Self-Regulation After WGIG

Peng Hwa Ang

Back in the early days of the public Internet, circa 1994 to 1996, self-regulation was touted as the preferred mode of regulating the Internet. As the Internet Law and Policy Forum (ILPF) observed: “The recurrent mantra was that, ‘the Internet should not be regulated by the government, but should be self-regulated instead.’ Everyone was talking about self-regulation as the obviously preferable alternative to government regulation…”¹

These were the euphoric days of the Internet, a precursor to the dotcom boom of the late 1990s, when the Internet and those who ran it could do “anything”. It was the time of John Perry Barlow declaring cyberspace to be independent of government.² Self-regulation—regulation of industry not by government but by industry—was seen as the best and most enlightened mode of regulation.

In practice, however, this meant, as the ILPF noted: “as far as was evident from these discussions, ‘self-regulation’ equaled lack of government regulation.”³ Indeed, there were, and there still are, those who insist that the Internet should not and cannot be regulated and that therefore governments have no role in regulation. Instead, industries would do the work of government.

Self-regulation occurs when regulatory authority—the power to create and enforce rules—is formally delegated to a private entity. Sometimes, to ensure compliance, the punishment for non-compliance may be meted out by the formal regulatory authority instead of the private body. This in fact is the understanding of self-regulation in the Bertelsmann Foundation’s 1999 study on Internet content when it also called for some government regulation.⁴ That understanding of self-regulation was criticized by the Center for Democracy and Technology as being “an exercise in informal state action”.⁵ But that is precisely what self-regulation is: an exercise in delegated state action.

The question addressed in this chapter is, what happens to self-regulation now that, with the spotlight shone by WGIG on regulation and governance, governments are likely to play a bigger role?

What is Self-Regulation

To begin at the beginning, there are various modes of regulating all of human activity including the Internet. As Lessig has summarized, four such modes are:

• social norms (by expectation, encouragement, or embarrassment),

• markets (by price and availability),

• architecture (what the technology permits, favours, dissuades, or prohibits),

• laws (by government and private sanctions and force).⁶

In this typology, self-regulation would be a “sub-mode” under the mode of “laws”. Larry Irving, the former US Assistant Secretary of Commerce, has noted that the definition of self-regulation varies:

At one end of the spectrum, the term is used quite narrowly, to refer only to those instances where the government has formally delegated the power to regulate, as in the delegation of securities industry oversight to the stock exchanges. At the other end of the spectrum, the term is used when the private sector perceives the need to regulate itself for whatever reason—to respond to consumer demand, to carry out its ethical beliefs, to enhance industry reputations, or to level the market playing field—and does so.⁷

In other words, the historically narrow view of self-regulation as a form of delegated authority has to give way to a broader conception where non-government entities take it upon themselves to regulate with or without the formal backing of government.

Conditions for Self-Regulation

In order to ensure that self-regulation is applied in the right context, it is important to understand the conceptual underpinnings for why self-regulation may be a good mode of regulation for the Internet and when self-regulation works best.

The most significant reason for using self-regulation as a preferred mode of regulation is that the Internet is a new technology that is still evolving. This means that any regulation that assumes certain behaviour on the part of the users may be outdated by the time the legislation is passed. As a rule of thumb, legislation should trail, not anticipate, new technology. One example of why legislative trail-blazing is a poor idea is in the area of digital signatures: the technology-specific laws passed by the first movers, the US state of Utah and the Southeast Asian nation of Malaysia, have been made obsolete by new technologies.

Self-regulation, because it is done by industry, can adapt to changes in a fast-evolving industry much more quickly. In its report on self-regulation in e-commerce, the European Union cited as potential advantages the following:

• it is dynamic, being able to evolve according to need;

• it is adaptive, being less tightly constrained than is legislation;

• it is faster to implement than legislation;

• it can be made sector-specific based on common underlying principles;

• it can apply to a global community across national jurisdictions;

• it is easier to enforce within the “club”;

• industry involvement may make self-regulation more relevant;

• it can respond to market forces;

• the burden of cost falls on those with commercial interest and saves government funds.⁸

While conceptually true, whether the advantages materialize will vary depending on context and circumstance. So for example, the author has been involved in a self-regulatory effort where proposed updates to the rules took many years to be passed.

The Australian Consumers Association, reporting to an Australian Taskforce in Industry Self-Regulation, observed that self-regulation works best when the following elements are present:

• A small number of large players. Some studies suggest that self-regulation work well when the group of asserting the self-regulatory power is relatively small and cohesive. Ideally, the industry association would be active and cohesive and embrace much of the industry players so that enforcement is easier.

• Motivated industry. That is, industry must be willing to police itself. Voluntary self-regulation can have little effect where there are companies that are not prepared to participate.

• Maturity in the market. An industry that is stable in its infancy will not be motivated to self-regulate because many of its players will be fighting competitive battles.

