Remarks of Assistant Secretary Strickling at the Internet Society's INET Series

– As Prepared for Delivery –

I. Introduction

Last November, President Obama held an unprecedented town hall meeting with students in Shanghai, China. He was asked a question about the openness of the Internet and in response the President called himself a “big believer” in technology and the free flow of information. He referred to the lack of censorship by our government as a “tradition,” and added that “the fact that we have a free Internet or unrestricted Internet access is a source of strength, and…should be encouraged.”

One of the primary missions of the National Telecommunications and Information Administration (NTIA), the agency I run, is to develop and build consensus around policy approaches to realize the President’s vision of an Internet that is open for innovation and social progress, both domestically and globally. The Internet’s open, end-to-end architecture and the freedom of individuals to make full use of that architecture have fueled tremendous creativity, innovation, and economic growth. We wholeheartedly embrace the message of the Internet Society that the “Internet is for everyone.”

Preserving, enhancing and increasing everyone’s access to an open, global Internet is an urgent policy priority for the Obama Administration and, we know, for governments and communities all around the world. To that end, NTIA and others within the Department of Commerce recently announced the formation of an Internet Policy Task Force whose mission is to identify leading public policy and operational challenges in the Internet environment. While the Task Force is still in the process of receiving and analyzing input from many stakeholders, I want to share some views with you today about what I believe the history of the Internet and its many institutions can teach us about how to face the pressing Internet related public policy challenges that face the world.

II. The Challenge of Success: Internet Policy 3.0

Earlier this year I gave a speech at the Media Institute introducing the notion of Internet Policy 3.0. The gist of my message was that it was imperative for the sustainability and continued growth of the Internet that we preserve the trust of all actors on the Internet. I pointed out that:

• If users do not trust that their personal information is safe on the Internet, they won’t use it.
• If content providers do not trust that their content will be protected, they will threaten to stop putting it online.
• If large enterprises fear that their network will be breached over the Internet, they will be reluctant to take full advantage of the ability to link to their suppliers and customers.
• If foreign governments do not trust the Internet governance systems, they will threaten to balkanize the Domain Name System which will jeopardize the worldwide reach of the Internet.

And then I made what some in the community thought was an audacious statement—that government could play an important role to preserve and maintain trust in the Internet. The response was swift, strong and largely misinformed. A few proclaimed that the US government (or at least I) had rescinded its policy of leaving the Internet alone and that I was calling for the regulation of the Internet. One blogger even compared my speech to the extension of the Patriot Act and cited it as further evidence that the government wanted “to control the thoughts” of the population.

These very strong reactions illustrate the complexity of the challenges we face. To reduce these issues to a simple but false choice of choosing between regulation versus no regulation is really to miss the point.

No one better than the Internet Society knows that what made the Internet what it is today was really a function of who had their hands on the Internet. Specifically, it was a function of who joined the global voluntary efforts that led the creation of the Internet and the Web.

There’s nothing new about the fact that the Internet was created with the help of several key multi-stakeholder institutions. Those who were involved pursued certain design principles. Those design principles have direct policy impact. As the importance of the Web grows, it is imperative that we take maximum advantage of the successful Internet organizational models. We have a responsibility to assure our design principles -- our policies -- are producing desirable outcomes. And the challenge for governments today is to build on that cooperative, global, voluntary spirit. Perhaps government can find ways to help the growing list of Internet stakeholders participate in the development of not only technology, but also public policy solutions that address the Internet’s leading challenges. The model may not be new but what is new is the need to apply this model to a broader range of problems, not just technical or administrative, but also social and legal challenges.

III. Toward a Sustainable Interface Between the Law and the ‘Net – Building on Successful Multi-stakeholder Models

Facing Internet Policy 3.0 challenges will require the use of a broad spectrum of tools: some can be addressed purely by the private sector; many will require some combination of private sector, civil society, technical community and government cooperation with government either as convener or cajoler; and in just a few cases, maybe we will have to resort to laws or regulation to establish fundamental rules of the road. To understand how to deploy these different tools, we can learn a lot from the institutions and approaches that lead to the creation of the Internet and the Web. Let me discuss just a few examples.

