Harvard Law Review Harvard Law Review Harvard Law Review

Harvard Law Review Forum

We Couldn’t Kill the Internet If We Tried

Law, Privacy & Technology Commentary Series

There are many reasons people oppose government regulation of the various bits of software, hardware, and social glue that we call the internet. I write to respond to only one of these: the fear that regulation will have spillover effects and unintended consequences. Regardless of which side one takes in any number of debates about the regulation of the internet, one background view seems to be broadly held: law possesses the power to destroy the internet as we know it.

In communications law, net neutrality regulations are fearsome because they will kill investment in infrastructure.1×1. Larry Downes, Opinion, “Public Utility” Classification Will Destroy the Internet, N.Y. Times: Room for Debate (July 9, 2014, 5:25 PM), http://www.nytimes.com/roomfordebate/2014/05/15/whats-next-for-net-neutrality/public-utility-classification-will-destroy-the-internet [https://perma.cc/T3V2-742N]; Adam Thierer & Berin Szoka, The Day Internet Freedom Died, Forbes (Sept. 22, 2009, 12:54 PM), http://www.forbes.com/2009/09/22/fcc-internet-net-neutrality-opinions-contributors-thierer-szoka.html. Modest proposals to limit online discrimination or online hate speech will scare away innovators and dry up venture capital.2×2. See Scott H. Greenfield, Rep. Jackie Speier Finally Reveals Her Scheme to Destroy the Internet, Simple Just. (July 15, 2016), http://blog.simplejustice.us/2016/07/15/rep-jackie-speiers-finally-reveals-her-scheme-to-destroy-the-internet [https://perma.cc/7BQT-RE86]. Copyright law will destroy everything good on the internet,3×3. Mike Masnick, Lawyers: To Save Newspapers, Let’s Destroy Pretty Much Everything Else Good, TechDirt (May 18, 2009, 6:48 AM), https://www.techdirt.com/articles/20090517/0236594905.shtml [https://perma.cc/HP27-YX22]; Adam Savage, SOPA Could Destroy the Internet as We Know It, Popular Mechanics (Dec. 20, 2011), http://www.popularmechanics.com/science/a7378/mythbuster-adam-savage-sopa-could-destroy-the-internet-as-we-know-it-6620300 [https://perma.cc/QE7H-U9SW]. and limitations on encryption will too.4×4. Rob Price, Bruce Schneier: David Cameron’s Proposed Encryption Ban Would “Destroy the Internet,” Bus. Insider (July 6, 2015, 6:41 AM), http://www.businessinsider.com/bruce-schneier-david-cameron-proposed-encryption-ban-destroy-the-internet-2015-7 [https://perma.cc/LDP4-BN4W].

Apocalyptic predictions about the potential of regulation to kill the internet occur frequently in debates over proposals to protect privacy online. Critics warned that the modest self-regulatory effort to create a “Do Not Track” signal for the web would “kill the internet as we know it.”5×5. Julie Cohn, How “Do Not Track” May Hurt Businesses, Entrepreneur (Oct. 8, 2012), https://www.entrepreneur.com/article/224611 [https://perma.cc/ZKS7-HERG] (quoting Mike Zaneis, Senior Vice President and General Counsel for Public Policy at the Interactive Advertising Bureau). Opponents said something similar about a European measure to require consent for web tracking.6×6. Peter Kirwan, EU Cookie Law: Stop Whining and Just Get On with It, Wired (May 24, 2012), http://www.wired.co.uk/article/eu-cookie-law-moaning [https://perma.cc/UN7Z-RX5G]. Many people worried about the internet-wrecking potential of Europe’s modest implementation of the right to be forgotten in 2014’s Google Spain SL v. Costeja7×7. Case C-131/12, Google Spain SL v. Costeja, 2014 E.C.R. 317. decision.8×8. Wayne T. Brough, A European Decision that Could Dismantle the Internet, FreedomWorks (June 4, 2014), http://www.freedomworks.org/content/european-decision-could-dismantle-internet [https://perma.cc/H7SU-FYVG].

