Digital trade protectionism does not protect workers rights and could cost us the Internet

Cross-border data flows and, as a result, the global Internet are being threatened by usual and unusual suspects. Some nation-states have proposed for some time digital sovereignty laws. But now, even governments that have been advocates for the global Internet are changing course. Think tanks and others who were in favor of the global and interoperable Internet also have turned against it. On top of all this, those opposed to digital free trade have once again risen, with the same tired arguments: cross-border data flow is bad for workers’ and people’s rights. This blog is hopefully a first step to start a conversation that reminds us of the myriad benefits of a global Internet that allows cross-border data flow. It will also provide a few counter arguments for the America’s Unions (AFL-CIO) digital trade agenda published recently. Let us be clear: ordinary workers have faced trouble in recent decades. But the AFL-CIO proposals are detrimental to the global Internet and Internet connectivity. Worse, they are not likely to protect the tech workers the AFL-CIO wants to protect.

Back in 2017, some civil society organizations, including some labor unions, allegedly spoke on behalf of “the global civil society” and argued that the prohibition of WTO on data localization as a trade barrier would disallow countries from coming up with laws to protect the public interest and protect privacy and other fundamental rights. These arguments resurfaced again recently as Biden’s administration announced a worker-centered trade policy.

The recent AFL-CIO workers’ agenda starts from the mistaken premise that governments cannot regulate data or big tech companies because of digital trade policies. This, it says, leads to lack of protection for workers. Digital trade agreements do not prohibit countries from regulating data or any digital services and products. Every year, there are myriad of laws and regulations around the world that increasingly regulate data and tech companies: consider Europe’s Digital Market Act and Digital Services Act, or India’s IT Act, for example. As UNCTAD reports, 71% of countries worldwide have come up with data protection and privacy legislation.

The workers’ agenda is filled with assertions that trade agreements do not consider workers and people’s fundamental rights and the agenda presents data localization and more regulation as the solution. One argument is that digital apps and social media platforms have eroded privacy. However, trade agreements, unlike human rights instruments, can be effective and binding. Civil society groups have even used trade agreements and regional economic cooperation groups such as Asia-Pacific Economic Cooperation to advance privacy in cross-border data flow.

Data localization measures tend to work for the benefit of existing, vested interests and against those who might try something new. It is not clear how such measures will make the Internet become a healthier space.

This takes us to the other argument made in the statement that implies to care about workers’ creativity. To protect their creative rights, it asks for more aggressive copyright protection and less fair-use that supports the interest of creators. Fair use is the mechanism used by creators to assert their rights in the face of large, well sourced corporations. It is unclear how eroding fair use through digital trade agreements can help with workers’ rights and creativity. Especially as the statement itself acknowledges that by advancing intellectual property rights of big-tech corporations, the US government expanded their access to the global market at the expense of others.

There are many more arguments in the statement that support a protectionist digital trade agenda to seemingly protect the workers and users’ rights. It even goes as far as supporting contested arguments such as online platforms should be held accountable for the third party user generated content and provision of bulk access to source codes and algorithms for the governments to address harmful practices and content is necessary.

To protect workers and users on the Internet when dealing with digital products and services is a wonderful goal. However, it is unclear how the AFC-CIO solution can actually help with reaching that goal. Fortunately, there are both private and regulatory initiatives around the world that address the well-being of the workers in tech companies. For example, the Digital Trust and Safety Partnership, an industry consortium, includes investing in the wellness and resilience of teams dealing with sensitive materials as part of its Best Practices Framework. Tech workers have also started creating workers’ union inside tech-companies. We need to think about supporting alternatives instead of attacking the critical characteristics of the Internet. It is those characteristics that make meaningful connectivity possible.

Access to the Internet is not just access to another form of communication. It is access to essential services and a lifeline during a crisis. This was quite clear during the years of a global pandemic. We need to stand up against what hampers our interconnectivity. Our solutions should not cost us the Internet.

Defeating Digital Perseus: 2022 Version

2022 was a tough year for the Internet. Digital Perseus came out in full force to fragment the Internet, to stop unfettered access and sometimes even friends turned into Digital Perseuses. But overall, it has been a productive year for Digital Medusa. Despite all the trouble and barriers that Digital Medusa faces, this year was filled with exciting projects.

Sanctions and the Internet

We have been dealing with sanctions and their effect on the Internet for years. Ordinary users of the Internet in sanctioned countries,sanction regulators and those who have to comply have been struggling. As Digital Medusa had done some work on Iran and Afghanistan on sanctions, it made sense to make it an agenda for 2022 as mentioned in Digital Medusa’s last year blog. Little did we know that sanctions became the talk of town and everyone would want to get involved with it one way or another due to the unfortunate barbaric war Russia started in Ukraine. Then the Iranian uprisings happened and more sanctions ensued. As Internet governance organizations and other service providers on the Internet are increasingly dealing with sanctions imposed on many countries, RIPE NCC funded Digital Medusa to undertake some preliminary research on the effect of sanctions on access to the Internet. Read more about the projects and progress here.

Christchurch Call and Global Internet Forum to Counter Terrorism

Digital Medusa was more active this year as a member of CCAN (a network that provides advice to governments about handling terrorist, violent extremist behavior, attending the multistakeholder leaders summit as well as writing a report about the human rights impact of crisis protocols during terrorist attacks with an online angle.

Human Rights Impact Assessment: DNS Over HTTPS (DoH)

The DNS over HTTPS is a protocol that brings privacy to Domain Name System queries. Taraaz and Digital Medusa got involved with a project that assessed the human rights impact of a product that used DNS over HTTPS. Our partners plan to publish this report in the coming months.

