Layerless Internet Governance: In Search of Internet Infrastructure

Content governance at the Internet infrastructure level is gaining some traction and Techdirt, EFF and a few others will hold a session on October 6th. This event is a good excuse for this blog but I have a slightly different approach. I looked at the infrastructure governance with a more holistic lense. It is still possible to make a system of governance for Internet infrastructure – one that ensures an open, interoperable and global Internet. It is still possible to even affect the governance of platforms positively by good governance at the infrastructure level. But first we need to find the Internet infrastructure we keep talking about, determine how it has evolved and how and whether non-infrastructure elements have affected it. 

Facebook/Instagram/WhatsApp went down a few days ago, because of  a Border Gateway Protocol misconfiguration. Facebook had updated its BGP incorrectly. BGP allows one network that is part of the Internet to talk to other networks on the Internet.Since the BGP is a part of Internet infrastructure, there are arguments that this was an Internet infrastructure shortcoming and that centralization of Facebook is the centralization of the Internet. Which I totally disagree with but it sets the scene for addressing a critical issue: what is and where is this Internet infrastructure to govern?

I think Internet layering is partly at fault for making Internet infrastructure obscure. Some believe that the Internet has various layers. Those actors closer to the bottom layers are seemingly the operators of Internet infrastructure. For example, the Internet Service Providers are one operator of Internet infrastructure. Closer to the top of the stack, in the application layer, there are online platforms. Customarily these platforms were not known as Internet infrastructure. The distinction was so popular that we built the field of Internet studies partly based on it: some just study content-moderation/governance on online platforms. Some work on Internet infrastructure governance. The problem is that as the Internet and Internet-related technology evolve, the layers won’t help us much with identifying Internet infrastructure.

Setting the layers aside, I define Internet infrastructure as “Operators and service providers of the Internet that control, modify and affect the entire or substantial part of the presence of users on the Internet”. For now, we can see three kinds of Internet infrastructure emerging: 

1. Internet infrastructure by way of architecture:

Internet infrastructure through architecture: it is infrastructure as a part of the current architecture of the Internet. This kind of Internet infrastructure is more or less easy to identify. Their impact on online presence is immediate and far-reaching on the Internet. Most of the operators of Internet protocols, Internet Service Providers, Content Delivery Networks, domain name registries and registrars, and the like belong to this category of infrastructure. 

2. Internet infrastructure by way of policy:

Some platforms and Internet services can become a part of infrastructure through policy. This is a much harder category to define. For example, Apple (by way of policy) has a set of criteria for the apps in its App Store. If the apps do not meet the criteria, they cannot be on the App Store and iOS users have limited or no access to them on the Internet. In this instance, the App store has become Internet infrastructure because it can limit the Internet presence of certain services and Apps for the entire population of iOS users. Apple here is the gatekeeper for using that service “on the Internet”. When it approves an app, the App operates separately and does not exclusively use the App store’s network. So even if the App store goes down, approved and downloaded apps do not have a disruption in their service. 

Another example is the authentication account provided by tech-corporations. If certain integral online services and apps solely work through authentication accounts that Google or Facebook provide (via the OAuth protocol), these accounts also can be a part of Internet infrastructure. 

3. Internet infrastructure through collective action:

Various actors get together and adopt a policy that affects the Internet and Internet services. This kind of Internet infrastructure can hamper access to services on the Internet through collective action. An example that we have warned against in a blog about upload filter, is tech-corporation consortiums such as the Global Internet Forum to Counter Terrorism that might mandate certain features such as upload filters for online platforms that can become a part of Internet architecture.

Another example (that might be debated) is online payment intermediaries that collectively stop facilitating transactions that are vital for the existence of certain online platforms to function on the Internet. When there are no alternatives, it might lead to the service providers’ diminished Internet presence. 

Inspiring Governance

Early Internet infrastructure governance inspired a lot of the current platform governance models. The take-downs, site integrity and spam, in general, many of the top-down governance mechanisms have remained. Also, content policy dialogues have started paying attention  to multistakeholder governance, which was a fundamental feature of Internet infrastructure governance at least for domain names. 

With innovative governance at the infrastructure level, we can inspire better governance on platform level. Platforms such as Mastodon and Fediserve both have similar design to distributed, open and interconnected Internet infrastructure. 

Good governance of Internet infrastructure because we are not yet at a walled garden stage. A fundamental difference between Facebook’s market infrastructure and Internet infrastructure is that Internet infrastructure allows people to build other Internet services on top. Facebook rents you an office (it chooses the color, desks and everything else), but Internet infrastructure gives you a global virtual land. On the Internet, in an ideal world, people can have their own data servers, can build their own chat function, or can build (who would have thought) their own website. There is still hope for innovative governance at the infrastructure level well beyond content governance. 

