Server Side 1: The Industry Threat Landscape With David Snead
Looking to catch up on the critical issues affecting the Internet’s infrastructure without the exhaustive research? Every month, i2Coalition Co-Founder and Executive Director Christian Dawson sits down with experts to discuss issuing facing the Internet and its future. Topics include Intermediary Liability, Internet Governance, Abuse Reporting, Standards Setting, Privacy, Cyber Security, industry social issues, and more.
This interview has been edited for length and clarity.
Christian Dawson: Welcome to the first monthly entry of this new content series. To kick off we’ll be discussing an overview of the biggest issues that could lead to industry disaster. We’ll show why that’s not hyperbole. Internet infrastructure businesses must become more involved in policy or run the very real risk of losing the industry as we know it.
Joining me is i2Coalition Co-Founder, my friend, former Board Chair, current Policy Chair, cPanel General Counsel, and Internet infrastructure lawyer for over twenty-five years, David Snead. David thank you for joining us.
David Snead: Hello there.
Christian Dawson: You and I have been working on policy issues through the i2Coalition for some time now. How long has it been?
David Snead: Six?
Christian Dawson: Six years. We could do several entries in this series on the fights, the things that we have done to keep the Internet free and open during that time. The goal of this new series is to focus on current threats, but in a future entry, I’d like to come back and do some history. The two of us. People might enjoy that. For now, let’s cover our overarching approach that has made our policy efforts successful.
David Snead: That’s something that distinguishes our organization from a lot of other organizations. There are three things that make us an interesting and effective policy organization for our members. The first is that the organization is completely member driven. When I say member driven, what I mean by that if there is an issue that is important to a member they can bring it to the organization. We’ll then take it forward. That is different than most organizations where you have various specific issues championed by staff members.
Second is that by and large, we are very collaborative. The organization leverages its resources by working with other analog organizations. In fact, some organizations that aren’t even involved in Internet policy. We also take advantage of the member resources we have pooled. This allows us to have a greater voice than the industry would have otherwise.
Third is that we have controlled and low overhead. Due to this, the majority of the funds that raised actually go into advocacy and advocacy issues.
Those are the three major aspects of our approach that have made our efforts successful.
Christian Dawson: I agree with all those things. You’ve encapsulated all those well. We’ve come together as an industry and built a unique organization to fight some real dangers to the Internet. From an overarching perspective, can you talk about some of the major threats in the Internet’s current path?
David Snead: Sure. I will highlight two that I think are very important for us to think about and actually threaten to undermine the industry as a whole.
The first is an effort to change the allocation of liability across the Internet. Currently, those who create and consume content are responsible for their actions. If you create a piece of content that is contrary to law, you’re responsible for that for that piece of content. This is important because the laws that address copyright, trademark, hate speech, and other intermediary liability issues weren’t designed with intermediaries like Internet infrastructure providers. Laws allocating intermediary liability have created a bright line, allowing people to understand their rights and responsibilities around content creation and content consumption.
The second big issue is an unwillingness or inability of the U.S., Europe, or other industrialized democracies to advocate for an open Internet. That is the Internet that we understand today: rules agreed upon by industry, by the government, by civil society, and by the users govern the Internet today.
This plays into the broader issue of Internet governance where we’re invested in the multistakeholder model of Internet governance. I would argue that model underlies our current, open, collaborative Internet. We work with the U.S. and European governments to ensure they understand the importance of that view. We also provide those who would advocate for this approach to the Internet the resources and support they need. We’re firm supporters that the multistakeholder model is beneficial for citizens, civil society, business, and governments as well. These are the largest issues challenging our industry right now.
Christian Dawson: These are very important issues that we need to take seriously.
David Snead: They are things we are taking very seriously. Especially, the threat to intermediary liability.
We understand our responsibility as citizens and as businesses. We also understand that it is not realistic to impose on intermediaries obligations that are not imposed on other forms of communication. Proper intermediary liability protections are foundational legal blocks of the open Internet.
Christian Dawson: Could you give some details on the current fight for intermediary liability going on in the United States right now?
David Snead: Sure. There are two large issues with intermediary liability in the United States.