United Nations and Internet Governance Syllabus

The Internet Governance Forum at the United Nations commissioned Digital Medusa to do an Internet Governance syllabus as a guide for Internet governance educators. The syllabus can be found here.

Digital Medusa is an organization

I promised Digital Medusa won’t remain a one woman show and I more or less made it happen: GEORGIA EVANS has finalized a report on how Canada upholds its Christchurch Call commitments, ZHENYE (RYAN) PAN helped with mapping the actors in sanction and Internet space and attended the workshop on sanctions at the IGF. LAURA VUILLEQUEZ did some preliminary work on sanctions and the Internet literature review and mapped the European Trust and Safety actors.
ANGIE OREJUELA has helped with so many aspects of preparing and presenting the research update regarding trust and safety and Internet and sanctions and RITHIKA SHENOY works on the humanitarian aspect of access to the Internet and has co-authored a few funding proposals with us. Working with the other Medusans was the best part of 2022. Their ideas, their enthusiasm and words of encouragement got us where we are at.

Future

In 2023, Digital Medusa will continue to protect the core values of our digital space: interconnectivity, interoperability, security and the global and open nature of the Internet. We will do so by promoting decentralization of the Internet, increasing access to the global Internet especially during crises and contributing to governance mechanisms that help connectivity and trust and safety. In order to do that, we will vigorously work on and provide a few services in 2023:

Outreach and engagement: hopefully Digital Medusa will continue with Digital Trust and Safety Partnership’s outreach and engagement but will try to provide this aspect as a service
Research and impact assessment: we will provide various governance impact assessment analysis and do research on the Internet stack.
Policy and advocacy: we will promote policies and work with various vulnerable communities around the world who do not have access to the Internet or are in crisis such as Afghanistan and help them be connected and use the Internet to have access to essential services and education.

Dear Digital Peruses

2022 was only the beginning of Digital Medusa. Despite your every effort in weakening the Internet and Internet governance organizations, the Internet is here to stay: “Don’t ever say it’s over if I am breathing”.

A multistakeholder summit? the case of Christchurch Call

Too many summits are high-level, ineffective meetings filled with well-meaning but empty speeches. But the multistakeholder Christchurch Call summit this year differed greatly from the usual UN General Assembly meetings. New Zealand and France used their political capital in this meeting to bring together representatives of different stakeholders to have a discussion about countering terrorism online.To the participants’ surprise, most of the interventions were conversational and civil society was included on an equal footing.

This blog includes Digital Medusa’s opinions about the summit and the Christchurch Call.

Background

In 2019, New Zealand and France convened Christchurch Call to Action after the terrorist attack that killed 51, and injured 50, Muslims in a mosque in Christchurch. The horrendous attack was live streamed on Facebook and other tech-corporations’ platforms.

When the Call was launched in 2019, civil society globally criticized their own lack of presence and complained of being treated as an afterthought. But for the past 3 years, we have witnessed a slow but sustainable change and a move towards convening a true multistakeholder forum. It has become a forum that can go beyond mere lip service, that is genuinely multistakeholder, and that takes part in the Christchurch Call commitments to preserve a secure, open, interoperable Internet while fighting with terrorist behavior online.

The governments of New Zealand and France convened the Christchurch Call Advisory Network (CCAN) which comprises civil society organizations including impacted communities, digital rights organizations and the technical community that aims to defend a global, interoperable Internet. While the role of civil society organizations in other similar forums is often contested and not very clear, CCAN has made real progress towards meaningful participation. It is important now that progress continues beyond just attending a high level meeting with the leaders of the world.

Crisis Response Management and Internet Infrastructure

During the summit, we discussed the crisis response management and protocols. A lot of progress has been made by various countries to create a voluntary but cohesive protocol management that can also adapt to the global nature of the Internet. However, we increasingly see calls for content moderation at the Internet architecture level (domain names, hosting providers, cloud services etc). A proportional moderation of content at the infrastructure level might not be possible in all cases. Especially during a crisis, we have to be extremely careful with the techniques we use to filter and block access to domains and websites, as it might not be possible to do proportionally. Such techniques might hamper access to other services online. We also need to evaluate the impact on human rights of each at each stage of crisis response. A global interoperable and interconnected Internet needs a holistic approach to safety—one that does not focus exclusively on blocking, take-downs and after the incident responses, but that offers a systematic way of tackling the issues raised by horrific content online.

Researchers Access to Data

Perhaps surprisingly, Digital Medusa deviates from various researchers and civil society organizations in calls for researchers’ access to data. While the Digital Services Act will facilitate such access, I do not believe we have the governance structures in place to validate research, nor to provide the privacy-enhancing structures to diminish abuse of personal and private data. New Zealand, France and a few others announced an initiative that can address this issue while also facilitating researchers’ access to data. The effectiveness of such an initiative remains to be seen, especially as it primarily focuses on fixing problems by focusing on technology.

Internet of the Future

It is natural to think that, if bad content online is the source of danger, then all that is needed is to remove that content and moderation. But content removal does not on its own bring safety to the Internet. For our future efforts, we need holistic approaches. We also need to work with impacted communities and operators on the Internet. Content removal and take-downs on the Internet can have a major impact on the well being of individuals. Careless removal and takedown can affect access to a host of essential online services and it can also hamper uprisings and information sharing online during a crisis. I hope that content moderation will become only one tool (and not even the most important), and we come up with more innovative ways to deal with governance of our conduct on the Internet.

The Domain Name Multistakeholder Theatre

At the early stages of the Internet, domain names (example.com) were the point of entry for the majority of people’s online presence. As a result the allocation of these domain names mattered for the Internet. The general public, using the Internet for personal growth and development and citizen journalism cared about their domain names. Small businesses cared as well about their domain name, if the amusing case of armani.com is any indication.

