We’re in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers, such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations. During its early days, the Internet gave coordination and efficiency to the powerless. It made them powerful, and seem unbeatable. But now, the more traditional institutional powers are winning, and winning big. How these two fare long-term, and the fate of the majority of us that don’t fall into either group, is an open question—and one vitally important to the future of the Internet.
In its early days, there was a lot of talk about the “natural laws of the Internet” and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.
Some of this did come to pass. The entertainment industries have been transformed, and are now more open to outsiders. Broadcast media has changed, and some of the most influential people in the media have come from the blogging world. There are new ways to run elections and organize politically. Facebook and Twitter really did help topple governments.
But that was just one side of the Internet’s disruptive character. Today the traditional corporate and government power is ascendant, and more powerful than ever.
On the corporate side, power is consolidating around both vendor-managed user devices and large personal data aggregators. This is a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our email, photos, calendar, address book, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, the rise of vendor-managed platforms means that we no longer have control of our computing devices. We’re increasingly accessing our data using iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Even Windows 8 and Apple’s Mountain Lion are heading in the direction of less user control.
I have previously called this model of computing feudal. Users pledge our allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It’s a metaphor that’s rich in history and in fiction, and a model that’s increasingly permeating computing today.
Feudal security consolidates power in the hands of the few. These companies act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes. They’re deliberately changing social norms. Medieval feudalism gave the lords vast powers over the landless peasants; we’re seeing the same thing on the Internet.
It’s not all bad, of course. Medieval feudalism was a response to a dangerous world, and depended on hierarchical relationships with obligations in both directions. We, especially those of us who are not technical, like the convenience, redundancy, portability, automation, and shareability of vendor-managed devices. We like cloud backup. We like automatic updates. We like that Facebook just works—from any device, anywhere.
Government power is also increasing on the Internet. Long gone are the days of an Internet without borders; and governments are better able to use the four technologies of social control: surveillance, censorship, propaganda, and use control. There’s a growing “cyber sovereignty” movement that totalitarian governments are embracing to give them more control—a change the US opposes because it has substantial control under the current system. And the cyberwar arms race is in full swing, further consolidating government power.
In many cases, the interests of corporate and government power are aligning. Both corporations and governments want ubiquitous surveillance, and the NSA is using Google, Facebook, Verizon, and others to get access to data it couldn’t otherwise. The entertainment industry is looking to governments to enforce its antiquated business models. Commercial security equipment from companies like BlueCoat and Sophos is being used by oppressive governments to surveil and censor their citizens. The same facial recognition technology that Disney uses in its theme parks also identifies protesters in China and Occupy Wall Street activists in New York.
What happened? How, in those early Internet years, did we get the future so wrong?
The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That’s the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively.
All isn’t lost for distributed power, though. For institutional power the Internet is a change in degree, but for distributed power it’s a change of kind. The Internet gives decentralized groups—for the first time —access to coordination. This can be incredibly empowering, as we saw in the SOPA/PIPA debate, Gezi, and Brazil. It can invert power dynamics, even in the presence of surveillance censorship and use control.
There’s another more subtle trend, one I discuss in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, technological advances—firearms, fingerprint identification, lockpicks, the radio—give one side or the other a temporary advantage. But most of the time, a new technology benefits the attackers first.
We saw this in the early days of the Internet. As soon as the Internet started being used for commerce, a new breed of cybercriminal emerged, immediately able to take advantage of the new technology. It took police a decade to catch up. And we saw it with social media, as political dissidents made quicker use of its organizational powers before totalitarian regimes were able to use it effectively as a surveillance and propaganda tool. The distributed are not hindered by bureaucracy, and sometimes not by laws or ethics. They can evolve faster.
This delay is what I call a “security gap.” It’s greater when there’s more technology, and in times of rapid technological change. And since our world is one in which there’s more technology than ever before, and a greater rate of technological change than ever before, we should expect to see a greater security gap than ever before.
It’s quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power—whether marginal, dissident, or criminal—as Robin Hood. And you can think of ponderous institutional power—both government and corporate—as the Sheriff of Nottingham.
So who wins? Which type of power dominates in the coming decades?
Right now, it looks like institutional power. Ubiquitous surveillance means that it’s easier for the government to round up dissidents than it is for the dissidents to anonymously organize. Data monitoring means it’s easier for the Great Firewall of China to block data than it is to circumvent it. And as easy as it is to circumvent copy protection schemes, most users can’t do it.
This is largely because leveraging power on the Internet requires technical expertise, and most distributed power groups don’t have that expertise. Those with sufficient technical ability will be able to stay ahead of institutional power. Whether it’s setting up your own email server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that are one step ahead of institutional power. This is why cybercrime is still pervasive, even as institutional power increases, and why organizations like Anonymous are still a social and political force. If technology continues to advance—and there’s no reason to believe it won’t—there will always be a security gap in which technically savvy Robin Hoods can operate.
My main concern is for the rest of us: people who have don’t have the technical ability to evade the large governments and corporations that are controlling our Internet use, avoid the criminal and hacker groups who prey on us, or join any resistance or dissident movements. People who accept the default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. In the feudal world, these are the hapless peasants. And it’s even worse when the feudal lords—or any powers—fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it’s the US vs. the terrorists or China vs. its dissidents.
The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And 3D printers mean that data use restriction debates will now involve guns, not movies. It’s the same problem as the “weapons of mass destruction” fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives.
The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional power will get. This means even more repressive security measures, even if the security gap means that such measures are increasingly ineffective. And it will squeeze the peasants in the middle even more.
Without the protection of feudal lords, we’re subject to abuse by criminals and other feudal lords. Also, there are often no other options but to align with someone. But both these corporations and the government—and sometimes the two in cahoots—are using their power to their own advantage, trampling on our rights in the process. And without the technical savvy to become Robin Hoods ourselves, we have no recourse but to submit to whatever institutional power wants.
So what happens? Is a police state the only effective way to control distributed power and keep our society safe? Or is government control ultimately futile, and the only hope for society an anarchic failed state run by warlords? Are there even any stable possibilities between these two poles? I don’t know, but I do know that understanding the dynamics I’ve described in this essay is important.
We’re at the beginning of some critical debates about the future of the Internet: the role of law enforcement, the character of ubiquitous surveillance, the collection of our entire life’s history, the role of automatic algorithms that judge and control us, government control over the Internet, cyberwar rules of engagement, national sovereignty on the Internet, limitations on the power of corporations over our data, the ramifications of information consumerism, and so on. These are all complicated issues that require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that enable what is good in each while blocking the bad. It’s not clear we’re up for the task.
Today’s Internet is a fortuitous accident. It came into being through a combination of an initial lack of commercial interests, government benign neglect, military requirements for survivability and resilience, and computer engineers building open systems that worked simply and easily. Battles over its future are going on right now: in legislatures around the world, in international organizations like the ITU, and in Internet organizations like the IGF. We need to engage in these debates, or tomorrow’s Internet will be controlled only by those who wield traditional power.