These fears are unfounded. The internet is a resilient, self-healing system, thanks to the power of code.9×9. Others who have made similar points include Natalie Wolchover, Could the Internet Ever Be Destroyed?, LiveScience (Jan. 20, 2012, 9:09 AM), http://www.livescience.com/18030-internet-destroyed.html [https://perma.cc/A7VD-HZPQ]. Professor James Grimmelmann connects the “break the internet” argument to Professor Albert O. Hirschman’s “jeopardy thesis.” James Grimmelmann, The Rhetoric of the Right to Be Forgotten, The Laboratorium (2d ser.) (Aug. 21, 2015) (emphasis omitted) (quoting Albert O. Hirschman, The Rhetoric of Reaction: Perversity, Futility, Jeopardy 7 (1991)), http://2d.laboratorium.net/post/127259057165/the-rhetoric-of-the-right-to-be-forgotten [https://perma.cc/YU7Y-ENET]. Software, as Professor Jonathan Zittrain points out, is a generative force unlike any other technology we have concocted to date.10×10. Jonathan Zittrain, The Future of the Internet: And How to Stop It (2008). In Zittrain’s powerful telling, generativity is something we need to work proactively to protect, opposing efforts — whether by private actors or regulators — to turn our general computing machines into dumb appliances.11×11. Id. at 8. My argument picks up where Zittrain’s leaves off, pointing out that this same generative power can act as an important check on the impact of regulation. An earlier observer of the internet, writing a decade before Zittrain, connected these dots between generativity and resilience in the face of regulation. In 1993, “[i]nternet pioneer” John Gilmore famously said: “The Net interprets censorship as damage and routes around it.”12×12. Philip Elmer-Dewitt, First Nation in Cyberspace, Time (Dec. 6, 1993), http://content.time.com/time/magazine/article/0,9171,979768,00.html [https://perma.cc/8SQK-SNVB]. This early-internet brag seems difficult to square with the way many today treat the internet as fragile and susceptible to destruction through law. I believe Gilmore’s quote is as true today as it was when he first said it. The power of software to evade regulation is more than up to the challenge.

How does software “route around” a regulation? Constrained by a regulation that limits some deleterious aspect of a software system, a solo developer with a few hours can engineer her way around the new rule. A massive team of developers backed by a corporation with endless coffers can remake a global infrastructure to wend its way around a regulation.

Focus on a single step in the lifecycle of software development: recompilation, the conversion of human-readable source code into machine-executable object code. From the point of view of a regulator of code, during the short amount of time it takes to recompile software, everything can change. In that time, a programmer can reshape small worlds. In this way, software is nothing like the industrial processes it has begun to replace. To effect massive, structural, fundamental change to an operating code base, software developers need not erect new scaffolding, dismantle old structures, or create new blueprints — at least not in any literal sense. Coders use metaphors for every one of those industrial-era phrases,13×13. Steve McConnell, Code Complete 8–21 (2d ed. 2004) (discussing the metaphor of software development as building construction). but we ought not be fooled by the metaphor. Coding is never easy, at least not at the industrial scale of today’s modern, multimillion-line codebases. But compared to the industrial processes it tends to replace, coding is far more efficient and far less onerous, in a strict change-per-effort ratio.