A. Technical Institutions

The Internet Society, the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) are rightfully credited for developing the open platform architecture that has been the basis of the social and economic innovation that characterizes the Information Society today. Not only did these multi-stakeholder organizations build the technical foundations of the Internet, but they also pioneered innovative social institutions, embodied in the working groups and architecture boards of the IETF and W3C, that enabled people all over the world to contribute to and shape the Internet we have today.

B. Administrative Institutions

The viability of the Internet’s multi-stakeholder model was tested early on with the need to develop a globally scalable, open system to coordinate critical name and number resources. In what was then an ambitious experiment, the Internet Corporation for Assigned Names and Numbers (ICANN) was created in 1998 as a new approach to the important work of coordinating the technical management of the domain name system (DNS). A very thorough consultative process provided the basis for the development of ICANN and its core principles, which include: preserving the stability of the Internet; promoting market mechanisms to support competition and consumer choice; ensuring private sector leadership with bottom-up policy processes; and encouraging broad international representation. As ICANN continues to evolve, it must work to improve its accountability to its stakeholders and to the broader public interest. Still, it remains one of the foremost models in the world of private-sector led, multi-stakeholder collaboration. From our perspective, it is entirely appropriate that governments participate in ICANN, as they are critical to ensuring that decisions fully reflect the public interest. And we think it is equally appropriate that the role of ICANN’s Governmental Advisory Committee remains advisory.

C. Voluntary, Enforceable Best Practices

Online privacy is an example of the vital role that voluntary, global, multi-stakeholder activity can play in addressing Internet policy questions. Back in the mid-1990s, the agency I run today, NTIA, played a leading role, along with the Federal Trade Commission (FTC), in exploring options for addressing new online privacy issues. Commonly accepted history of privacy policy records that a self-regulatory approach was chosen. It is certainly the case that policymakers wanted to avoid squelching innovation and no one was really sure what privacy challenges would emerge. So, no sweeping privacy legislation was enacted. But to characterize government action taken ten years ago regarding privacy as ‘self-regulation’ is to miss the point. As privacy scholars are now pointing out, what emerged in the late 90’s was a combination of self-regulatory actions taken by the online industry, encouraged by the Clinton Administration, and backed up by broad enforcement authority at the Federal Trade Commission.

Major web sites agreed, at the urging of the FTC, to post privacy policies explaining how they use person information. While the FTC has no specific authority to make rules about privacy, it does have broad responsibility under Section 5 of the FTC Act to investigate and punish companies engaging in ‘unfair or deceptive’ trade practices. In this case, if a company posts a privacy policy and then proceeds to use personal information in more intrusive ways, it can be held accountable by the FTC. At the same time, the then-nascent online advertising industry got together to develop a code of conduct governing the use of personal information and that code became enforceable by the Federal Trade Commission under the same ‘unfair and deceptive’ authority. So, while the FTC did not engage in a traditional rulemaking, it formed a part of a hybrid public-private system in which there are a clear set of rules, enforceable by the FTC.

But how well has this model really worked in the privacy area and should we consider continued reliance on it? As experienced Web users, we all know that no one reads privacy policies. Even if you try, the results are disappointingly vague and confusing. If most individual web users don’t actual read and make choices based on posted policies, then what was the use of this effort toward transparency? Would engaging in a different process at the time, such as having Congress or the FTC enact a set of substantive privacy rules for Web companies to follow, have been preferable? The answer is no. The result of that focus on transparency during the privacy debates in the 90’s was to enable the development of a system or process in which advocates, regulatory enforcers, companies and their customers were able to engage in a dialogue about what constitutes acceptable privacy practice as measured by evolving customer expectations.