I’ll start with one that is pretty quick to discuss, the role that intermediary liability has played in U.S. trade negotiations for many years. In their negotiations for multilateral trade treaties, the U.S. government has included an obligation that participants include intermediary liability in their laws. There is a possible weakening in that obligation.
The second is a weakening of standards allocating intermediary liability. This weakening is due to alarming potential changes to Section 230 of the Communications Decency Act, the law that created the U.S. standard on intermediary liability. The U.S., Congress has passed, and the President signed, a bill that makes changes to the allocation of liability under Section 230.
What this new law will do is give victims of human trafficking the right to sue intermediaries, in some cases, for facilitating human trafficking. It also gives states and their attorney generals the right to sue intermediaries for facilitating human trafficking.
When we were looking at this legislation we were very concerned about the probability that it would lead to significant liability for infrastructure intermediaries due to the term “facilitating.” It is not defined in this legislation. Using a term that is not very well defined removes the certainty that infrastructure providers have seen in their businesses. Until now we had clear, black lines around liability. This may change the way that infrastructure providers look at content, making them more proactive in removing content that as a result of this new law have the real possibility of undermining their businesses. In the future, those with business models not proven or well understood may find themselves disabled by infrastructure providers not willing to take the liability risk of providing services to those who may run afoul of the law.
Christian Dawson: We’ve already seen Craigslist take down some their content to avoid that liability. They likely wouldn’t do that if there wasn’t a real danger attached to that.
David Snead: That is the first example of how the law is going to impact people. We’re first going to see it on the consumer-facing side. Companies who provide services to Craigslist have likely begun analyzing whether they want to assume the risk of doing so. It may mean they would be “facilitating” human trafficking. This is a big concern. At the top of the discussion you asked why companies should get involved in policy, this is a very concrete example of why. This law creates new risks for your business and you will have to adapt your analysis of risks.
This is a good example of the business impact of laws and the process of lawmaking. The i2Coalition makes it possible for your company to provide input on how the making of these laws.
Christian Dawson: David, when we are talking about the threat landscape, I noticed we didn’t mention net neutrality. Could you talk for a moment about that?
David Snead: Sure. The i2Coalition looks at net neutrality in three ways. We look at issues related to blocking, we look at issues relating to throttling, and then issues related to paid prioritization. Net neutrality for the i2Coalition doesn’t mean the same thing net neutrality means in a consumer context. Our position may not even include the last mile.
We’re looking at net neutrality issues created by companies whose desire is to control access to the Internet. They’d like to create impediments to small businesses. We’re talking about preventing two guys and a server in their grandma’s basement from getting online. Those who favor a non-neutral Internet often want to create in themselves a role of economic gatekeeper.
Our primary attention is on U.S. net neutrality issues. We have come to the conclusion that Congress will need to act to ensure a net neutral environment. However, there are concerning net neutrality proposals in Canada as well. We also continue to look at the larger field. Some multinational organizations like the Internet Telecommunications Union (ITU), seek to change the way that the definition of net neutrality. We’re active in all three areas of net neutrality.
Christian Dawson: Another issue that we focus much of our time and advocacy on is government access to data. What we would frame in the U.S. as a Fourth Amendment warrant for content. Could you talk a little bit about our efforts toward clear definitions in that space?
David Snead: Sure. Around the world, the U.S. Fourth Amendment is the gold standard on for measuring government access to data. The Fourth Amendment requires the U.S. government to have a warrant to access data. Our goal is always to support the Fourth Amendment. We want to ensure the inclusion of the Fourth Amendment and similar standards in all laws that allow a government to get access to data.
In the work that we’re doing, we see two issues, but they’re somewhat intertwined. It’s how governments access data stored abroad. I’ll refer to that referred to as the “Microsoft Ireland case.” The Microsoft case is still pending before the Supreme Court has not been resolved.The Microsoft Ireland case involves whether or not a U.S. headquartered provider has to comply with a probable cause warrant for data it administers outside the U.S. That would be Microsoft in this case. In underlying litigation, the i2Coalition submitted amicus briefs. We are supporting Microsoft’s position, in this case, that the U.S. government should not be able to access data that is not in the U.S., based on a U.S. warrant. We’re waiting to see how that will resolve.
