This document provides a framework for analyzing the relationship between Web architecture and governance (policies, laws, regulations, and other ways of societal control), including the implications of each for the other.

This document was based on a contribution from Janaki Srinivasan, UC Berkeley, and Larry Masinter and Peter Secor, Adobe.

Introduction

"It is becoming increasingly evident that the Internet as a rapidly-evolving and inherently global medium, needs quick-footed and timely global solutions and policies, not divergent and fragmented national policies."[[INDIA-UN]]

This document is about the relationship of Web technology and governance: public policies, laws, regulations, and other ways society imposes control.

Governance affects architecture: The Internet is a central communication channel for today's society. Use of the Internet and Web, and of services built with them, is subject to legislation, regulation, contractual obligations, and other expectations. Rules established to accomplish governance goals often have architectural implications for the systems and services used; for example, an obligation to keep records requires system data paths to gather the required records; an obligation to avoid publication of certain categories of material requires some means of distinguishing wanted from unwanted content.

Technology often does not fit previous governance models: To be effective and implementable, rules, regulations, laws and expectations need to align with the technology to which they are intended to apply. However, new technologies often allow novel communication means, where the causality, responsibility, speed of access, and distribution policies are widely different from those available in non-Internet communication. A mismatch of governance and actual usage often leads to mandated requirements which cannot be easily and consistently interpreted.

Local governance vs global internet: The Internet is global: to be "on the Internet" is to potentially interact with anyone in the world. Governance in almost all of its forms is, to some degree, always local and geographically based. Often, the requirements on services to be practical, usable, and legal in a given jurisdiction imply architectural and implementation choices. Requirements often vary across jurisdictions. When requirements are in conflict, it limits the potential for growth and can even create situations where providers of Internet content or services face criminal liability.

Standards can help reduce governance mismatches: Standards can play a role in reducing the differences, or at least the uncertainty, and the impact on service providers. For example, accessibility standards from W3C have allowed different jurisdictions to adopt more consistent or more understandable requirements and policies for accessibility of content, content-creation software, and access. While Web standards are voluntary, standards also provide vocabulary.

This document is just an introduction: This document provides a framework for analysis of the impact of cross-jurisdictional governance models on Internet service features. The framework is multi-dimensional. Section "Governance areas" lists some areas of public policy, legal or regulatory or contractual requirements. For each, it gives an overview of the requirements and jurisdictional differences. Section "Technology Areas" lists some different kinds of product or service features and the impact of regulation on those features.

Web and Internet: The document focuses on areas of interaction between the Web and governance. The boundary between the "Web" and the general use of the Internet for user services is blurry, and much of the framework would be useful when considering the interactions of governance with non-Web Internet uses such as telephony.

Governance areas

To understand the interaction of governance and technology, it is useful to enumerate some of the major areas where governance and technology have had difficulties. This section reviews some of those areas.

Privacy

The Internet allows an unprecedented opportunity for gathering, distributing, and otherwise using information about individuals that might otherwise be considered "private". The increased capabilities, along with the difficulty of understanding the impact of technology choices, have led to increased legislative concern for privacy. Simply put, "Privacy" can be defined as "the right to control who knows what about you, and under what conditions." All of these aspects (what is known about you, who knows it and in what conditions) are important in discussions of privacy on the Web. Individuals might be concerned not just with what governments and corporations know about them, but also about the conditions in which they come to know it. For example: individuals may be concerned with whether data collection happens with their consent and awareness; whether this data will be used to track them; who will retain the data, whether it will be passed on to other entities (third party tracking), and who else can see it. A key reason for the concern with privacy in recent times has to do with the sheer volume of data (including that which can be considered "personal" or "sensitive") that is being gathered, shared, or made public by individuals, whether through social networking platforms, e-governance transactions, ecommerce transactions or government surveillance.

As in any other domain, regulating/ensuring privacy on the web involves tradeoffs. For example, there is a tradeoff between privacy as a value, and the benefits that can accrue from adapting based on increased information. Making information public often is a public good, for example, in cases where public records or figures are concerned. An emphasis on ensuring privacy might be used to justify censorship. Requirements based on "national security" and "public order" might conflict with privacy.

The expectations around privacy and free expression vary widely between cultures; this may be the basis for some of the wide variability. The European Union, for example, has a comprehensive privacy law. The US has domain-wise privacy laws. India has none. There's also great variety in the actors involved in the privacy debate, including governments, corporations, consumer rights and other civil society organizations, besides individuals who have been personally affected.

Copyright

Copyright covers the general area where the creators of a work have rights allowing them to limit the distribution and reuse of their work, or to license its use. Piracy is the practice of obtaining and redistributing works without regard to limitations placed on such distribution by the copyright owner.
Both technological tools (such as digital rights management) and policy regulations (such as copyright law and proposed amendments) have been deployed to better control how digital works and content are obtained, shared and distributed.

DRM and copyright laws have been very controversial, with the companies that use them claiming that they are merely preventing copyright infringement and maintaining artistic control, while others argue that such practices restrict legitimate use and stifle innovation and competition. The primary tradeoff that is involved in legislating copyright and piracy, then, is between restricting access to content and making content widely available.