As privacy scholars Professors Deirdre Mulligan and Ken Bamberger (University of California, Berkeley I-School and Law School) recently wrote, this type of dynamic, hybrid system in which both private and public stakeholders participate may well yield actual privacy practices that are more responsive to evolving consumer privacy expectations than would a traditional rulemaking system. The rate at which new services develop, and the pace at which users form expectations about acceptable and unacceptable uses of personal information, is measured in weeks or months. We all know that rulemakings at agencies such as the FTC or the FCC take years and often result in rules addressing services that may be long abandoned. As we go forward with our privacy policy review, NTIA will be taking a close look drawing on these learnings to develop a path forward on these issues.

D. Laws

At the far end of the continuum of tools available to address Internet policy issues is the enactment of laws. While we must encourage the type of collaborative process that led to the privacy protections of the 90’s, we should not and cannot conclude that the Internet is beyond the reach of the law. But before we resort to legislative solutions to the challenges we face, we should look carefully at the impact of past statutory efforts. The story of early lawmaking with respect to the Internet is instructive. Very early in its life – in 1996, when less than one percent of the world’s citizens used it, the openness of the Internet was nearly nipped in the bud by the United States Congress. People remember that the Telecommunications Act of 1996 contained a far-reaching Internet censorship provision (the Communications Decency Act) that threatened to stifle both protected speech and legitimate commerce on the new medium before it was struck down by the U.S. Supreme Court. However, in the very same act, Congress also included a provision—Section 230—that I believe has contributed significantly in fostering the growth and evolution of the Internet.

Section 230 has been described as one of the most important guarantors of free speech on the Internet and has been responsible for securing the vibrant culture of freedom of expression that exists today on the Internet. Section 230 provides to Internet intermediaries immunity from liability arising out of content created by third-parties. This limitation on liability has enabled the creation of innovative services such as eBay and YouTube, which host content provided by others, without requiring that those services monitor every single piece of content available on their sites. Absent this protection against liability, it is hard to imagine that these services would have been as successful as they turned out to be.

I think it’s important to note, however, that Section 230 does not discourage responsible cooperation toward compliance with laws online. If illegal activity occurs online, such as the misuse of personal private information, the theft of a copyrighted work, or the intrusion into someone else’s system or network, Section 230 poses no impediment to the enforcement of our criminal laws or the pursuit of justice.

So in this one law, we have an example of one seriously bad policy and one that has helped the Internet develop into the marvel it is. The lesson here is to tread very carefully when considering legislation in this area.

IV. Internet 3.0 Public Policy Issues

So how do we apply these models to the Internet Policy 3.0 issues? First, let me go over the agenda of NTIA and the Internet policy task force. We’re focused on five principal issues: Privacy policy: Our focus at NTIA is to answer the question how can we enable the development of innovative new services and applications that will make intensive use of personal information, but at same time protect users against harm and unwanted intrusion into their privacy? Last week, the Internet Policy Task Force released a broad-ranging Notice of Inquiry. We are especially interested in views on the continued vitality of the hybrid regulatory model combining enforceable codes of conduct with backstop regulatory enforcement by the FTC. Has this model proven useful? Could it be extended to promote greater flexibility in cross-border flow of personal information while assuring governments trustworthy mechanisms to vindicate the rights of their citizens globally?

Child protection and freedom of expression: Here our inquiry focuses on understanding, as more children go online, how we can ensure proper targeting of law enforcement resources against serious crime while remembering that the most important line of defense against harmful content is the well- informed and engaged parent or teacher? Later this year, the Online Safety Technology Working Group, created by Congress and convened by NTIA, will issue a report on the state of the art in child protection strategies online and as part of the National Broadband Plan, we will be looking at the need to continue a working group in this area.

Cybersecurity: How do we meet the security challenge posed by the global Internet which will require increased law enforcement and private sector technology innovation yet respect citizen privacy and protect civil liberties? The Internet Policy Task Force has a cybersecurity initiative that will address these issues, particularly as they relate to improving the preparedness of industry for cyber attacks.