1998 saw the creation of a new body that, at a high level, would govern overall the allocation of domain names. It was called Internet Corporation for Assigned Names and Numbers, or ICANN. For the reasons outlined above, ICANN mattered a lot to the Internet, so its policies affected a large number of people on the Internet.

That has changed. The Internet has developed such that, while the Domain Name System is ever more important to technical operation, the role of ICANN (while still critical) has been diminished. Most of the time, people’s point of entry to the Internet does not expose them to domain names anymore.*

Despite this change, some at ICANN still believe that ICANN is in charge of security and stability of the Internet as a whole and believe there is much at stake at ICANN. They also believe that the multistakeholder model that ICANN runs can only be done through bloated layers of processes and bureaucracy. This was evident in the recent ICANN Hague meeting which happened last week.

For any issue that ICANN has to deal with, it comes up with an elaborate process that involves a wide variety of stakeholders (though it is dubious what stakes some have) and a very detailed process that will take months to operationalize. This was obvious from the re-opening of the issue of Closed Generics, a term for an obscure operational wrinkle where allocation of generic names such as .books to corporations like Amazon is disputed. While the policy development group did not come up with a resolution on Closed Generics, the Board (instead of making a decision) sent the issue back to the community to make a decision. The community obviously came up with an elaborate process of having a facilitator, a bunch of representatives and so on.

The problem with having a multistakeholder theater is that it leads ICANN away from its important but narrowly-limited mission. There are a bunch of regulators around the world that want to see things are happening. If ICANN is not doing that narrow, limited mission that it has, then the regulators will regulate. So while it is very gratifying to be transcribed, have high level panels with distinguished stakeholders and talk about issues and reopen them many times, we might have an irrelevant multistakeholder body soon.

*This might be anecdotal but a cursory look at the number of domain name registration (from Verisign report) is indicative of such change: “New .com and .net domain name registrations totaled 10.6 million at the end of the fourth quarter of 2021, compared to 10.5 million domain name registrations at the end of the fourth quarter of 2020.” https://www.verisign.com/assets/domain-name-report-Q42021.pdf we can compare this number to Facebook’s new users which is 500,000 every day. https://backlinko.com/facebook-users, another reason might be that while apps and other Internet services use domain name system extensively, the general Internet user doesn’t use it directly.

How to multistakeholder wash Internet disconnection: On the multistakeholder Internet governance sanction regime

Demilitarization of the Internet is a goal we should all aspire to. This can be done in various ways, such as effective nongovernmental attribution of cyberattacks, emphasizing the importance of bringing in stakeholders other than governments and the military as well as self-governance.

Recently, some have used the awful war Russia has started against Ukraine to come up with a statement and a solution of how we go about imposing sanctions that can demilitarize the Internet and overcome propaganda. I call that statement multistakeholder washing of Internet disconnection. Multistakeholder washing is the process of taking a process controlled by an elite group, and dressing it up in the clothes of multiple stakeholders. The statement about sanctions is a good case study:

1. Stages of multistakeholder washing

First step: In order to multistakeholder wash an idea, a limited set of stakeholders— sometimes excluding affected communities, and frequently including people with a lot of resources and power— get together and come up with their own solution. We can call this group the Wise Ones. They do this initial step behind closed doors, to get the statement out; otherwise it will get too noisy and involve too many people.

Second step: the Wise Ones publish the statement, and use their connections to promote the idea (e.g. ensuring that media outlets have early access) The Wise Ones also tell everyone that they are open to feedback while shutting down opposing views and at the same time starting to operationalize their idea. These kinds of approaches are not unknown to those who practice multistakeholderism. Including only “insiders” preliminary stages of statements is a tactic that serves to control the process as much as possible.

Some consortiums or other unilateral processes start first as single stakeholder initiatives and later on try to adopt a multistakeholder approach. That is not the approach used here. In this model, the Wise Ones claim they are multistakeholder already.

Third step: Save the whole world (which most of the time actually means the West).

2. Who are the stakeholders?

Part of the legitimacy of the Wise Ones depends on a pose of neutrality and inclusion. Usually, the Wise Ones solutions are proposed for highly contentious issues where there is a lot of disagreement. So, the Wise Ones often claim broad legitimacy from unnamed supporters who, unfortunately, cannot name themselves publicly. This step we can call “inclusion of the unnamed”.

In the current example, for instance, we don’t know who the stakeholders are, other than the ones who signed the statement. The ones on the statement are mostly Western, mostly male, and mostly never lived in sanctioned countries, or operated networks there.

We can see the action of inclusion of the unnamed in a claim that one of the leaders of this statement, Bill Woodcock, made on LinkedIn:

“Ten days and 87 authors, from every part of the Internet governance community… This is how we do multistakeholderism, and ensure that the Internet is not used as a tool of war or oppression.

There are 36 people who have signed this open letter. We have no way of knowing who the other 51 are. Perhaps they do bring to the proposal the perspective of people who have lived in sanctioned countries and dealt with the result, but the included list of people who did sign on does not give one a lot of confidence. In this case, Mr Woodcock should have clarified every part of the Internet community that they managed to convince to agree with this initiative! We shouldn’t need to wonder why this document came together so quickly.

3. That unprecedented challenge we knew about for so many years

A third element of multistakeholder washing is the assertion that the issue being confronted is entirely new, which requires the heroic intervention of the Wise Ones to confront. For instance, in the present case, the document makes such an assertion from the very beginning. It says: “The invasion of Ukraine poses a new challenge for multistakeholder Internet infrastructure governance.”

