The Other Information Revolution
Ten years ago, two defining events occurred that altered the course of evolution, specifically the evolution of the Internet from an academic experiment to the global infrastructure it has become.
First, President Clinton signed into law the Telecommunications Act of 1996, which, on paper, radically deregulated the provisioning of telephone, data and other information services. A few days later, while attending the annual World Economic Forum in Davos, Switzerland, John Perry Barlow (a lyricist for the Grateful Dead and the cofounder of the Electronic Frontier Foundation, among other things) dispatched a revolutionary document into the ether, a "Declaration of the Independence of Cyberspace."
The two events were related. Added at the last minute, and tucked away in the 1996 Act was a provision titled the "Communications Decency Act," which made it a crime to use the Internet to transmit "indecent" materials to minors. The Congress that wrote the CDA and the President who signed it almost certainly knew this provision was unconstitutional, a violation of long-settled principles of First Amendment law. But telecom reform had been years in the making, and everyone was tired of negotiating. The CDA became law.
Barlow's declaration, addressed to the "Governments of the Industrial World, you weary giants of flesh and steel," represented one man's disgust with politicians who were trying not so much to legislate a new medium (about which they knew nothing), but rather to appear to be legislating. Barlow, paying homage to the ideals of Thomas Jefferson and the other Founding Fathers, declared the Internet off-limits to the governments of the physical world, and promised not a violent revolution but a war of attrition. "You have no moral right to rule us," Barlow wrote, "nor do you possess any methods of enforcement we have true reason to fear."
This last observation has proven prescient. In the ten years since the CDA was enacted (and, as expected, declared unconstitutional by the U.S. Supreme Court a year later), governments at all levels and across geographies have tried with more or less effort, and more or less sincerity, to define, regulate, tax, constrain, ban, encourage or disparage (or all of the above) the thousands of new applications for transmitting information that have been released into the roiling waters of the Internet. In nearly every instance, those efforts have failed.
One thing all this legislating has succeeded in doing has been to solidify resistance among the increasingly numerous, wealthy and powerful residents of what Barlow called the "civilization of the Mind." The declaration, or rather the CDA, launched what we might think of as the other Information Revolution: the one that struggles to maintain the political independence of the internet.
Today's revolutionaries lobby against bad laws and bad judicial decisions through not-for-profit organizations including the EFF, the Electronic Privacy Information Center and the ACLU. They define and operate their own quasi-governments: the governments of open source, of peer-to-peer, of Creative Commons and the blogosphere. They stage acts of civil disobedience and sometimes outright revolt, ignoring threats of enforcement made against them by private and public enforcers from the world of "flesh and steel."
The information revolutionaries can't always hide in the bits, and when captured, many have been dealt with severely. Companies such as MP3.com, Napster and Netscape are either gone or unrecognizable. Identity thieves, spammers, hackers and copyright pirates are picked off individually by governments and corporations. But even before their bodies are carried from the field, ten replacements, even more resistant to the antiviral agents of the physical world, appear, spread and take hold.
Well, here we go again. A few weeks ago, President Bush signed into law a reauthorization of the innocently named Violence Against Women Act, which, like the Telecommunications Act exactly ten years earlier, has hidden inside it an explosive device aimed at the First Amendment. Section 113 of VAWA, which claims to deal with the new crime of "cyberstalking," modifies the exact same section of U.S. telecommunications law, 47 U.S.C. § 223, that the CDA tried and failed to change.
Where the CDA outlawed "indecency," the cyberstalking provision has made it a crime to use the Internet to communicate without disclosing your identity and with the "intent to annoy." Think of it as CDA II.
CDA II is one of the worst statutes I've ever read. It applies to any "device or software" that is capable of communicating over the Internet, but not necessarily one that is being used in that way. As one of my more devious students has pointed out, CDA II, in theory, would apply if he threw his PDA at me from the back row of class. Even if he missed me, even if I didn't realize he'd thrown it, he could be looking at two years in a federal prison.
And what does it mean to disclose one's identity in an electronic communication? (CDA II grafts itself onto an earlier provision that applies to obscene phone calls where the caller doesn't give his or her name.) Does my e-mail address identify me? My chat-profile name? Or, to avoid liability, do I need to include my name and address in every reply I post to your (dumb) blog?
The definition of "Internet" the new law uses may also have unintended consequences. It references an older law that limits "the Internet" to software and devices that use the TCP/IP protocol, or its successors or predecessors. Much of what today passes through electronic communications, and which the drafters probably intended to regulate, is arguably outside that definition.
It's important to understand what CDA II does not try to do. It does not criminalize communications that some recipient finds annoying, or which might annoy some hypothetical thin-skinned reader. The sender must intend to annoy (even if she fails), and as a criminal sanction that intent must be proven beyond a reasonable doubt. And so long as you identify yourself in the process, you may annoy with complete abandon.
Popular and trade media reports of CDA II have made some embarrassing mistakes of legal interpretation, but their basic message is right: this provision, poorly drafted and full of ambiguities as to its meaning, application and enforcement, attempts to criminalize what is almost assuredly protected speech. Just like the CDA.
But aside from some ranting on Web sites (some of it potentially violating the new law!), the revolutionaries have said almost nothing about CDA II. Ten years after "dumping some tea in the virtual harbor," Barlow hasn't issued a statement on the cyberstalking provision. When I asked him why, he told me, sounding a little weary himself, "All I can say is that some things never change."
Or maybe there's no need to rally the troops. No doubt lawsuits to void CDA II are already being drafted. More to the point, the "weary giants of flesh and steel" aren't the real threat anymore. The real threat to the Internet comes from within, from viruses and malicious hacking, and from foolish and greedy individuals and companies whose efforts to exploit the value-generating engine of the Internet sometimes distract and sometimes stall the machinery, though so far, at least, they haven't stopped it.
Congress, meanwhile, grows increasingly shrill and increasingly incoherent in its efforts to police the new world. It's the madness of King George.
Larry Downes is Associate Dean of the UC-Berkeley School of Information Management and Systems. He is the author of Unleashing the Killer App and The Strategy Machine. His next column will appear in May.