The Spam Wars and Internet Governance. Again.
Every now and again, the obscure world of Internet administration comes into public view, and invites those of us in academia who have been thinking about the governance of the Internet and its infrastructure to revisit how undeveloped public law in this area is. One such moment occurred two weeks ago when Spamhaus, an important spam prevention service, became the victim of one of the most massive distributed denial of service (DDoS) attacks ever.
Two weeks later, Spamhaus appears to have weathered the attack. Soon after it realized the gravity of things, its administrators enlisted the services of a company that, among other things, protects against spamming and large DDoS attacks. And, while the attack does not seem to have been as dramatic as the NY Times and other media outlets purported late last week, I nevertheless remain uncertain about where we stand. For a phenomenon as essential to public life as email, the Spamhaus attack raises far more questions than it answers. At a minimum, it invites serious reconsideration of the extant approach, particularly when the only measure of legitimacy to administer email is raw technological savvy.
Spamhaus basically administers and publishes a “blocklist” of bad computer servers from which unsolicited emails typically originate. It updates the list frequently and regularly. Service providers and others, in turn, use the list to keep their users free from viruses, malware, and unsolicited emails.
But this all comes at a cost. Spamhaus relegates anyone who uses blocklisted servers to Internet oblivion. Accordingly, over the years, it has been subject to tort-based defamation and interference claims by parties who claim to have been unlawfully censored. It also has been the target of DDoS attacks that sought to shut Spamhaus’s servers down. Historically, however, the white hats at Spamhaus have won.
Evidently, hell hath no fury like scorned computer programmers. While Spamhaus appears to be up and running again, a vindictive group of programmers launched an unprecedented concerted attack on Spamhaus’s servers, and for at least one day, took down a very small but notable chunk of the Internet with it. Fortunately, for most of us, the damage was minor and the white hats again eventually prevailed. But this conflict between mainstream and dissident technologists underscores how an unmediated focus on technological remedies in cybersecurity can quickly descend into a state of anarchy.
Clearly, neither legislators nor government agencies have been particularly effective. The amended 2003 CAN-SPAM Act effectively sanctions spamming. Moreover, the Federal Trade Commission, which is empowered under that statute to bring criminal and civil enforcement actions for spamming, rarely brings such actions and, of course, only does so after the damage has been done. (Agencies across the world have commenced investigations of the culprits in the Spamhaus episode.) Finally, the Computer Fraud and Abuse Act is far too fraught these days to be useful.
And, to be clear, I am not talking here about cyberwarfare or cyberterrorism, where the trump card of national security silences nearly all discussion. I am talking about email, one of the most technologically banal Internet applications.
Indeed, even in the context of email, the key questions have not changed in the fifteen years since the Department of Commerce first delegated to ICANN the heady authority to administer domain name assignments. To wit: Is there a political or democratic check on the decision-making about Internet governance generally or email administration in particular? Assuming there isn’t, what is the real system of checks and balances in this area, and how readily are they subject to political or democratic accountability, if at all? For the purposes of answering this prior question, should we distinguish between different Internet-based applications – that is, emailing vs. massive multiplayer online gaming? In any event, what are the principles on which disputes related to something as generic as email are resolved, and how consistently are they adhered to?
A small fraction of these considerations have been bandied about in the past year or so as concerns about governmental participation in Internet governance have become more and more conspicuous. A prescient 2000 Duke Law Review article by Michael Froomkin and much more recent scholarship by Phil Weiser and others on multistakeholder governance offer some clues. Yet, by my lights, these questions remain unanswered, when by all means they should not. At a minimum, to borrow from my current paper project on federal spectrum administration, Internet governance today could at least benefit from the well-trafficked vocabulary of public law administration (e.g., delegation, accountability, expertise). But, first, its main protagonists will have to give up on their nearly ideological view that the Internet is too exceptional or technologically exotic to be subject to public scrutiny or law. It’ll probably take more than a spam-inspired cyberattack to get us there.