The invasion of Ukraine does not pose a new challenge for multistakeholder Internet infrastructure governance. This is a challenge that those working on the statement want to pay attention to only now and want to do something collectively only now. Many people raised the challenges that faced the Internet during conflicts and wars. Afghanistan and Syria are only two wars that raised very similar challenges.

Let’s reframe this sentence to what it really is about. The invasion of Ukraine reinforced this challenge, which triggered the West to finally pay attention to it in a collective manner. It’s good to have people paying attention to these issues, but only if we actually consider that, like the Internet, this challenge has a global dimension and includes more communities than Western based entities.

4. Adopting tired, old approaches that have been tried and tested and failed

A peculiar element of multistakeholder washing is that it frequently presents, as new and revolutionary, solutions or approaches that have previously been tried and found wanting. This may be because the Wise Ones group excludes too many participants who would have been able to point out the similarity to previous approaches to a problem.

In this case, for instance, the technocrats who make up the Wise Ones claim,

“The effectiveness of sanctions should be evaluated relative to predefined goals. Ineffective sanctions waste effort and willpower and convey neither unity nor conviction.” and “Sanctions should be focused and precise. They should minimize the chance of unintended consequences or collateral damage. Disproportionate or over-broad sanctions risk fundamentally alienating populations.”

Sanctions have to be effective and precise. This is not a unique and ingenious principle. Governmental sanctions were never adopted without predefined goals. (US sanctions had human rights goals in mind.) They didn’t want to be ineffective either, hence they considered fines. There were attempts to be precise too, so they came up with a list. But these lists have historically affected those vulnerable communities oppressed by dictatorships more than the dictators themselves. Those who have worked on the issue have documented this through years of monitoring and observing the situation. Because businesses want to do business, and don’t want to get fined, they automatically act cautiously where sanctions might affect them. This leads to over-compliance with the sanctions, and on the Internet that means the disconnection of whole communities of people. Despite the fact that the US office of treasury emphasized every step of the way that ordinary people should not be affected by sanctions and that the specially designated national (SDN) list was in effect to come up with proportional sanctions to limit collateral damage, businesses (tech and non-tech) just stopped doing anything with the residents of those based in sanctioned countries. Internet companies sometimes even refuse to provide their products to businesses that are not residents of the sanctioned countries but that provide services to such countries. Read more about that here. None of that is a new development, and if there is something truly new in this sanction proposal it is pretty hard to see what.

5. Only military and propaganda agencies and their information infrastructure are potential targets of sanctions

Another odd element of multistakeholder washing is that the proposals usually make exaggerated promises of effectiveness. Part of the reason that multistakeholder processes can be frustrating is because they include so many participants, which can slow progress. But that wide inclusion tends to make for an effective system because, as the open source software advocates like to say, with enough eyeballs all bugs are shallow. When an exclusive group pretends to be multistakeholder, the advantage of different perspectives is lost.

In the example of the sanctions proposal under discussion, part of the supposed virtue is the narrow target. But blocking “propaganda agencies” will not lead to demilitarization of the Internet, but to politicization of the Internet. For some, the Voice of America, is a propaganda agency. For others, other countries’ outlets are. What are the parameters to decide what a propaganda agency is? Who decides, and how?

Also, the claim that the sanctions will only target certain entities and networks is naive. One does not even need the experience to see this. Militaries in dictatorships, and especially in sanctioned countries, will use networks of civilians (by force if necessary). They own many channels of communications and sometimes have their representatives in those networks. It was only today that London Internet Exchange announced that it had to comply with sanctions and suspended the membership of two Russian AS numbers that belonged to telecommunication agencies in Russia. This might be because the owners of those ASes were in the legal sanction list. But the disconnection will potentially hamper many more people.

This is why the “list based approach” never worked when it came to sanctions. Since the powerful in sanctioned countries can navigate around the list, they will not be affected. The sanctions can’t catch the powerful, but they do catch the “small flies” that don’t have the resources of oligarchs or military.

6. The multistakeholder community is here to save the day

Part of the reason multistakeholder washing is attractive is that the idea of a multistakeholder process conveys a certain kind of legitimacy. In the worst examples, that legitimacy is held up against governments asking them not to impose sanctions! This issue shows up prominently in this principle: “It is inappropriate and counterproductive for governments to attempt to compel Internet governance mechanisms to impose sanctions outside of the community’s multistakeholder decision-making process.”

Governments impose sanctions as a means of implementing their foreign policies. So, sanctions are inherently government action. An optional, non-governmental refusal to interact with someone else is not a sanctions regime. It’s a consumer boycott (in this case a military consumer boycott). Which would have been an interesting regime, and if that is what this group means, they should actually clarify it.

But learning from the governments’ experiences about sanctions is crucial. Governments have been imposing sanctions on various countries and groups which hampered the access of ordinary people to services on the Internet and Internet infrastructure. You can’t stop them by having a principle that they shouldn’t impose sanctions. And if you provide the governments with a list, governments will add to their sanction list and fine every network that communicates with the sanctioned networks. This is how sanctions work.

The Networks themselves have already been complying with sanctions or enabling customers to comply with sanctions. Networks on the Internet have to follow the laws of the countries they are based in. In fact, Content Delivery Networks and others have allowed for businesses not to serve certain regions or countries and they don’t consult with any imaginary multistakeholder community, because they have to follow the law. The US regularly confiscates domain names because they were owned or related to some military force and had undertaken disinformation campaigns (see one example). What is this multistakeholder community going to do in the future when the US does something like that again, using this new multi stakeholder-approved list? Is that the outcome this group wants?