Consider, for example, the nearly perennial reports of the exhaustion of the 4.3 billion IP addresses specified by the internet’s earliest architects. Shortly after the birth of the web, the Internet Engineering Task Force (IETF) began planning for the eventual day when those four billion addresses would run out.14×14. See Address Lifetime Expectations (ale), IETF (Mar. 1995), http://www.ietf.org/wg/concluded/ale.html [https://perma.cc/MXD3-F8VX]. But engineers devised techniques such as Network Address Translation15×15. Informational RFC 2663: IP Network Address Translator (NAT) Terminology and Considerations, IETF (Aug. 1999), https://tools.ietf.org/html/rfc2663 [https://perma.cc/5J48-TLJ9] (specifying protocol that allows many internet-connected devices to share a single IP address); see also Lixia Zhang, A Retrospective View of NAT, IETF J., Oct. 2007, at 14. and Classless Inter-Domain Routing,16×16. RFC 1519: Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy, IETF (Sept. 1993), https://tools.ietf.org/html/rfc1519 [https://perma.cc/GBK7-UYMA] (specifying a system for allocating IP addresses to providers in smaller-sized groups). and some organizations returned gigantic allocations of address space.17×17. Carolyn Duffy Marsan, Stanford Move Rekindles Net Address Debate, Computerworld (Jan. 22, 2000, 12:01 AM), http://www.computerworld.com.au/article/89028/stanford_move_rekindles_net_address_debate [https://perma.cc/BL4Y-9CRH]. Today, the predictions of address exhaustion have quieted. Pundits predicted that email would die under the weight of spam.18×18. Kevin Werbach, Death by Spam, Slate (Nov. 18, 2002, 10:35 AM), http://www.slate.com/articles/technology/webhead/2002/11/death_by_spam.html [https://perma.cc/UX7C-DYFE]. It didn’t, thanks in some measure to a law, the CAN-SPAM Act,19×19. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699 (codified at 15 U.S.C. §§ 7701–7713, 18 U.S.C. § 1037). but thanks also to people who changed their software with Sender Policy Framework,20×20. Experimental RFC 4408: Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1, IETF (Apr. 2006), https://tools.ietf.org/html/rfc4408 [https://perma.cc/GCY9-QVHT] (specifying a protocol for making it more difficult to forge the originating address of e-mail). blacklists,21×21. Doreen Carvajal, Defending a Blurred Line: Is It Spam or Just a Company Marketing by E-Mail?, N.Y. Times (Oct. 16, 2006), http://www.nytimes.com/2006/10/16/technology/16spam.html [https://perma.cc/KF4C-DM4S] (describing the Spamhaus Project, which uses volunteers to place addresses associated with spam on a blacklist that automated email systems can use to block messages). and machine learning techniques.22×22. Paul Graham, Better Bayesian Filtering, PaulGraham.com (Jan. 2003), http://www.paulgraham.com/better.html [https://perma.cc/9AAD-ULED]. Some warned that the rise of YouTube and then Netflix meant that the internet would slow to a crawl.23×23. Farhad Manjoo, Will Netflix Destroy the Internet?, Slate (Nov. 2, 2010, 4:47 PM), http://www.slate.com/articles/technology/technology/2010/11/will_netflix_destroy_the_internet.html [https://perma.cc/8XQU-PJ8Y]. It didn’t, thanks to Content Delivery Networks24×24. James Niccolai, Behind the Curtain: How Netflix Streams Movies to Your TV, TechHive (May 22, 2014, 6:10 AM), http://www.techhive.com/article/2158040/how-netflix-streams-movies-to-your-tv.html [https://perma.cc/DTD7-XX57] (describing how content delivery networks reduce bandwidth usage for streaming video by storing cached copies closer to users); Scott Woolley, Netflix Will Ruin the Internet!, Fortune (Nov. 4, 2010, 10:49 AM), http://fortune.com/2010/11/04/netflix-will-ruin-the-internet [https://perma.cc/Z8S4-D4BQ]. and new contractual arrangements.25×25. Shalini Ramachandran, Netflix to Pay Comcast for Smoother Streaming, Wall Street J. (Feb. 23, 2014, 7:47 PM), http://www.wsj.com/articles/SB10001424052702304834704579401071892041790 [https://perma.cc/UE7A-F6J3] (describing deal improving quality of connections between Netflix’s and Comcast’s networks, to assure better streaming video performance).

But do these stories about the power to adapt to technological challenges continue to hold when the requirements come not from the market but instead from regulators? We can model a well-targeted regulation as a simple software requirement — a feature the software ought to have, or a behavior it ought not exhibit, or a challenge it ought to surmount. By abstracting away the fact that the requirement comes from a government body rather than a suggestion from a user or a technical hurdle, we can study the self-healing features of the internet that have occurred over the years.

Consider two examples of the resilience of code in the face of regulatory challenge. In the late twentieth century, the U.S. government sued Microsoft for trying to use its near monopoly in operating systems to unfairly harm competition in the new market for web browsers, by bundling Internet Explorer into Windows 95. Putting to the side the merits of the underlying antitrust case, focus on the clash over the remedy: mandated unbundling. Microsoft protested throughout the proceedings that it would be an expensive if not impossible task to pull out the scattered bits of code that comprised their browser. The government presented expert opinion to the contrary, pointing out that Microsoft could unbundle the browser with relative ease, if ordered to do so by the court.26×26. Margret Johnston, Gov’t Witness Shows Ways to Remove IE from Win 95, Computerworld (Jan. 14, 1998, 10:00 PM), http://www.computerworld.co.nz/article/517495/gov_t_witness_shows_ways_remove_ie_from_win_95 [https://perma.cc/US8E-HQS8]. In the end, Microsoft agreed to offer later versions of its operating system without a bundled browser, providing at least circumstantial evidence that its earlier objections were overstated.27×27. Richi Jennings, How Does Unbundling IE in the EU Solve the Problem?, PCWorld (June 12, 2009, 2:00 PM), http://www.pcworld.com/article/166606/how_does_unbundling_ie_in_the_eu_solve_the_problem.html [https://perma.cc/BXF3-SX3Q].

Then consider an example from a still-simmering fight over privacy, the fight for an enforceable right to be forgotten in Europe. The European Court ordered Google to recognize this right, removing entries from its search engine that satisfied a standard under this right.28×28. Case C-131/12, Google Spain SL v. Costeja, 2014 E.C.R. 317. Again, putting to the side the fundamental merits of such a right as well as the bureaucratic machinery necessary to adjudicate when the right should be recognized, consider only how little Google complained about the technological challenge. Granted, this is a far-from-straightforward story, as Google had already implemented code for deleting entries to comply with copyright takedown notices under the U.S. Digital Millennium Copyright Act (DMCA).29×29. Raegan MacDonald, Three Things You Should Know About the Google Spain Case, AccessNow (July 10, 2014, 5:26 AM), https://www.accessnow.org/three-things-you-should-know-about-the-google-spain-case (“[I]t is important to remember that Google in fact does remove content, de-indexes links, and otherwise alters search results for a wide range of purposes.”). It may be that Google simply repurposed that old code for this task. But even if Google had to implement its compliance mechanism from scratch, the code required likely would have been minimal. As importantly, given the generativity of code, Google could have implemented the change in a streamlined fashion. It could remove the content it was ordered to remove.

