The Spam Wars and Internet Governance. Again.

Every now and again, the obscure world of Internet administration comes into public view, and invites those of us in academia who have been thinking about the governance of the Internet and its infrastructure to revisit how undeveloped public law in this area is. One such moment occurred two weeks ago when Spamhaus, an important spam prevention service, became the victim of one of the most massive distributed denial of service (DDoS) attacks ever.

Two weeks later, Spamhaus appears to have weathered the attack. Soon after it realized the gravity of things, its administrators enlisted the services of a company that, among other things, protects against spamming and large DDoS attacks. And, while the attack does not seem to have been as dramatic as the NY Times and other media outlets purported late last week, I nevertheless remain uncertain about where we stand. For a phenomenon as essential to public life as email, the Spamhaus attack raises far more questions than it answers. At a minimum, it invites serious reconsideration of the extant approach, particularly when the only measure of legitimacy to administer email is raw technological savvy.

Spamhaus basically administers and publishes a “blocklist” of bad computer servers from which unsolicited emails typically originate. It updates the lists frequently and regularly. Service providers and others, in turn, use the list to keep their users free from viruses, malware, and unsolicited emails.

But this all comes at a cost.  Spamhaus relegates anyone who uses blocklisted servers to Internet oblivion. Accordingly, over the years, it has been subject to tort-based defamation and interference claims by parties who claim to have been unlawfully censored. It also has been the target of DDoS attacks that sought to shut Spamhaus’s servers down. Historically, however, the white hats at Spamhaus have won.

Evidently, hell hath no fury like scorned computer programmers. While Spamhaus appears to be up and running again, a vindictive group of programmers launched an unprecedented concerted attack on Spamhaus’s servers, and for at least one day, took down a very small but notable chunk of the Internet with it. Fortunately, for most of us, the damage was minor and the white hats again eventually prevailed. But this conflict between mainstream and dissident technologists underscores how an unmediated focus on technological remedies in cybersecurity can quickly descend into a state of anarchy.

Clearly, neither legislators nor government agencies have been particularly effective. The amended 2003 CAN SPAM Act effectively sanctions spamming.  Moreover, the Federal Trade Commission, which is empowered under that statute to bring criminal and civil enforcement actions for spamming, rarely brings such actions and, of course, only does so after the damage has been done.  (Agencies across the world have commenced investigations of the culprits in the Spamhaus episode.) Finally, the Computer Fraud and Abuse Act is far too fraught these days to be useful.

And, to be clear, I am not talking here about cyberwarfare or cyberterrorism, where the trump card of national security silences nearly all discussion. I am talking about email, one of the most technologically banal Internet applications.

Indeed, even in the context of email, the key questions have not changed in the fifteen years since the Department of Commerce first delegated to ICANN the heady authority to administer domain name assignments.  To wit: Is there a political or democratic check on the decision-making about Internet governance generally or email administration in particular? Assuming there isn’t, what is the real system of checks and balances in this area, and how readily are they subject to political or democratic accountability, if at all? For the purposes of answering this prior question, should we distinguish between different Internet-based applications – that is, emailing vs. massive multiplayer online gaming? In any event, what are the principles on which disputes related to something as generic as email are resolved, and how consistently are they adhered to?

A small fraction of these considerations have been bandied about in the past year or so as concerns about governmental participation in Internet governance have become more and more conspicuous. A prescient 2000 Duke Law Review article by Michael Froomkin and much more recent scholarship by Phil Weiser and others on multistakeholder governance offer some clues. Yet, by my lights, these questions remain unanswered, when by all means they should not.  At a minimum, to borrow from my current paper project on federal spectrum administration, Internet governance today could at least benefit from the well-trafficked vocabulary of public law administration (e.g., delegation, accountability, expertise). But, first, its main protagonists will have to give up on their nearly ideological view that the Internet is too exceptional or technologically exotic to be subject to public scrutiny or law. It’ll probably take more than a spam-inspired cyberattack to get us there.

5 Responses

  1. Thanks for the shout-out to my 2000 article on ICANN. (The URL is actually http://papers.ssrn.com/sol3/papers.cfm?abstract_id=252523 .)

    The major obstacle to the imposition of public-law values on transnational bodies is that someone has to play the role of enforcer, and none of the international bodies that might play that role are both trusted and competent. That leaves national bodies. States are jealous of each other, and don’t want to give that role to a ‘peer’, especially if the state taking on the role is a hegemon or hegemon wannabe.

    I used to say, only quarter-jokingly, that we should put the Canadians in charge of ICANN, but that won’t happen either.

  2. Thanks for the reply, Michael. I fixed the link.

    I agree that neither the ITU nor the UN have the institutional capacity or experience to handle the governance problems here, but I’m not so sure the US or ICANN has a monopoly on trust any more than those international bodies, although I think ICANN is doing a lot to allay anxieties. (Canada is a whole other can of worms.)

    Also, I wonder what you make of this post about ICANN’s answer to the recent Spamhaus spat: http://jl.ly/ICANN/ubrp.html. Spamhaus and StopHaus joining together to review complaints? That certainly would go far towards legitimizing the complaint process. The acronym makes me think it’s an April Fools joke.

  3. Jim says:

    As with all other seeming calls for more law, I would ask that current law be enforced vigorously before adding more laws.

    When it comes to spam, the simple fact is that the current technological solutions work, while the law (Can Spam) doesn’t even begin to work BECAUSE IT ISN’T ENFORCED!!!!!!

    And before I step off my soap box, I want to know exactly where and when, and by what authority our government, on any level – Federal, State, Local – can pick and choose the laws they enforce. Can Spam – negligible enforcement. Do Not Call – always too little too late. They need to stop fining “Rachel,” and instead put her in jail. Penalties should be too stiff to be considered just a cost of doing business.

  4. Jim says:

    Spamhaus and Stophaus joining together to review complaints? Ridiculous! Stophaus is backed by criminals. It has no business being a part of any solution to the problem with spam let alone being involved in the much larger picture involving general Internet governance.

  5. Olivier, I think John Levine is just having some April Fools fun there.