The Wise Ones also recommend due process and consensus to come up with the magic list. Due process usually is provided after the fact. This must mean that they will have a list of organizations, IP addresses and domain names and if those people complain, then there will be a process to unblock them. Which is good, but again another tried and tested method that is not efficient nor fair. (you see a lot of “due process” arguments in content take-down that completely ignore the deprivation of access to crucial services to people) What is not well thought out here is how wrongful disconnection is going to be prevented? What are the remedies? These are the fundamental questions that the proposal assures will be solved by consensus among the multistakeholder community. But waving these problems away as a simple matter of consensus is simple wishful thinking. The entire problem of sanctions is a political one of who is to be sanctioned, by whose authority, and with what effect. In answer to that problem, the Wise Ones offer “due process and consensus”. In other words, on the basic central issue, this proposal makes no proposal at all.

How to move ahead?

Multistakeholder washing creates the illusion of a multistakeholder process when the process is actually exclusionary. It is probably not that surprising that this would be used to build a recommendation for a sanctions regime. For sanctions regimes are inherently exclusionary. They consider nation states as the unit of analysis and if you have decided to sanction some ruling party in a country, you are naturally not going to include them in the discussions. Which is fine, but then your process will not be multistakeholder, you can pick another name for it. You can call it the Networks We Don’t Like!

Many of us agree we need to stop the militarization of the Internet and attempt to demilitarize it. But can we do that with a “sanction regime” and a “list based” approach that can be abused and lead to disconnection of ordinary people from the Internet? The evidence so far would appear to be no, which is what would have been evident to the people who proposed this sanctions model if they had actually engaged the wide range of stakeholders that is a necessary condition to meet all the principles the authors laid out. Businesses, network operators and others are free to take private actions and talk to the networks they like and boycott the networks they don’t. But perhaps it is better to acknowledge that this is not a multistakeholder process and it will not be possible to uphold those principles laid out in the document, i.e. people’s access to the Internet will be hampered.

Sanctions, Global Internet Connectivity and Content Delivery Networks

On Friday, Mykhailo Fedorov, Ukraine’s digital transformation minister, asked Cloudflare and Amazon to stop serving Russian web resources and protecting Russian services.

He said in a tweet that Ukraine was “calling on Amazon to stop providing cloud services in Russia.” He also said that “Cloudflare should not protect Russian web-resources while their tanks and missiles attack our kindergartens.”

Content Delivery Networks might already refrain from serving sanctioned countries, including Russia. However, sanctions that affect Internet traffic have been under-discussed for a long time. It is unclear so far the extent to which any sanctions have affected CDN services and traffic either destined for or coming from Russia. There is some evidence that CDN “geoblocking” has affected Russian sites. It is documented in an excellent paper published in 2018 that discusses geoblocking and economic sanctions in CDNs by validating the observations through Cloudflare. But sanctions might affect CDNs and Internet traffic beyond geoblocking.

In this blog I will provide an analysis of how sanctions may affect Internet traffic. These sanctions have been affecting Internet traffic from countries such as Iran, Cuba, Syria and Russia for a while.

What is a Content Delivery Network?

A CDN is a system of servers located around the globe that facilitate website performance by delivering the content from the closest servers to the users. It provides various services that affect global connectivity through website operators, IXPs, ISPs, web browsers and others. There are different business models that CDNs use and the differences are important in how sanctions affect their services so all the issues I am raising here might not apply to every CDN.

Content Delivery Networks or CDNs help generally with Internet performance by keeping Internet traffic contained within a geographic area or network. They often also provide security services (by combating DDoS attacks, for example). CDNs are very often used by even relatively small website operators. Some of them also provide DNS over HTTPS (DoH) resolution services. They are also often used to make mobile apps work quickly and to provide large-scale software distribution (such as when an operating system update becomes available).

It is important to understand that the consumers of CDN services are ordinary users of the Internet, but that those users are not customers. The customers of CDNs are the website operators, software publishers, and so on who pay the CDNs to distribute content. CDNs nevertheless can have an effect on ordinary Internet users. So, we should examine how CDNs might affect various people around the world.

Not serving people in sanctioned countries at all

It is well known to residents of sanctioned countries that some of the cloud services and CDNs based primarily in the US do not directly serve these residents either as customers or as ordinary users. There was, in fact, an outcry about AWS not serving developers from Iran in 2019. Amazon responded about not providing web services to Iranians:

“We comply with all applicable laws in the countries in which we operate, including any international sanctions and other restrictions that may be in place for certain countries,” an AWS spokesperson told Al Jazeera in an emailed statement. “Because Iran is subject to broad trade restrictions, limiting virtually all business with Iran, we do not serve customers in that country.”

It is not true that sanctions limit virtually all business with Iran and sanctioned countries. Sanctions don’t apply to noncommercial and personal communication. But this over-compliance with sanctions can be observed in many places, and affects not only CDN customers but even ordinary Internet users.

Peering policy and sanctions

CDNs generally benefit from peering, and many of them maintain an open peering policy (Cloudflare is one example). An open peering policy means that any other networks can peer with the open peering network, normally without any monetary cost. But while open peering generally includes any network, it does not mean that networks based in sanctioned countries are not affected by the sanctions. In Cloudflare’s case, for example, if peering is also deemed to be a “transaction”, then sanctions might well affect them. Cloudflare’s policy on peering and sanctions is silent as to their view of these kinds of sanctions, but their policy while allowing open peering also allows them to restrict peering or not peer when they desire to do so.

