An Endnote on Regulating Cyberspace: Architecture vs Law
Author: Graham Greenleaf.
Presented by: Oliver Bannatyne, 28th May 2002

The Context Of The Article
The author is a legal academic writing for lawyers, policymakers, and technologists.
The article is a critique of Larry Lessig's techno-legal philosophy of "Code as Law".
"Code As Law" is a theory of Internet Governance that tries to answer the questions below.

The Issues of Internet Governance
1.) Why should Cyberspace be regulated?
2.) By whom should Cyberspace be regulated?
3.) How should Cyberspace be regulated?
This presentation will mainly focus on the third issue, starting with a brief discussion of the first issue.

Why Regulate Cyberspace?
The why issue becomes: Is there a sufficient difference between cyberspace and "realspace" so that the former should be regulated differently to the latter?
If the answer is yes, should cyberspace be
a realm of freedom (lightly regulated), or
a realm of surveillance (heavily regulated)?

Realm Of Freedom
Users are anonymous.
Information should be free.
The Net is decentralised, and beyond control.
The Net is international.
Cyberspace is different to 'realspace'.

Realm Of Surveillance
The net pervades modern life.
The privacy of users is being abused.
The real/digital persona needs protection.
To ensure identity of users and data.

Code/Architecture As Law: Regulating Through Architecture
[Figure 1 - Regulation as a function of four types of constraints (Adapted from G Greenleaf, L Lessig). Diagram labels: Law, Market, Norms, Code, Activity being regulated, Indirect regulation by law, Direct regulation.]

The Four Constraints On Human Activity
1. Norms, Morality and Self Regulation.
2. Markets.
3. Code/Architecture.
4. Law.

Law as a Direct And Indirect Behavioural Constraint
Law Means -
1. Directly regulating individual behavior through social compliance/punishment. "Person X must not activity Y, failure to do activity Y causes punishment Z."
2. Indirectly regulating norms, markets, and the code/architecture.

Non-legal Behavioral Constraints in Cyberspace: Norms, Morality and Self Regulation
Means - These regulate through the fear of social embarrassment.
Example Activity - An email containing racist/sexist jokes.
Regulator - Email Monitoring.
Greenleaf says: Markets are an ineffective regulator because embarrassment is lessened by geographic distance and the unlikelihood of getting caught.

Non-legal Behavioral Constraints in Cyberspace: Markets
Means - Markets are a form of economic regulation.
Example Activity - Choosing a product.
Regulator - "Network Effects" - A product (e.g. ICQ) becomes more valuable to consumers the more users it has using it.
Greenleaf says: Markets are another powerful regulator in cyberspace.

Code/Architecture As Law: Regulating Through Architecture
[Figure 2 - Regulation as a function of four types of constraints (Adapted from G Greenleaf, L Lessig). Diagram labels: Law, Market, Norms, Architecture, Activity being regulated, Indirect regulation by law, Direct regulation.]

Non-legal Behavioral Constraints in Cyberspace: Architecture
In realspace, architecture is the physical constraints of nature, which are normally taken for granted since they are non-malleable as a constraint.
However, in cyberspace the architecture is different.

The Five Features of Architecture
1. Architecture is more than software. It includes software, hardware, standards, and human biology (biometrics).
2. Architecture has immediacy as a constraint. Changes to the architecture can have a direct, immediate effect. (i.e. Changing an access control system blocks users' access instantaneously.)
3. Most architecture has high plasticity. The architecture is easily altered.
4. The legitimacy of architecture depends on who controls it. If architecture/code is law, then have the code-writers become the new sovereign (e.g. like a state, king, or ruler)? Are they a legitimate sovereign? In whose interests are they working?
5. Default settings give regulation by default.

An Example To Illustrate - The Robot Exclusion Standard
Internet search engines use robots (webcrawlers) to catalogue websites.
These robots have the potential to break copyright and breach privacy, i.e. robots could be unlawful.
Website owners have "a right not to be indexed".
Copyright law could prevent any site being indexed (direct regulation).
The Robot Exclusion Protocol (1994) was created to allow website owners to control robot access to the website (indirect regulation through architecture).
The HTML tag <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"> prevents a website from being indexed and explored.

Conclusion & Question?
The function of many computer security mechanisms is to control behavior by controlling an individual's permissions and access.
As computer security professionals you will often have to make decisions about what is and isn't appropriate in the security architecture.
Your decisions will impact upon the rights and freedoms of individuals.
Are you ready for this responsibility?
How much guidance do you think the lawmakers should give?
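The Robot Exclusion Standard example above, seen from the robot's side: an added example, not part of the original presentation, showing that the regulation lives in the crawler's own code. The agent name ExampleBot, the paths and the sample robots.txt and page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not taken from any real site).
ROBOTS_TXT = "User-agent: *\nDisallow: /private/\n"
PAGE_HTML = ('<html><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">'
             '</head><body><a href="/next">next</a></body></html>')


class MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            parts = a.get("content", "").split(",")
            self.directives |= {p.strip().lower() for p in parts if p.strip()}


def crawl_decision(robots_txt, agent, path, html):
    """Return what a compliant robot allows itself to do with one page."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    if not rules.can_fetch(agent, path):
        # robots.txt says keep out: the page is never requested at all.
        return {"fetch": False, "index": False, "follow": False}
    meta = MetaRobots()
    meta.feed(html)
    deny_all = "none" in meta.directives  # NONE = NOINDEX, NOFOLLOW
    return {
        "fetch": True,
        "index": not (deny_all or "noindex" in meta.directives),
        "follow": not (deny_all or "nofollow" in meta.directives),
    }


if __name__ == "__main__":
    print(crawl_decision(ROBOTS_TXT, "ExampleBot", "/private/report.html", PAGE_HTML))
    print(crawl_decision(ROBOTS_TXT, "ExampleBot", "/public/page.html", PAGE_HTML))
```

Every check runs inside the robot and nothing on the server enforces the result, so the standard constrains only robots written to honour it; content that must stay private needs an access control on the server.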