GG2022 – Developing a Code of Conduct for Internet Governance

Yi Shen offers some suggestions to avert the fragmentation of cyber space.

In early June 2013, former CIA contractor Edward Snowden exposed the National Security Agency’s classified PRISM internet surveillance program to the public, thrusting us into a “post-Snowden” world, where we now face the bald-faced realization that there is little or no security or privacy in cyberspace. Since few people are willing to protect their privacy by abandoning the internet completely, governments are forced to reckon with a contemporary security problem that takes place in the virtual world. What is needed is a code of conduct for cybersecurity based on the novel concept of data sovereignty.

The problem comes down to this: the PRISM project tells us that there is now a new form of global competition to gain maximum control over the data stored in cyberspace. Indeed, data takes center stage in the PRISM project and is the lifeblood of cyberspace. But in a world of inherent technological inequalities, what does this global competition imply?

Developed countries enjoy a comparative advantage in hardware, software, infrastructure and technology, but more than half of the world’s internet users currently live in the developing world, according to the International Telecommunication Union (ITU). This asymmetry means that developed countries are currently the most able to spy – on each other, on developing countries as well as on their own citizens. In a world composed of sovereign states of differing development levels, such an imbalance in technological capacity may escalate tensions, potentially leading to conflict in a manner that harks back to the Cold War.

Worried about the security and privacy of the data they store on the internet, state actors today will be sorely tempted to build their own technological defense systems to spy on other actors' data in cyberspace. This could lead to a cyber arms race, in which states try to out-do each other in building firewalls and surveillance systems. Within this game, technologically dominant state actors are in a position to take advantage of or even abuse their advanced capability to further their own security interests. The PRISM project is one such example.

Most states, as already proven in the traditional arms race, cannot afford to engage in such an expensive game. Since we cannot change the technological inequality among countries overnight, and a number of stakeholders would like to revisit the existing order of cyberspace, an urgent task of global governance is to shape a new code of conduct whereby weaker actors should not have to be concerned about the abuse of power by more technologically empowered actors. To this end, state actors need to move beyond signing symbolic treaties pledging that allies will not spy on each other. They need to negotiate how to govern the huge amount of data stored in the global cyberspace under a code of conduct for cybersecurity based on data sovereignty.

“Sovereignty” here does not imply that state actors should strengthen their sovereign hold on cybersecurity within traditional national borders by erecting firewalls or increasing password protection. Rather, it means that any actor uploading data onto the internet should enjoy the legal rights to and ownership over the data. Thus, data sovereignty would apply to both state and non-state actors.

It is important to note that the traditional notion of state sovereignty, whereby states are separated by geographical borders, is not relevant for governing the global cyberspace. A code of conduct based on data sovereignty means that the global community needs to produce a new governing structure composed of updated perceptions, norms, regimes, legal codes, and formal organizations to manage all the resources, equipment, and infrastructure that are key to the global cyberspace.

First, such a venture will require establishing a common understanding among stakeholders on what kinds of actions are allowed – and prohibited – in cyberspace. This process will also serve as a confidence-building mechanism and encourage cooperation. A second step is to launch negotiations on more concrete regimes or legal codes of conduct. A third and final step is to establish a formal organization to carry out the task of governing the global cyberspace.

Data sovereignty serves to protect all data providers present in the global cyberspace who are also interconnected with each other, creating a common ground that ensures that individuals all over the world may enjoy the benefits produced by the development of information technology without worrying that technologically dominant actors may abuse their capability. By empowering technologically disadvantaged actors, the concept of data sovereignty should encourage more cooperation among governments to build a stable and secure global cyberspace instead of enhancing the position already enjoyed by stronger actors.

New governance structures based on data sovereignty should ensure that different actors enjoy the same rights in cyberspace regardless of their technological capabilities. Under such a structure, even the weakest actor in the world should not have to worry about the unlawful cyber surveillance that the most powerful state actor in the world can launch. Even without advanced technological capacities, weaker states may still enjoy the benefits produced by the evolution of the global cyberspace.

There are, of course, drawbacks to this approach. When a data provider’s rights are violated by a technologically dominant actor, it is unlikely that non-state actors can defend their data sovereignty as effectively as state actors can. One possible solution is that non-state actors could authorize their government to protect their data rights. This authorization would lead to the birth of the data sovereignty of states. The implication here is that the right to data sovereignty would become a new component of an individual’s human rights. In the same vein, protecting the safety of the data of their citizens would become a new responsibility of the sovereign state. Since all sovereign subjects are equal, all sovereign data providers should also enjoy equal rights in accessing the benefits from the development of global cyberspace free from surveillance and data theft, regardless of technological capability.

In August 2011, CBS writer Zack Whittaker published a report on ZDNet saying that Google admitted to handing EU data stored in European datacenters over to US law enforcement. This is an example of some of the issues that the new code of conduct based on data sovereignty should target. Within this framework, such a data transfer would only be possible if authorization from the European side as well as from the actual owners of these data were obtained.

Pursuing such a code of conduct may seem somewhat idealized, but current practices could lead us down a disastrous path. According to the latest GG2022 scenarios on the futures of global cyber security governance, the lack of strategic trust among state actors in the global cyberspace could lead to a sudden crippling of the internet such that cyberspace as we know it will be separated into different groups of states with heavy firewalls built among them. If that happens, distrust among states would have deprived the cyberspace of its most valued feature – interconnectedness – so that no single actor or group of actors could become a real winner. Negotiations to achieve a globally agreed-upon code of conduct will certainly be difficult, but it is our best option forward.

 

Yi SHEN is a fellow of the GG2022 program and a faculty member at the School of International Relations and Public Affairs of Fudan University, China. His main research focuses on cyber security and cyber diplomacy issues. He also serves as the vice director of the Center for BRICS Studies at Fudan. This column is part of a series from the GG2022 fellows. For more information on the GG2022 program, please see here.