Enabling customers to block access to sanctioned countries

CDNs allow their customers to decide “what content” is served to “which users”. In effect, website operators use the geoblocking features to prevent serving users merely because they are based in a certain country. Often, this is used to enforce various content licenses or to conform to distribution restrictions, such as when a video is available in one country but not another. Sometimes, however, site operators use geoblocking not to serve any content to users in sanctioned countries. It’s a blanket compliance with sanctions that is probably not even required by law. But when users are considered as “legal risks” because of their location, then this discriminatory practice is justified internally. Website operators have already been discriminating based on geographical location for years, including against users in Russia.

Content Delivery Network not serving a certain region or country

A CDN can decide not to serve a country or a region at all because of sanctions. So, it might adopt a policy, for example, not to allow its DoH resolvers to serve IP addresses based in Russia. This would mean that, for example if the Web Browser uses DoH resolvers of that CDN, users of the web browser based in sanctioned countries won’t be able to look up any website on that web browser without reconfiguring the browser.

Domain and website operators

Cloudflare offers a free tier customer account that helps with better access to services that are not large enough to afford full paid service. Residents of sanctioned countries might use these services (especially since they are free). However, these customers might want to hide their origins not to be blocked from the service, and might therefore use various VPNs to hide their actual origin IP address (because they can otherwise be blocked). But this technique also effectively moves the customer’s geolocated IP address, so such customers might also not be served with the most efficient routing service. For example, if Cloudflare thinks a connection is coming from North America, it is likely to use a North American server to answer queries. In reality, the customer might be in Russia. As a result, the website might load at a lower speed for the Internet user.

Internet, sanctions and global connectivity

When it comes to compliance with sanctions, many industries over comply. Services and products related to the Internet, be it the New gTLDs, Content Delivery Networks and other services, are not exempt. But over compliance with sanctions at the Internet infrastructure level can have a devastating effect on ordinary people’s access to the Internet while not having the optimal deterrent outcome on States and their decision-makers. Perhaps we need to rethink the sanction regime for the Internet to keep the Internet global and open, facilitate free flow of information and discuss meaningful remedies during wars and conflicts.

Internet Governance Revenge Fantasy or Helping Ukraine?

sebastian-svenson-vaC0w7XBSXw-unsplash (1)

To the Internet community:
We must empower Ukraine to operate and defend itself on the Internet, and stop arguing over dubious actions against Russia that don’t even affect the perpetrators of this war—the Russian ruling party.
In this blog, I will tell you why many of the ideas about limiting access to Internet infrastructure in Russia won’t work and won’t be effective.

1. Taking the Country Code Top Level Domain (ccTLD) .RU down
In a letter, the Government Advisory Committee Ukraine representative at ICANN has asked ICANN to remove .RU (Russia’s ccTLD) from the root zone. This means that any of the second level domains in that space (example.ru) won’t be accessible. This is a bad idea:
-This does not ‌help Ukraine’s Internet in any way. Russia is not undertaking the cyberattacks through .RU.
-Ordinary people and institutions that run their domain names in that space will lose access.
-Those who have the economic power (eg.. the government and the oligarchs) can register other second level domains while ordinary people with established businesses might have less access to alternatives.
-It sets a bad precedent that can affect future ICANN actions. If ICANN takes action‌, it should also take action when there are claims against other ccTLDs. The precedent, for example, can help attach ccTLD to those who claim it is an asset and have a writ of attachment against a ccTLD.

2. The Autonomous Systems: lets not respond to the Russians
When ISPs and Internet Exchange Points and other network operators want to talk to each other, they talk through Autonomous System Numbers (ASNs or ASes). ISPs on the RIPE mailing list were discussing whether they should respond to announcements coming from Russian ASes. Remember that these ASes connect people to the global Internet. So, if Network Operators don’t respond and connect—if‌ these Russian ASes are “shunned”— the shunned ASes will be effectively cut off. Remember, the Internet doesn’t work like a telephone system: sometimes ASes get their connections through connecting to ASes in other countries. It is not all territorial. It is also not so clear-cut to understand which AS is run by the government and which is run by others. And governments, especially autocratic ones, try to have a hand in every private affair. Also, not all parts of the government are providing services in favor of war against Ukraine. Some provide critical services to the population, and they do interconnect with networks outside of Russia to provide those services.
Removing Russian ASes (that in itself is a debatable concept) from the routing table only makes it less efficient for these ASes to communicate. It is unlikely to create a disconnection. It only creates latency for ordinary people who connect through the ISPs.

Ripe NCC Executive Board announced that it will not take any action with this regard. Note that the community can take some collective action on its own. But RIPE NCC Executive Board as an institution announced will not take any action.

3. Root servers
The Ukrainian GAC member to ICANN requested removal of Russia-located root server instances. ICANN, which operates the “l” root server cluster, has a few root server instances in Russia. So do some other root server operators, and ICANN cannot control them. Even if ICANN shuts down the root servers, other actors root servers can effectively be used. Shutting down the root servers is in any case also not an effective way to disconnect, since Internet service providers in Russia can get access to the root zone in other ways and find other ways to connect. More importantly, in no way does removing root servers from Russia help Ukraine not to be attacked or to have better access to the Internet.

Effective sanctions and punishment can work and should be used to stop the perpetrators of this war. We should wake up from this Internet revenge fantasy that does not help anybody! Instead, let’s help Ukraine’s interconnection and access to the Internet. This is not the time to try and prove our “theoretical” ideas might have some merit!

Turning enemies into allies: what if law enforcement started loving encryption?

Legislators around the world don’t like encryption and actively want to kill it. The activities range from having a campaign against encryption to coming up with laws. The US senate judiciary committee on December 10, 2019 warned tech corporations and social media platforms to find a way for law enforcement agencies to access personal communication of the corporations’ users and customers. Otherwise, the legislators would impose their will on these platforms. Lindsey Graham, the Chair of the committee, said: “My advice for you is to get on with it, because this time next year [in 2020] if we haven’t found a way . . . we will impose our will on you”

It has been two years since the threat of regulation, so it would be interesting to see what sort of activities have taken place since that threat.

