I’ve posted a first draft of my new paper, Lessons Learned Too Well, on SSRN. The paper, which is about the regulation of online anonymity, was written for a conference being held next later this week to celebrate the 10th anniversary of the Oxford Internet Institute, A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society.
I’m the sort of person who prefers to post only more polished drafts — this one has a couple holes I know about and no doubt many I don’t know about too. But the symposium organizers asked us to post our papers on SSRN, and so there it is.
Comments very welcome, either below or in email.
I’m leaving for the UK tomorrow in order to give myself a bit of time to recover from jet lag before it begins, this being my first solo international journey since all my medical excitement. Posting may be light for a few days.
Below I post the introduction, which I thinks gives you some idea of what it’s all about:
A decade ago the Internet was already subject to a significant degree of national legal regulation. This first generation of internet law was somewhat patchy and often reactive. Some legal problems were solved by simple categorization, whether by court decisions, administrative regulation, or statute. Other problems required new approaches: the creation of new categories or new institutions. And in some cases, governments in the US and elsewhere brought out the big guns of direct legislation, sometimes with stiff penalties.
The past decade has seen the crest of the first wave of regulation and the gathering of a second, stronger, wave based on a better understanding of the Internet and of law’s ability to shape and control it. Aspects of this second wave are encouraging: Internet regulation is increasingly based on a sound understanding of the technology, minimizing pointless rules or unintended consequences. But other aspects are very troubling: where a decade ago it was still reasonable to see the Internet technologies as empowering and anti-totalitarian, now regulators in both democratic and totalitarian states have learned to structure rules that previous techniques cannot easily evade, leading to previously impossible levels of regulatory control.
On balance, that trend seems likely to continue. One result that seems likely to follow from current trends in centralization and smarter and more global regulation is legal restriction, and perhaps the prohibition, of online anonymity. As a practical matter, the rise of identification technologies combined with commercial and regulatory incentives have made difficult for any but sophisticated users to remain effectively anonymous. First wave internet regulation could not force the identification of every user and packet, but the second wave regulation is more international, more adept, and benefits from technological change driven by synergistic commercial and regulatory objectives. Law which harnesses technology to its ends achieves far more than law regulating outside technology or against it.
The consequences of an anonymity ban are likely to be negative. This paper attempts to explain how we came to this pass, and what should be done to avoid making the problem worse.
Part One of this article discusses the first wave of Internet regulation, before the year 2000, focusing on US law. This parochial focus is excusable because even at the start of the 21st Century a disproportionate number of Internet users were in the US. And, with only a very few exceptions – the greatest of which involve aspects of privacy law emanating from the EU’s Privacy Directive – the US either led or at least typified most of the First Wave regulatory developments.
The second wave of regulation has been much more global, so in Part Two, which concerns the most recent decade, the paper’s focus expands geographically, but narrows to specifically anonymity-related developments. Part A describes private incentives and initiatives that resulted in the deployment of a variety of technologies and private services each of which is unfriendly to anonymous communication. Part B looks at three types of government regulation, relevant to anonymity: the general phenomenon of chokepoint regulation, and the more specific phenomena of online identification requirements and data retention (which can be understood as a special form of identification).
Part Three examines competing trends that may shape the future of anonymity regulation. It takes a pessimistic view of the likelihood that given the rapid pace of technical and regulatory changes the fate of online anonymity in the next decade will be determined by law rather than by the deployment of new technologies or, most likely, pragmatic political choices. It therefore offers normative and pragmatic arguments why anonymity is worth preserving and concludes with questions that proponents of further limits on anonymous online speech should be expected to answer.
Goaded by factors ranging from traditional public order concerns to fear of terrorism and hacking to public disclosures by WikiLeaks and others, both democratic and repressive governments are increasingly motivated to attempt to identify the owners of every packet online, and to create legal requirements that will assist in that effort. Yet whether a user can remain anonymous or must instead use tools that identify him is fundamental to communicative freedom online. One who can reliably identify speakers and listeners can often tell what they are up to even if he is not able to eavesdrop on the content of their communications; getting the content makes the intrusion and the potential chilling effects that much greater. Content industries with copyrights to protect, firms with targeted ads to market, and governments with law enforcement and intelligence interests to protect all now appreciate the value of identification, and the additional value of traffic analysis, not to mention the value of access to content on demand – or even the threat of it.
Online anonymity is closely related to a number of other issues that contribute to communicative freedom, and thus enhance civil liberties, such as the free use of cryptography, and the use of tools designed to circumvent online censorship and filtering. One might reasonably ask why, then this essay concentrates on anonymity, and on its inverse, identification technologies. The reason is that anonymity is special, arguably more essential to online freedom than any other tool except perhaps cryptography (and one of the important functions of cryptography is to enable or enhance anonymity as well as communications privacy). Without the ability to be anonymous, the use of any other tool, even encrypted communications, can be traced back to the source. Gentler governments may use traffic analysis to piece together networks of suspected dissidents, even if the government cannot acquire the content of their communications. Less-gentle governments will use less-gentle means to pressure those whose communications they acquire and identify. Whether or not the ability to be anonymous is sufficient to permit circumvention of state-sponsored communications control, it is necessary to ensure that those who practice circumvention in the most difficult circumstances have some confidence that they may survive it.