Achieving Internet Order Without Law

This article was originally published in Forbes

The popular narrative in Internet policy circles these days goes something like this: The early days of the Net were a glorious unregulated nirvana, but eventually governments had to move in and assert more authority over cyberspace or else an unruly “Wild West” would have developed and left us vulnerable to various online pathologies. That narrative is what today drives countless proposals to have governments intervene and regulate to ensure a more “safe and secure” cyberspace.

Not so fast, says Eli Dourado, an economist and colleague of mine at the Mercatus Center at George Mason University. In an important new paper, “Internet Security Without Law: How Service Providers Create Order Online,” Dourado convincingly shows just how off-the-mark this narrative is when it comes to online security.

Dourado documents the many informal institutions that enforce network security norms on the Internet and shows how cooperation among a remarkably varied set of actors improves online security without extensive regulation or punishing legal liability. “These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms,” Dourado shows.

For example, a diverse array of computer security incident response teams (CSIRTs) operate around the globe, share their research, and coordinate their responses to viruses and other online attacks. Individual Internet service providers (ISPs), domain name registrars, and hosting companies work with these CSIRTs and other individuals and organizations to address security vulnerabilities. A growing market for private security consultants and software providers also competes to offer increasingly sophisticated suites of security products for businesses, households, and governments.

A great deal of security knowledge is also “crowd-sourced” today via online discussion forums and security blogs that feature contributions from experts and average users alike. University-based computer science and cyberlaw centers and experts have also helped by creating projects like “Stop Badware,” which originated at Harvard University but then grew into a broader non-profit organization with diverse financial support.

Dourado shows how these informal, bottom-up efforts to coordinate security responses offer several advantages over top-down government solutions, such as administrative regulation or punishing liability regimes.

First, the informal cooperative approach “gives network operators flexibility to determine what constitutes due care in a dynamic environment.” “Formal legal standards,” by contrast, “may not be able to adapt as quickly as needed to rapidly changing circumstances,” he says. Simply put, markets are more nimble than mandates when it comes to promptly patching security vulnerabilities.

Second, Dourado notes that “formal legal proceedings are adversarial and could reduce ISPs’ incentives to share information and cooperate.” Heavy-handed regulation or threatening legal liability schemes could have the unintended consequence of discouraging the sort of cooperation that today alleviates security problems in a swift fashion.

Third, legal solutions are less effective because “the direct costs of going to court can be substantial, as can be the time associated with a trial,” Dourado argues. By contrast, private actors working cooperatively “do not need to go to court to enforce security norms,” meaning that “security concerns are addressed quickly or punishment…is imposed rapidly.” For example, if security warnings don’t work, ISPs can “punish” negligent or willfully insecure networks by “de-peering,” or terminating network interconnection agreements. The very threat of de-peering helps keep network operators on their toes.

Finally, and perhaps most importantly, Dourado notes that international cooperation between state-based legal systems is limited, complicated, and costly. By contrast, under today’s informal, voluntary approach to online security, international coordination and cooperation are quite strong. The CSIRTs and other security institutions and researchers mentioned above all interact and coordinate today as if national borders did not exist. Territorial legal systems and liability regimes don’t have the same advantage; enforcement ends at the border.

Dourado’s model has ramifications for other fields of Internet policy. Indeed, it is already at work in the realms of online safety and digital privacy. Countless organizations and individuals work together in a cooperative fashion to create empowerment tools and educational initiatives to improve online safety and privacy. And many industry trade associations and non-profit advocacy groups have established industry best practices and codes of conduct to ensure users of all ages have a safer and more secure online experience.

For many years, I compiled a comprehensive list of such initiatives in the online safety space as part of an ongoing compendium entitled, Parental Controls & Online Child Protection: A Survey of Tools & Methods. However, two years ago, after publishing a half-dozen versions of the report, I finally gave up trying to keep that compendium up to date because the sheer volume of tools, initiatives, and cooperative arrangements was growing faster than I could catalog them!

What these efforts prove is that not every complex social problem requires a convoluted legal regime or heavy-handed regulatory response. We can achieve Internet order without layering on more and more law and regulation.