Lindsay Graham did not manage to impose his will on these corporations. At least not yet. But he and his colleagues came up with a new bill called Lawful Access to Encrypted Data Act (LAEDA, 2020). When the bill came out, according to the Electronic Frontier Foundation, it was even more out of touch with reality than bills such as EARN IT Act.

The bill is not very sophisticated. The legislator didn’t consider the public comments it received, so it simply recommended a backdoor. And it invoked the usual justifications such as combatting terrorists and criminals’ (mostly child predators’) use of these technologies and apps. The bill also argued that encryption makes it impossible to receive information and evidence, even with a court order.

Why so riled up?

I think one of the most important questions we need to ask is why nation states, legislators, and law enforcement—regardless of their autocratic or democratic natures—hold so many reservations about encryption? Law enforcement personnel, when investigating criminal activities (including cybercrime and cybersecurity attack) need to gather as much evidence as possible. In criminal investigations, since many of our modes of communications have moved online, they have to gather the evidence that is available on the Internet. They cannot, however, access the encrypted texts online, unless they have the access key to the encrypted materials. Access to that key has become impossible since tech corporations have adopted technologies that do not give the corporations the key. Only the users or the users’ devices know what the necessary key is.

How did tech corporations get on with it?

Tech corporations do not take the threat of legislation for granted. Last year Apple decided to install a kind of “upload filter” on its iCloud that would scan photos for Child Abuse Materials. According to Apple Technical Summary Report: “CSAM Detection enables Apple to accurately identify and report iCloud users who store known Child Sexual Abuse Material (CSAM) in their iCloud Photos accounts”. The system Apple suggested included three technologies which would lead to decryption of the message using a “hash database”. For example, if the user image “hash” matches the CSAM hash database, then the server can derive the encryption key and successfully decrypt the message. The digital rights activists were vehemently against this plan and Apple did not go ahead with implementation.

Meta delayed implementing encryption for some of its products. Meta already put encryption in place for WhatsApp messenger in 2016. It had announced plans to implement end-to-end encryption on Facebook and Instagram’s Messenger Service, but Meta delayed the implementation until at least 2023.

What is law enforcement doing?

Law enforcement, for now, relies on social media for intelligence assessments and investigations. The Federal Bureau of Investigation contracts with social media monitoring companies “to obtain early alerts on ongoing national security and public-safety related events through lawfully collected/acquired social media data”. There are some suggestions to hoard metadata. But these collaborations with the private sector and sometimes even with not for profits that are human rights oriented can have dire consequences such as encroaching on the rights of others, financially benefiting from surveillance or just glorifying Open Source Intelligence Techniques and denying their consequences on some of the human rights.

What is the solution?

History teaches that we can’t rely only on sending public comments to Congress to prevent the creation of bad laws. Neither can we have a technocratic view that we can resolve this issue only through technical means. We need governance mechanisms and coalition building.

Turning enemies into allies

There are different ways that we might be able to convince nation states not to come up with encryption threatening laws occasionally.

One way might be by coalition building. For example, when Belgium wanted to impose a backdoor law, the Global Encryption Coalition opposed the law which helped with not having the encryption clauses. It also helped the cause that many global lobbyists are also in Brussels.

The Internet includes giant social systems. We need a system so that all people who are affected by these systems can understand them. To do that we need to engage law enforcement in these conversations about encryption.

Law enforcement agencies exist to uphold the rule of law. Encryption itself is a great tool that helps with upholding the rule of law. Law enforcement and ubiquitous encryption are really not natural enemies. Perhaps turning law enforcement agencies to one of the allies and advocates for encryption might work better. So, the Encryption Coalition can have an intake of members from pro-encryption law enforcement agencies. That way, we might not have to continue playing the game of whack a mole and go after every bad law that threatens encryption on the planet.

Plans for the new year: defeating Digital Perseus

I officially launched Digital Medusa in September 2021. It has been challenging but also very fulfilling, and any step towards defeating digital Perseus is worthwhile. Below, I summarize some of what Digital Medusa has done over the past four months and a limited list of what will happen in the new year:

Social Media Governance

I joined the co-chairs of the Christchurch Call Advisory Committee— a civil society group that advises the New Zealand and France governments on the Christchurch Call commitments, which aim to moderate terrorist, violent extremist content.
We (Jyoti Panday, Milton Mueller, Dia Kayyali and Courtney Radsch) came up with a framework on analyzing multistakeholder governance initiatives in Content Governance. The framework will be published as a White Paper of Internet Governance Project. Let us know if you have any comments.
I joined a panel of the Paris Peace Forum on Christchurch Call. Read all about it. Watch.
My research on Telegram governance became more popular after the Capitol riot in January 2021. NYT piece mentions my research.
I found an amazing network of people who work on prosocial design. Prosocial design and governance are alternative approaches to heavy content moderation and punitive measures for platform governance. We plan to discuss prosocial governance more in 2022.

Internet Infrastructure

I joined a group convened by Mark Nottingham to discuss how legislative efforts can hamper interoperability of the Internet, and the available remedies.
Because of the Taliban reign in Afghanistan, I wrote about how sanctions will affect Afghanistan’s access to the Internet. We also had a webinar (thanks to Urban Media Institute) with the Afghan colleagues to discuss the developments/setbacks. The video will be available on this website.
Fidler and I published an article in the Journal of Information Policy about Internet protocols and controlling social change. We argue that to understand Internet protocols’ effect on society we need to put them in context. Implementation matters and making Internet protocols aligned with human rights without considering context might not bring the social change needed. A lot of discussion went on about this paper on the Internet History mailing list, and there are some very interesting insights (the thread is filled with ad hominem attacks against the authors but even those attacks are good anthropological research materials.)