 

Shall we resume dreaming? Decentralized web and decentralized governance 

The Internet and the world wide web are not the same thing. First, there are parts of the Internet that are not the web (the most obvious of which is email). But second, even though the web as a whole is decentralized, the design of the web is not technically a decentralized technology in the way some other Internet services are. That has had many implications for digital governance. 

In a recent paper I co-authored with professors Meares and Tyler, we include a brief history of how, gradually, communities and autonomous decision-making on the Internet turned into a centralized, top-down governance on social media platforms. One reason we have identified is the “centralized” nature of the web. (P.26) Before the web became popular, services such as Usenet operated in a decentralized manner. Multiple Internet site operators had a role to play in governing the space and it was not possible to take control of an entire operation. Attempts to impose central control resulted in people objecting and setting up alternatives.   

When the web started becoming popular, its comparatively centralized technology encouraged centralization of content and a more top-down governance approach. However, note that it was still possible to have a decentralized governance on the web and early on, platforms such as Slashdot and Wikipedia continued using a community-based governance on the web (they still more or less do). Gradually, however, new platforms emerged with a tendency to be more and more centralized. It was the website owners who would decide the governance of that site, and it is costly to set up alternatives to a site if a governance mechanism is not desirable. Economically, it was also in these platforms’ interest to keep users inside their “ecosystems”. It was easy to predict that the centralization and top-down governance approaches and the disappearing communities would eventually happen. But the question is, how innovative are we in our technological and governance approaches that can create a decentralized digital space?  

Perhaps we should be more creative than just arguing for tired content moderation governance systems and arguing with social media platforms about who is “really” in charge and keep bringing up platform responsibility. Maybe decentralized technology can help us with solving some of the contemporary social media platform problems. Last week at the Unfinished Live event Jonathan Dotan (Starling Lab) gave an excellent and powerful presentation on a new paradigm for preserving history and human rights. By creating a new “web” protocol that is decentralized, it might be more feasible to create trust in the digital records of human history— for example to preserve the accounts of a holocaust survivor or an Afghan Taliban victim. They intend to provide a way to create a chain of custody, store data in a decentralized way that cannot be manipulated or altered (but that doesn’t necessarily need consensus) and provide the ability to verify data without having to trust the source. Imagine if, instead of tech-giants, the nodes (i.e. humans) were able to authenticate a piece of data and store it.

These kinds of initiatives are worthwhile to follow as they are very issue specific and, unlike other claims about decentralized technologies, they are not too abstract. However, one thing that I think we should stop doing is to separate decentralized governance from decentralized technology discussions. The combination of decentralized governance and technology might be an answer to some of the digital problems we are facing. Perhaps MacKinnon’s thought piece about governance of Web3 is a step in that direction.

Peripeteia with a song: Afghanistan’s access to IP addresses

As I mentioned in the two previous posts about .AF and generic domain names, sanctions might affect Afghanistan’s access to Internet infrastructure. In this last part of the trilogy, I am going to discuss Afghanistan’s access to Internet Protocol addresses. As a concluding remark, I invite all of us (the Internet community) to address these hurdles to the global Internet more systematically.

Part III: Afghanistan’s Internet Protocol Addresses 

Computers on the Internet address each other through long strings of numbers. Those numbers are Internet Protocol addresses (IP) and Autonomous System (AS) numbers. Sanctions that curtail the distribution of IP addresses might have a much bigger and deeper effect on Afghanistan’s access to technology and the Internet than any sanction on for example domain names. When a domain name goes offline, you can’t get to resources in that domain name, but the computers affected can get out to the Internet. If IP addresses are removed, then they do not work on the Internet at all, which means whole Internet Service Providers can be taken offline.

IP addresses are assigned to those requesting the addresses in blocks. The block assignments are managed by Regional Internet Registries (RIRs), who work in different geographic regions of the world: ARIN for North America and the Caribbean, LACNIC for Latin America, RIPE NCC for Europe and the Middle East, AFRINIC for Africa, and APNIC for Asia-Pacific.  Each of these organizations has a legal corporate existence somewhere. The party who receives the assignment is usually called a Local Internet Registry or LIR.

Suppose that the Taliban are the government of Afghanistan and the entire country comes under economic sanction from other countries. In that case, it may be challenging for an RIR (in this case, APNIC) to deal with people inside Afghanistan. We have seen this already in the RIPE region, which includes Iran and Syria.