To address issues raised by the Microsoft Ireland case, Congress passed the CLOUD Act. The CLOUD Act authorizes federal and state judges to issue warrants compelling companies to disclose content that stored outside the U.S. The location of the user is not considered, provided certain met standards. The U.S. must also have entered into an agreement with the country making the request. The Department of Justice evaluates whether to enter into these agreements based on a complex analysis of whether the country provides sufficient protection for citizens rights. One concerning issue is the possibility of the CLOUD Act permitting the Department of Justice to authorize foreign governments to serve direct surveillance requests on U.S. providers. Looking at the CLOUD Act, the i2Coalition general position is that mutual legal assistance treaties or MLATs should be fixed. We work very closely with law enforcement to help them understand how they can better serve our members with requests for access to their data.
Christian Dawson: I want to shift to one more area where there’s a lot going on and that’s privacy. Particularly, what is going on in Europe with the GDPR going into effect on May 25th, 2018. The General Data Protection Regulation. David, can you talk a bit about what is happening there in regards to privacy?
David Snead: I often say when people talk about GDPR, if you haven’t been paying attention, you’re close to sunk. What this EU regulation does is it requires companies who process or control personal data about an EU individual to comply with a number of statutory requirements. What is difficult for people from the United States to understand is that the EU does not apply this regulation only to EU citizens. It applies to any individual who is in the EU. This is a difference between the way the U.S. and the EU look at laws related to privacy, access to data, governmental, or constitutional issues. The U.S. tends to apply these only to citizens. It’s important to understand in looking at the GDPR that it applies to all EU individuals.
When I look at this from a broad scope GDPR has three major effects. The first is the real potential that it will become the worldwide standard for privacy. That’s neither good nor bad but it appears to be the EU’s intent that this view of privacy will become the worldwide standard. If that is the case, it’s going to be very complex regulation to implement. It will challenge a number of different privacy perspectives around the world. In particular, it challenges the views of the U.S., who have taken a less regulatory approach to privacy than the EU. It also impacts publicly available data. For example, it is impacting WHOIS, a query of domain name registrant information maintains by ICANN. GDPR will have important impacts on security and uses of WHOIS data. ICANN is struggling with how to adapt for GDPR as WHOIS data may not be displayable unless it is compliant with GDPR regulations.
Another point is how GDPR will require companies to flow down provisions to suppliers. You’re required to ensure that your suppliers who are processing data on your behalf only process in ways that are GDPR compliant. This is difficult from an Internet perspective. There isn’t an understanding among infrastructure providers about how they touch data. As such, there is no consensus for how the industry will comply with this. Companies that are not based in the EU and have no operations in the EU don’t have an interest in following EU regulations. For example, a data center provider whose business is wholly in Australia, will not see any need to comply with EU regulations. As a result, these flow down provisions can be very difficult for businesses to enforce or add to their contracts. I’m seeing this as a common problem in the implementation of GDPR.
Christian Dawson: This is something we’ll continue to follow here at i2Coalition. We’ve accomplished a lot in our in our time today. David, we’ve gone over how the i2Coalition looks at policy from a top level perspective. We’ve gone over the major threats. We’ve delved into Net Neutrality, intermediary liability, government access to data, and privacy in GDPR. Now I want to give you the opportunity to hit anything major that we haven’t until now. Are there other issues you want to bring up that readers should know about?
David Snead: I talked briefly about trade and trade issues. This is something that the industry should follow in more detail. Recently, we’ve seen the current U.S. administration target China for tariffs. That is something to keep a real eye on. China imposes very difficult regulations on the providers gaining access to its market. They have the very real ability to restrict that access as a result of trade negotiations and trade considerations going on in the U.S. Understanding how your businesses can receive or lose access to markets is something that is worth a lot of thought.
Christian Dawson: Thank you, David. We’ll close here. I appreciate. I want to thank you for your time today. Thanks for your time today David. As the i2Coalition is the voice of the Internet’s infrastructure and we take an active role in all these important issues.
David Snead: Looking forward to talking again.