What will happen in 2022?

I am helping draft an Internet Governance syllabus that the community can use to convene Internet governance schools and trainings. I am doing this work for the Internet Governance Forum, and it will be in a consultative manner. The plan is to come up with a global syllabus, including core modules but also modules that are elective. There will be a lot of focus on what Schools on Internet Governance (SIGs) do and helping developing countries to more easily convene schools and training on Internet governance.
Digital Medusa will do more vigorous research about sanctions that affect access to the Internet.
Along with the Christchurch Call Advisory Network members, Digital Medusa is planning to be very active and find effective ways to contribute to CCAN and the Christchurch Call community.
Digital Medusa will undertake research and advocate for prosocial governance instead of just focussing on “content moderation” in Social Media Governance

Digital Medusa, for now, includes my (FB) activities. Hopefully, in the new year we can go beyond one Digital Medusa and attract more partners.

Happy new year to all! To a year with fewer Digital Perseus moments and fresher digital governance point of views.

Multistakeholder Content Governance

With multistakeholder governance gaining popularity in content governance, some initiatives have been keen on using the term to describe their governance model. The conversations around the multistakeholder nature of these processes motivated us to provide a draft framework to assess multistakeholder models in content governance.

We also held a session about multistakeholder content governance at the Internet Governance Forum 2021.*

During the session we talked about three initiatives: Christchurch Call to Action, Global Internet Forum to Counter Terrorism and the Facebook Oversight Board. It is of note that the first two initiatives have a narrow mandate: to eradicate and prevent terrorist, extremist content across platforms and online service providers. The Oversight Board however, has a much broader mandate that relates to content in general, but it’s limited to Facebook and Instagram.

There are a few important points that emerged from the session:

Multistakeholder governance goes beyond nation-states
Multistakeholder participation can happen at various stages of decision-making
Authority of the stakeholder groups is not directly related to their influence

Going beyond nation-states in content governance

Imagine if instead of just opening “public policy” offices in different countries, the online platforms would consider using a multistakeholder model to govern their users on their platform. This is not to say that we can or should give a global dimension to every issue and apply the multistakeholder model. But there are some issues that because of the global nature of these platforms, we can address with a multistakeholder model.

The Internet has revealed that the arbitrary nation-states’ borders are not an optimal unit for governance. The multistakeholder models allow us to use other units for governance. Sometimes local issues don’t belong to a certain geography and are shared with many others around the world.

Also, platforms content policies can and will affect the other parts of the Internet and its architecture, so including stakeholders that operate the infrastructure in these discussions can also help with preserving the open and global nature of the Internet.

When does multistakeholder participation start?

The participation of different stakeholder groups in governance processes does not always start from the very beginning. Sometimes the initiatives start as a public-private partnership or by the industry.

During the Christchurch Call, since the governments and tech-corporations negotiated the commitments bilaterally, other stakeholder groups were left out and their role was not clear. The governments then decided to give a more formulated role to civil society. They convened the Christchurch Call Advisory Network that included civil society members and focused on including civil society in the implementation phase of the commitments.

Another example of this is the Global Internet Forum to Counter Terrorism which was an industry led initiative in the beginning and is now trying to infuse some multistakeholder structure to the process.

Converting some or all parts of a top-down led process to a multistakeholder process comes with its own challenges. For example the Christchurch Call Advisory Network has to work with the Christchurch Call text, which has used broad terms such as “online service providers” and terms that have very contested definitions such as terrorism.

Should stakeholder groups have authority or influence?

This is an interesting debate since it’s about soft versus hard power. If we look at the history of Internet Corporation for Assigned Names and Numbers, we might argue that over time stakeholders became more powerful and had a vote in policy-making decisions. But at the same time, the Government Advisory Committee, which supposedly was set up to give “advice” became more and more powerful. This was to the extent that its advice became de facto binding on ICANN board of directors (with some minimal exceptions).

While there is no clear-cut answer to what role should different stakeholders have, authority might not always bring about influence. So the initiative can be very multistakeholder and tick all the multistakeholder boxes, but in the end, the decisions are made by one powerful stakeholder.

So why do we need this framework?

We need to rescue “multistakeholder governance” by demystifying it. “Multistakeholder” processes are not all the same. The degree of involvement of different stakeholders in decision-making differs from one initiative to another. Using a framework to find out about these differences can help us understand what we need to improve and what is working. The framework might help us get a clearer picture of the governance models in content governance. It is not about who is more or less multistakeholder, it is about how these initiatives operationalize multistakeholder models, the effectiveness of these approaches and the future improvements.

*We, a group of academics and civil society actors including Dr. Courtney Radsch, Dia Kayyali, Dr Milton Mueller and Jyoti Panday, suggested a framework for multistakeholder content governance. During the session we had a conversation with Dr. Ellen Strickland from the New Zealand government, Rachel Wolbers, Public Policy Manager at Facebook Oversight Board, and Dr. Erin Saltman from Global Internet Forum to Counter Terrorism, to discuss the framework for multistakeholder content governance.

About The Author

Farzaneh Badii

Digital Medusa is a boutique advisory providing digital governance research and advocacy services. It is the brainchild of Farzaneh Badi[e]i.Digital Medusa’s mission is to provide objective and alternative digital governance narratives.

About The Author

Farzaneh Badii

Recent Posts