Memo to the Leviathan

By Lawrence Lessig
The Standard

March 05, 1999

To: Mr. Assistant-Director
From: Lawrence Lessig [ http://www.thestandard.net/people/display/0,1157,1739,00.html ]
Subject: Regulating e-space

Sorry I missed your call. You sounded awful. You can't let this cyberspace stuff get you down. It's true that the Internet remains an essentially "unregulatable" space. But there are many ways to improve things. If you promise to keep these e-mails confidential, I'm happy to send some obvious suggestions along. Herein, two.

First: You must kill this open-source software movement. We've fooled people for a long time with the story that cyberspace could not be regulated. Of course, when it was populated by geeks, it couldn't. But geeks are harmless sorts, and it didn't matter then. The danger came when the "normal" people came to the Net. Only then did we have a regulation problem.

Commerce has alleviated this problem a little. I knew it would. We have slowly displaced the communal (read: communist) projects that built the Net – what Mike Godwin calls "Internet barn-raising" – with good, old-fashioned money. Commercial software has begun to dominate the Internet-application space, and this is key. We can't regulate "hackers" (I'm still amazed you did such a good job at changing the meaning of that word); we can regulate business. The more code business controls, the more we can regulate the code.

So why have you let this open-source software movement take off as you have? And with all this saber rattling about antitrust, why have you encouraged it? This should be obvious: If Internet software remains predominantly open source, there will be no way for you to regulate it. If you impose an encryption standard, it will be a trivial matter for people to take that piece of programming out. Or if you want to assure some identity tracking, the tracking code will be obvious in the source code. Open-source software is like the Freedom of Information Act for the Internet, except this FOIA would work. It would totally disable our ability to bend the Internet into the perfectly regulatable space it could be.

Second: The biggest obstacle to regulating cyberspace is not knowing who people are. This can be changed (too bad about the Intel debacle), and it is changing (Intel notwithstanding). Cookie files are becoming integrated into click-ad databases, which makes it easier to triangulate who someone is (reveal your ID in one place, and you reveal it in every commonly linked place). Profiling, too, is improving nicely. Thus, it is best to continue the rhetoric of "let the market take care of privacy itself." When the market does take care of itself, it will also take care of you.

But there is so much more you could be doing. What about giving digital IDs away? The General Services Administration is exploring the idea with a program called ACES. This is a great first step, but you must push it. What about a tax credit to people who use ACES? The more people who use it, the easier it will be to use the IDs for other purposes. (Remember that malarkey about Social-Security numbers not being used for identification? It took the prols 50 years to catch on.)

Better yet: You must encourage the market to develop these certificate technologies. People won't accept a government- mandated ID, but they won't think twice about a certificate from Sears. (You were right about how well the "public vs. private" rhetoric would sell; I would never have believed it.) For our purposes, it doesn't matter whether the certificates are public or private. Regardless, the more there are, the easier it will be to identify people and zone cyberspace based on identity.

But be warned: There will be some who will argue that certificates could be architected to protect privacy. That they could be built to certify facts (that I am a citizen) without also revealing identity (my name). Thus, the government's "legitimate" purpose, extremists will argue, could be served while respecting privacy.

Luckily, however, these more complex systems are not yet developed, and agreeing on standards will be hard. That's why it's such a good idea to press certificates now, before the civil-liberties community understands the threat. But you must move quickly.

More later. I've got to go make some more lawyers.

Lessig,
Handmaiden to the Leviathan.

Lawrence Lessig (http://cyber.law.harvard.edu/lessig.html) is the Berkman Professor of Law at Harvard Law School.

Copyright 1999