Software blunts the power of regulation, but it doesn’t inoculate itself entirely from law. Because people write software and because people are susceptible to things like subpoenas and prison cells, regulation can still be a terrible and powerful force. Gilmore’s “routing around” bromide implicitly acknowledged that internet regulation could have devastating local effects. The regulation will continue to operate on the people most directly within the sphere of the regulator’s power, and those people will be routed around too. To be routed around is to be isolated or left behind, to be excluded from the worldwide network-of-networks. If the regulation results in people being routed around because they are trafficking in caustic hate speech or invidious discrimination, this might be cause to celebrate. If instead the regulation squelches communications for oppressed people, we should worry. Local and direct effects matter a lot, and we should do everything we can to fight against internet regulation with harmful local effects. We still need to write sensible, targeted, and focused laws to fix the parts of the internet that are terrible.

This doesn’t mean we should stop debating the regulation of the internet and start enacting every idea any policymaker has, of course. To wade into very controversial waters, my argument means that SOPA30×30. Stop Online Piracy Act, H.R. 3261, 112th Cong. (2011). and PIPA31×31. Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011, S. 968, 112th Cong. probably would not have blown up the internet as we know it.32×32. But see Mark Lemley, David S. Levine & David G. Post, Don’t Break the Internet, 64 Stan. L. Rev. Online 34 (2011); Julie Borowski, SOPA and PIPA Would Destroy Internet Freedom, FreedomWorks (Jan. 13, 2012), http://www.freedomworks.org/content/sopa-and-pipa-would-destroy-internet-freedom [https://perma.cc/QRS5-44JV]. But I’m still very happy these very bad laws were defeated because they proposed very bad solutions to an exaggerated harm, resting atop really bad copyright policy, in a manner that was very badly implemented.33×33. See The Berkman Community Responds to SOPA/PIPA, Berkman Klein Ctr. for Internet & Soc’y at Harvard Univ. (Jan. 18, 2012), https://cyber.harvard.edu/node/95336 [https://perma.cc/Z6YY-2CS3] (collecting responses to SOPA and PIPA). The world and the internet are much better without these toxic laws. But the internet would’ve routed around those laws, too, just like it’s routed around other bad copyright laws in the past and will do so in the future.

Regulation can shape the internet, but it is not likely to kill it. If they are wisely designed, net neutrality laws will take a few narrow and innovation-dampening business arrangements off the table; antidiscrimination laws will decrease discrimination; and anti–hate speech measures will decrease hate speech. But the parts of the internet these laws do not directly touch will remain, as ever, generative, burbling founts of innovation and dynamism and economic growth.

The same goes for privacy law. Google responded to Costeja without catastrophic spillover effects or unintended technological consequences. The web survived the EU cookie directive and the FTC’s 2012 rules regulating the Children’s Online Privacy Protection Act of 199834×34. Pub. L. No. 105-277, tit. XIII, 112 Stat. 2681-728 (codified as amended at 15 U.S.C. §§ 6501–6506). (COPPA). The internet will continue to thrive even if the FCC enacts a bold new privacy rule, and even once Europe starts enforcing the new General Data Protection Directive. If the local effects of these regulations are wise, and I happen to think they are in each of these cases, they will accomplish what they set out to accomplish, and the rest of the internet will route around the changes they effect.

Regulators should shake their reluctance about taking important actions to address serious problems leading to true harms if their reluctance is based on fears of breaking the internet. The internet’s essential character and software core make it a powerfully resilient, self-correcting machine. Regulation is still today seen as damage and routed around. Regulatory action will get cauterized, and healthy internet corpora will grow around the wound. Regulators need to move decisively and aggressively to restore their role in the evolution of the internet. This is powerful support for many privacy-related initiatives.

Let’s change the internet, for the better. Let’s encourage countries and states to serve as laboratories of change, testing theories for what might be a better internet or a worse internet. Let’s stop treating the internet like it’s a fragile figurine that we might break through rough handling. We couldn’t kill it if we tried.

 


* Professor of Law, Georgetown University Law Center. Thanks to James Grimmelmann and Alicia Solow-Niederman for their comments. Thanks to John Douglass for research assistance.