of these steps would disempower institutions that support Western values, but resistance will fall short without effective state capacity.

    An integrated strategy, which takes technology policy seriously as a foreign-policy priority, can provide a guiding framework that empowers different teams within governments to look ahead and identify capabilities that are missing or will be in demand. It would also highlight whether technical representatives in global governance fora are sufficiently well-equipped to take on geopolitical debates, and where like-minded allies can cooperate to stabilise the internet ecosystem.

    Charts created with Highcharts unless otherwise credited.

    Find out more
    institute.global