RIPE NCC has been dealing with political and now bigger legal problems, because it serves countries sanctioned by the government of the Netherlands. RIPE NCC is an association under Dutch law, and so it has to obey sanctions under those laws. That is bad news for Internet operations in Syria and Iran.

APNIC is incorporated in Australia, so it needs to follow Australian laws. If the government of Australia (or the UN Security Council) decides to impose sanctions against Afghanistan, then APNIC will be restricted in the services it can provide to entities in Afghanistan. So, entities in Afghanistan seem likely to have a hard time getting new blocks of IP addresses, and it is even possible that the maintenance of existing blocks could be affected. You can see from this list that Australia already has sanctioned the Taliban when they were in power (or followed the UN rules about that), and in the past had even sanctioned ministries (commerce and agriculture for example).

To clarify the issues APNIC might be grappling with in the future, it helps to break down the nature of services that APNIC offers to the Local Internet Registries:

–  Membership contract: the RIR signs a contract with LIR and charges them an annual fee. This relationship might be categorized as “transactional”. Transactional relationships, especially when banks are involved, are likely to be subject to sanctions.

–  IP addresses as assets: the UN sanctions against Taliban has provided a list which imposes sanctions on some Taliban entities and individuals’ assets. If IP addresses can be categorized as assets, then according to the sanction’s rules APNIC has to freeze them (repossess them in this instance). RIRs generally try to treat IP address assignments as something other than assets. Courts have not always followed that lead, and there is a robust “secondary transfer market” in IPv4 address space.

–  Maintaining registration of IP addresses: it is unclear whether maintenance of the registration service is providing services and affected by sanctions. Since maintenance of registration requires some sort of financial and membership relationship, it may well be classified as an ongoing service and affected by the sanctions.

There are ways to resolve these problems through, for example, asking the UN to delist entities that are not terrorist organizations anymore. The Australian government also allows applications for a permit to serve those countries. Yet even a permit from Australia or being delisted from the UN sanction list might not fully solve the problem.The location of APNIC might not shield them from difficulty if the US decides to impose sanctions independent of any other country (and Taliban is already in the sanction list). Unfortunately, the US sanction system affects a host of intricate networks from banks to transactions with third parties. Many commercial parties are risk averse, and simply close their services to sanctioned countries’ residents even when sanctions do not apply to those residents. It is entirely possible that banks won’t allow transactions with Afghanistan, because no bank in the world can afford to forego operations in the US.

There are other third party problems that might arise. For example, the IP addresses could be reallocated to sanctioned entities via third parties.  This is much similar to working with informal financial organizations that facilitate transfer of money from sanctioned entities. One answer to this might be that APNIC will not be responsible for third party action, but successful investigations might oblige APNIC to repossess the registered IP addresses.

Concluding remarks:

We have known about the problem of sanctions and how they affect access to Internet infrastructure for many years. But we have never addressed it systematically.  Neither have we tried to create a coalition that can help to ensure all people’s access to infrastructure. We need a holistic plan to work with governments in order to overcome these risks, perhaps through granting of general licenses or through transnational solutions. What we must not do is solve these issues one by one anymore.

 

Tragedy part II: the fate of .AF

In the last post I discussed Afghanistan’s access to generic domain names. In this post, I will talk about how the Taliban takeover can affect access to .AF, Afghanistan’s Country Code Top Level Domain Name. 

Country code TLDs (or ccTLDs) were originally assigned on the basis of an International Standards Organization (ISO) standard, ISO 3166. The Internet Assigned Numbers Authority made this decision before ICANN came into existence. The idea was that there was already an existing process in the world that decided what a country was and how it should be identified, so the Internet community did not have to solve that problem. A few years ago ICANN extended the meaning of ccTLD to include internationalized versions of country names (that is, labels that are written in characters other than the ASCII that ISO 3166 uses). Those assignments still rely on the existence of an entry in the ISO 3166 standard, however. The country code TLD for Afghanistan is AF.