Copyright laws and the prevalence/definitions of piracy vary around the globe. The US has the Digital Millennium Copyright Act (an amendment to the US copyright act) and more recently, there was a move to pass SOPA and PIPA. Besides these, John Doe orders -- blanket orders to prevent the sharing of certain content -- have also been used to control access to content, especially newly released movies, in India. Besides states, media production houses and civil society actors have been involved in creating and resisting many of these regulations.

Censorship

Censorship is concerned with restricting unwanted content. Content can be unwanted for many reasons: it is considered offensive (pornography), seditious, defamatory, or otherwise considered harmful to society. As the availability of content that can be easily shared across large populations increases, attempts at censorship have also increased. Recent news from China, India and the US indicates that there is an increase in demands to remove/take down content.

The most visible tradeoff involved in censorship is between censorship and freedom of speech; this tradeoff has been dealt with differently within different jurisdictions. While freedom of expression has been upheld as a right, censorship may be permitted in order to maintain "public order," to avoid offending the sentiments of a specific demographic, and a variety of other reasons that would differ according to the laws of a jurisdiction. Who is held liable for offensive content, who needs to take action on it and what action needs to be taken, consequently, are also different across jurisdictions.

Accessibility

There is growing concern about making/keeping the web accessible to individuals with disabilities. Web accessibility includes making content and interfaces accessible, as well as providing tools that are accessible. The requirements for web accessibility vary considerably across countries in terms of scope of coverage and the type of policy that governs it. In many countries, web accessibility is mandated only on government websites, while in others, private sector sites too have to be made accessible. The strength of policy also differs, with legislation to ensure accessibility in some countries, while others only have guidelines. Moreover, while countries may broadly subscribe to the Web Content Accessibility Guidelines and Techniques (WCAG), their accessibility laws are also shaped by country-specific disability legislation.

Open Data

The idea of "open data" -- or making data easily available -- has several components. Openness can refer to the public accessibility of databases, but also to data reusability (open formats, machine readability and openness by law) and understandability (through the provision of metadata and annotations if required) (Wright et al. 2010). Open data has been hailed as a way to promote efficiency, transparency and accountability in transactions. While openness has been invoked primarily in connection with government data, it has also come up in the context of financial disclosures in the private sector. As with the earlier themes, open data is seen as an important concern in view of the volume of digital data being generated, especially in e-governance initiatives across the globe.

The choice to make data "open" might conflict with a right to privacy. This is especially so in cases and places where data anonymization is uncommon. Another aspect that needs to be considered in discussions of technological openness is whether a non-proprietary technological option (e.g. format) even exists. In its absence, proprietary technology formats may sometimes be adopted with a caveat that the technology will be replaced with an open technology once that becomes available.

The tradeoffs involved in making data "open" can thus vary tremendously across jurisdictions, depending on prevailing privacy laws, Freedom of Information (Right to Information) laws and, especially in the context of governance, on local data gathering and sharing procedures.

Data sovereignty

All of the governance areas above are implicitly concerned with the question of data sovereignty. Given the variation in laws concerning web transactions, it is critical to understand what laws govern these transactions at any point in time. However, this is not always easy to trace or resolve, since it is not easy to pin down where content or a transaction "resides," especially where cloud solutions are concerned. For instance, if a person in India downloads data using a service offered by a company that has its headquarters in the US, and servers in the EU, is that data subject to Indian, US or EU regulations of privacy, copyright or censorship? In addition, some jurisdictions may also have regulations on specific categories of records that need to be maintained or examined by law enforcement agencies in that jurisdiction for reasons including "national security." If these are in conflict with a service provider's guidelines or even with other laws within the jurisdiction (most commonly, a right to privacy or data protection laws), how will the conflict be resolved and who will resolve it?

Preserving data sovereignty has thus emerged as a key area of concern, especially where cloud services are involved. The use of private, public or hybrid clouds has sparked debates in many countries. This is true especially for cloud use by the public sector, but has also included private sector use. A variety of actors, including states, the corporate sector and civil society advocates, have all been involved in these debates in different countries.

Security

.... requirement to keep data secure, contractual obligation, liability for losing passwords...

Law Enforcement

... requirements to keep records, allow government to subpoena or request information

Policy consequences

The consequences of selling products and services on the web that do not comply with governance requirements can range widely.

Technology areas

Different governance areas affect Web product and service features in different ways, depending on the nature of the clients to which the product or service is offered. For example, in many jurisdictions, a product sold to a government will have to comply with more stringent rules than products sold to the private sector. For example, governments might be required to use non-proprietary data formats where possible. Selling directly to individual customers vs. to a group that then sells to individual customers also modifies which features are affected by regulatory standards and how. Example: cloud based services?

Product and service features in the web space can be broadly classified as those related to user behavior and those related to user content.

Architectural implications

Publishing and Linking

Cookies

Traffic analysis

Trust

Identity management