• A government regulatory backstop. Because self-regulation involves industry policing itself, there may be the recalcitrant offender who refuses to abide by the industry norm. To be most effective therefore, a government regulatory backstop will be helpful to take care of such instances. ⁹

The Taskforce also concluded that self-regulation works best when there are clearly defined problems but no potential for high risk of serious or widespread social harm, so that the failure of self-regulation imposes no great damage.¹⁰

Self-Regulation of the Internet

So where does the Internet stand in terms of the above conceptual framework? Well, the industry is highly competitive in many areas; many aspects of the Internet are still in their infancy; and, perhaps most challenging of all, the industry is disinclined toward regulation. This means that conceptually at least, it would be more difficult to use self-regulation as a mode of regulating the Internet.

This is not to say that self-regulation can never work at all for the Internet. A particularly successful model is the Internet Engineering Task Force (IETF) where industry players meet to set technical standards for new technologies. However, the important distinction is that there are more factors in favour of self-regulation: the players are motivated to self-regulate and there are typically only a few players directly involved in the process. And in place of officially-mandated sanctions from government, the penalty for non-compliance with an IETF standard is the electronic equivalent of the death penalty—the device does not work and the user is denied existence in cyberspace. And so the success of the IETF will, in all probability, lead to its continued existence as a self-regulatory forum.

The Internet Corporation for Assigned Names and Numbers (ICANN) is also a form of self-regulation although there the nature of the organization is such that its link to government is more overt. Like the IETF, those directly involved with domain names are motivated to self-regulate and the number of players although potentially large is fairly well-defined. And like the IETF, non-compliance with ICANN standards and policies is likely to lead to the electronic death-penalty—failure to get onto cyberspace.

Interestingly enough, because of the nature of the sanctions on non-compliance, both the IETF and ICANN do not really need a government regulatory backstop. That is, both entities can, at least conceptually, stand on their own. Of course this assumes that there is proper governance should they be left to run on their own.

The Internet Governance Forum proposed in the WGIG Report would not be a self-regulatory body because as proposed the body would not have any enforcement powers. It would merely be a gathering to exchange views and share best practices.

For other aspects of the Internet, self-regulation would be a more difficult mode of regulation to apply. In areas that have been defined as criminal, such as child pornography and consumer fraud, self-regulation has very little place. Much of the action is taken by the national police with international police cooperation.

For acts that have yet to be universally defined as criminal, such as spamming and invasion of online privacy, much will depend on how the harm from those acts are perceived. Keeping in mind the legal maxim that the law does not deal with the trivial, it would not make sense for industry to stand in the way when Internet users are sufficiently bothered by such acts to petition for laws because by that time, the problem would be such a magnitude that the cost and liabilities are likely to be high.

Privacy protection is a tricky area in light of concerns about terrorism attacks. Until the September 11, 2001, terrorist attacks; it looked like the European view that privacy protection should be comprehensively safeguarded through legislation would prevail. The US approach had been and still is to adopt a sectoral approach where privacy protection standards vary by the industry. Conceptually, based on the factors listed above, it is possible to have self-regulation of privacy protection on a sectoral basis. It is easier to get a small well-defined group of players than for all the corporations of a country to be interested in self-regulating. After September 11, 2001, the perceived harm from invasion of privacy is deemed to be much less than a failure in security. So not surprisingly, the weaker privacy protection under self-regulation in the US will likely continue. The European approach of comprehensive legislation for privacy protection will therefore be slower to be adopted.

However, in areas that attract criminal liability, it is possible for industry to play a self-regulatory role. For example, the European ISP Association has a hotline service to tip off law enforcement agencies that illegal content is in their jurisdiction. Such a hotline could supplement criminal laws regarding the Internet. But these areas will be few and will have to be well-defined.

Conclusion

There was a perception by some in the Internet community even before it was completed that the WGIG Report would strengthen the hand of governments to regulate the Internet. To some extent the Report will do that because it highlights significant areas of the Internet that need special attention in governance, which includes regulation. And it is because the areas highlighted by the WGIG are significant that governments are likely to regulate or exercise governance. Certainly in the current climate where the US government is concerned about security, regulations regarding the Internet in the US are more likely to be promulgated by Congressional legislation than industry self-regulation. Any industry body, almost by definition, will take a measured approach in weighing the pros and cons of regulation, even where there are concerns about security.

Having said that, Governments are also aware of the attendant cost—both financial as well as the spillover impact—of legislation. Such self-regulation requires an industry literally prepared to pay the price. Self-regulation is cheaper and faster than legislation. But it is not necessarily cheap or fast; there are some real financial costs. In all probability organizations that work well with self-regulation, such as the IETF and ICANN, can remain self-regulated, but with some form of government oversight.

It should be borne in mind that the goal of the WGIG Report is to highlight issues preventing an enabling environment for the development and diffusion of the Internet and, ultimately, of society. So governments that legislate injudiciously, and their societies, will end up poorer.