One interpretation of ICANN policies is that sanctions will not affect the ccTLDs, therefore they might not affect the redelegation of .AF. In delegation and redelegation of ccTLDs, ICANN has traditionally maintained a neutral role, and it normally does not adjudicate directly. It prefers to rely on decisions made by local actors. IANA resolutions that declare the delegation or redelegation of a ccTLD are generally rubber-stamping local decisions. IANA has a standard process for this, documented at this link. It does have certain requirements that might not be purely technical (for example, it requires multi-stakeholder support for the redelegation), but it does not proactively negotiate with the parties or facilitate the redelegation. Sometimes if it cannot evaluate the multistakeholder local support, it still goes ahead with the approval of the delegation. Over the years, the operators of ccTLDs ensured this neutrality and hands-off approach so that ICANN and its Government Advisory Committee would not get too involved in delegation and redelegation decisions. Given that the Afghan Ministry of Communications runs the .AF registry, if the Taliban takes over the ministry of communications, there is a possibility that they will thereby receive control of .AF. 

It is also possible that, even if there is a legal dispute against Afghanistan in the US, .AF won’t be affected. There is jurisprudence about the delegation of ccTLDs. Once, in the US, terrorist victims wanted to attach .IR to the victims as an Islamic Republic asset, but the court ruled against the attachement (see Weinstein v. Islamic Republic of Iran et al., No. 14-7193 (D.C. Cir. 2016).  Also see Mueller and Badiei paper about the attachment of .IR

There are, however, other scenarios to think about:

Issue 1: If the operator of .AF is in the Specially Designated Nationals (SDN) list, the legal arguments that worked to protect the .IR operator might not work in this case. At the time of the court ruling, the Iranian registry operator was not in the SDNl list. It is unclear whether the .AF operator will be on the SDN list. But if the Taliban operator is on the SDN list, claimants can use it as a legal argument in court to remove the delegation of .AF. However, it  is unclear whether the court admits such an argument.

 

Issue 2: If there are technical issues or a redelegation request does not provide ICANN with the correct documentation, it is possible that .AF goes dormant, i.e. no one will operate it. In fact .AF went dormant between 2000 and 2003. ICANN in several cases has not delegated or redelegated the ccTLDs due to incomplete requests or simply due to the fact that there was no local person that responded to ICANN and provided documentations. For example, it was not until 2007 that ICANN assigned North Korea’s ccTLD. Their application in 2004 was not complete. In 2007,  a German affiliate of the Korea Computer Center submitted a request for delegation which the Board decided to approve. 

 

All in all even when it comes to ccTLD redelegation, which is supposed to be a more or less straightforward process, the situation is complicated and .AF’s fate is unknown. 

In the next and last part of the trilogy, we will discuss Afghanistan’s access to Internet Protocol addresses.

A Trilogy: the tragedy of Internet infrastructure in Afghanistan

The US and other countries have imposed economic sanctions against certain target countries, such as Syria and Iran. These sanctions have had negative consequences for access by the residents of those target countries to a variety of Internet services. Over the years these  sanction laws applied to the Internet more fiercely. The dream of an open, interconnected Internet is fading. Now that the head of the newly established Taliban government is on the UN sanction list, it seems likely we are now going to add another sanctioned country to the list: Afghanistan. 

There are a few infrastructure elements in Afghanistan that sanctions can affect: generic domain names, country code domain names, and Internet protocol addresses. I will cover these areas in three different blogs. For now, we can talk about what will happen to access to Generic Top-level Domain Names.

Part I. Generic Top-level Domain Names 

The Internet uses a system called the Domain Name System (DNS) to make things on the Net accessible to humans. (If you are reading this blog, you likely already know this, but I’ll include it for completeness.) Computers on the Internet address each other through strings of numbers, which are hard for humans to remember. So, for convenience, the DNS maps those numbers to easy-to-remember names like “digitalmedusa.org”. The DNS is hierarchical, so that different people can administer different parts of it. Each “dot” in a domain name is a place where a new person can take over administration in a new “zone” (this is optional, not required). The part at the end (each part is called a “label”) is called a “top-level domain name” because it is at the “top” of the hierarchy. Because on the Internet nobody likes to speak in words when a bit of jargon can make things harder to understand, “top-level domain name” (for example .ORG) is usually shortened to “TLD”.  All the TLDs are in a special zone called the root zone, and this zone is administered by the Internet Corporation for Assigned Names and Numbers, or ICANN, as one of the functions of the Internet Assigned Numbers Authority (IANA).  ICANN is incorporated in the US, which is significant for this topic.

Generic domain names are domain names that are not assigned on the basis of country. Some have been around for a long time, such as .COM. Others are pretty new, such as .MARKET. While the original TLDs were created before ICANN came into being, the new TLDs were all created according to ICANN processes.  Those processes imposed common contractual terms on the registry operators, as well as on the accredited registrars for registering names beneath these TLDs.