Copyright protection: How do we protect against illegal piracy of copyrighted works and intellectual property on the Internet while preserving the rights of users to access lawful content? NTIA and our sister agency at the Department of Commerce, the US Patent and Trademark Office, are beginning a comprehensive consultation process that will help the Administration develop a forward-looking set of policies to address online copyright infringement in a balanced, Internet-savvy manner.

Internet trade and the free flow of information: How do we work with U.S. businesses and other entities to understand the economic impact that restrictions on global flows of information have on U.S. trade and investment? The Internet Policy Task Force has just started looking at this issue and will be reaching out to stakeholders for views in the coming months.

In addition, we cannot ignore that administrative and organizational matters also impact the trust users have in the Internet. We’re involved in several of these matters.

ICANN: In our role administering the U.S. government’s relationship with the Internet Corporation for Assigned Names and Numbers (ICANN), how do we ensure that ICANN serves the public interest and conducts its activities with the openness and transparency that the global Internet community demands? Last fall, NTIA and ICANN set forth a permanent framework for the technical coordination of the domain name system and I am currently engaged in the first of those reviews to ensure that these commitments are carried out in full.

IPv6 adoption: Internet addresses are a critical component of the Internet infrastructure but currently used Internet protocol version 4 (IPv4) addresses will run out – by most estimates – in two years. The U.S. government is working on how to enable government systems to deploy IPv6, but how do we work with the American Regional Internet Registry (ARIN) and others to appropriately engage U.S. companies so they are aware of this important milestone? You will be hearing more from us about this in the near future.

DNSSEC: NTIA and its root zone management partners – ICANN and VeriSign – are in the process of testing Domain Name Systems Security Extensions (DNSSEC), at the authoritative root zone level to facilitate its global adoption. In the coming months, we expect to make DNSSEC at the root a reality by authorizing ICANN to publish the root trust anchor and VeriSign to distribute a validatable signed root zone. NTIA will issue a Public Notice to inform in advance you and others in the DNS community of this landmark achievement.

Finally, I want to address the importance of continuing the Internet Governance Forum (IGF) in its current form. IGF has proven to be a valuable venue for information sharing and international dialogue on Internet related issues, but its initial five-year mandate expires this year. Some have suggested that the IGF should continue, but in a modified format that would inevitably elevate the role of governments. I am concerned about this as changes that place one stakeholder group above another will ultimately undermine this model. We are dedicated to working with global stakeholders to ensure that the IGF continues as a truly multi-stakeholder venue.

IV. Conclusion

Every one of the issues I just identified shares two common characteristics. First, they are global in scope, raising questions about whether a single government or actor could provide comprehensive solutions if it wanted to. And two, they arise in the context of fast-changing technologies, marketplaces, and evolving patterns of social interaction, causing many who study these issues to doubt that traditional government regulatory processes can provide adequate, flexible responses. Nevertheless, if we are to preserve trust on the Internet, it is not an option for governments to merely sit by and hope that these issues will take care of themselves. Does that mean we should take a sharp turn away from the current approach to the Internet that the U.S. government has championed over the years?

Certainly not.

Rather, we should take a careful look at the unique multi-stakeholder, public-private models that have led to the success of the Internet and the World Wide Web and determine how best to bolster them to meet today’s challenges.

All of you can help. The Internet technical community has given the world an extraordinarily valuable gift: the Internet and the World Wide Web.

But your work is not done.

At the opening of the third decade of Internet policymaking, we are at an ‘all hands on deck’ moment. The policy challenges we must deal with are far broader than we have previously faced. In addition to continuing the necessary technical innovation of the Internet, the Internet community needs to work with governments and other stakeholders to share your knowledge about how to build flexible, sustainable, global multi-stakeholder institutions that can help the world face the social and public policy challenges of the global Internet environment. Thank you again for the opportunity to join your conference today and I wish all of you as well as the Internet continued spectacular success.