Afghan domain name registrants will most likely face the same problems people in Iran and other sanctioned countries face. Problems that I elaborated some years ago, such as confiscation of domain name or forcing a well established business to move, or just ending the domain name with no proper notice. New generic domains registries often have a direct relationship with the registrants, and so  have to apply sanctions to those registrants. Sometimes the legacy domain names (such as those ending in .COM) also are taken down through court order . 

Unfortunately, due to what might be called private sector over-compliance, the issue is not just limited to the US government block list (or specific sanctioned entities and individuals). Businesses are so risk averse that they don’t even give a chance to normal people living in sanctioned countries to operate their domain names.

Who is going to be cautious from now on dealing with Afghan residents? .NGO, .ACADEMY, .MARKET and a whole host of registrars.

We could have solved this problem by receiving a license from the Office of Foreign Assets Control (OFAC). But unfortunately, many actors I have talked to pass the ball to someone else until it finally gets to ICANN. We asked ICANN in a consensus report to file for a license a few years ago, but nothing seems to be happening on that front.

This was the first of the trilogy. Next time we will talk about the .AF fate.

Farzaneh Badii

Threatening Social Media Platforms With Traffic Throttling

Recently, I prepared a lecture for the Asia Pacific School of Internet Governance. In midst of my research, came across an old piece of news. Last year, Facebook claimed that it had only agreed to comply with the Vietnam requests to take-down anti-state materials, because the government had threatened to throttle traffic to Facebook. Content-removal, automation of take-downs etc are not the only ways that the governments and other actors regulate social media platforms. One aspect that I think we should think more about is the role of governments in regulating social media platforms via Internet infrastructure. When governments have the liberty to use Internet infrastructure to regulate the actors on the Internet, then we need to think about the appropriate ways that social media platforms should respond to this. Should they, like Facebook, agree to government requests in the face of such threats?

US tech sanctions leave all Iranians in the dark

“Sanctions on digital products and services make the ‘foreign enemy’ syndrome more severe and a more effective tool for isolating the country even further. It is the foreign enemy that doesn’t want you to talk to your kids abroad on Google Talk, it is not the government,” said Farzaneh Badiei, director of the Social Media Governance Initiative at Yale Law School.

“Another problem is these kinds of sanctions legitimize the concept of a national internet. The government can argue that we need to be able to assert sovereignty over the internet so that we’d be self-sufficient and not need them. In reality, they want to create a national internet so that civil society’s access to a global internet diminishes,” she told Asia Times.

Kurosh Ziabari

Asia Times

Copyright trolls are out in force around the world. And the pandemic is their perfect excuse

Farzaneh Badii, (former) Executive Director of the Internet Governance Project at Georgia Tech in Atlanta, agrees, saying that the “rationale behind their actions is to generate revenue. They use and lobby for laws they can make profit from and the positive effect of these laws and harsh enforcement on the society is unfounded and mostly anecdotal.”

In Germany, explains Badii, “the wifi providers and ISPs are liable for copyright infringing if their service is used to commit the infringement.” Meanwhile in the US there are several methods lawyers use to go after alleged copyright infringements and users.

“In some jurisdictions they have to get a court order or some other legal order to get the personal information. They might also go through an easier and faster process (like a government agency tribunal). If the personal information is not protected by appropriate laws, the ISP might hand in the personal information even without a court order. And in some jurisdictions the ISP has to send the notice the lawyer has sent to the alleged copyright infringer,” explains Badii.
Badii comments that copyright trolls will tell you that “they want to protect the rights of the authors, that copyright is good for innovation and creativity! Some claim that they are protecting the Internet from dangerous materials, they argue they want to keep us safe.”

But when they use such excuses, Badii notes, “I imagine Fake Gucci bags attacking the Internet.”

Raphael Tsavkko Garcia, CyberNews

Why the NYT thinks Russia hacked Burisma — and where the evidence is still shaky.

Farzaneh Badii, former executive director of Georgia Tech’s Internet Governance Project, classifies weak attribution as “circumstantial evidence that can be technically questioned.” She sees it as a global problem and has advocated for international attribution groups that could solve the deadlock, so observers wouldn’t have to rely on private companies or government intelligence agencies. Without that, the problem of trust can be difficult to solve.

“States mostly fund cyber attacks through individual contractors and do not carry them out themselves,” Badii says, making state actors and private criminals difficult to distinguish. If you’re worried about governments ginning up a case for war or private companies grasping for headlines, that problem only gets worse. “Attribution companies are not forthcoming and transp

arent about all of their methods for undertaking attribution so it is not easy to assess their attribution mechanism.”

Author: Russel Brandom

The Verge