The Global Digital Governance Map

Currently, a patchwork of national regulatory regimes, multilateral bodies, corporate policies, and multi-stakeholder organizations governs the various layers of the digital domain. Internet governance has traditionally fallen to the private sector and technical community, as internet service providers and telecommunications companies built and own much of the world’s network infrastructure. Among nations, there is little agreement over the rules of cyberspace. The establishment of the World Wide Web in 1991 came at the start of a short-lived period of American hegemony, and as the internet expanded globally nations mostly deferred to U.S. norms for cyberspace. But as the world has become multipolar in the twenty-first century, governance of the digital domain is an increasingly contested front line in geopolitical power struggles.

Different nation-states now have distinct and divergent digital governance models. The three major standard-setters are the U.S., European Union, and China. The U.S. prioritizes the interests of the firm, regulating lightly and allowing tech companies wide remit to govern, innovate, and acquire power. The EU puts more stock in the interests of consumers, or end users, by using its regulatory might to impose protections and limit anti-competitive corporate practices. In China, the state takes precedence, as the digital economy is made to conform to the ideological and policy goals of the autocratic Chinese Communist Party. Other nations have for the most part followed one of these models, or adopted elements of each, though a distinct fourth approach is emerging in India, which, through public-private partnerships, has developed the world’s most extensive national digital infrastructure to drive economic development and inclusion, at times at the expense of individual rights and liberties.

Multilateral bodies, especially those housed in the UN system, such as the International Telecommunication Union (ITU), play a critical role in setting worldwide technical standards and managing network infrastructure. Increasingly, these fora have become arenas for competition between Western democracies and their allies and authoritarian states, such as Russia and China, which seek to exert greater control over the global internet. Amid this power struggle, good-faith multilateral efforts to develop international treaties and definitions have stalled or failed.

In the absence of global rules, multinational technology companies have created their own governing regimes. Tech behemoths such as Meta and Google, with trillion-dollar-plus market capitalizations and billions of people worldwide using their products, enact policies that would typically be the purview of governments, such as regulating international payments and commerce and determining the limits of free speech.

Because the internet is a public, private, and civic enterprise, many point to multi-stakeholderism as the archetype for governing the digital domain. Already, bodies that bring together governments, civil society, the private sector, and the technical community perform essential governance functions. The preeminent example is the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit that manages the address book of the indexed internet and without which the web would cease to work.

The de facto standard-setter for global digital governance is the U.S., which takes a laissez-faire approach that is conducive for innovation and growth but offers scant protection to consumers and allows extensive harm to users and institutions. The internet was developed in the U.S. with government backing in the 1960s. It evolved principally from the Department of Defense Advanced Research Projects Agency Network (ARPANET) project. Its principle inventors sought to be able to quickly and smoothly enable the exchange and transfer of information across remote decentralized networks of computer terminals. Its formation involved universities, companies, and scores of independent researchers and technical experts.

The functional design of the internet’s architecture was open and interoperable, with open protocols allowing different devices and networks to plug in and for anyone to build tools and services. A hands-off approach enabled this ecosystem to flourish, and though the U.S. government has played a governance role—the U.S. Department of Commerce supervised ICANN until 2016, for instance—it generally has allowed the digital domain to remain an open system of information exchange. A techno-utopian libertarianism (what two social theorists in 1996 called the “Californian Ideology”) prevailed in Silicon Valley, furthering the notion that government interference in the digital economy would threaten innovation and growth.¹ This mindset persists: In unveiling a framework for AI legislation in June 2023, Senate Majority Leader Chuck Schumer emphasized, above all else, that AI regulation must “prioritize innovation.”²

U.S. tech regulation reflects this idea that “less is more.” Legal doctrines that have curbed the power of other industries have not applied to internet companies. The consumer welfare standard that informs antitrust law, which defines monopolistic behavior in terms of financial harm to consumers, does not apply to free services such as online search or social media. Section 230 of the Communications Decency Act of 1996 shields tech firms from liability for content posted on their sites and platforms. Though Section 230 facilitated the growth of an open internet by allowing user-generated content to flourish—services such as Wikipedia could not exist without it—it also has enabled tech platforms to elude responsibility for harmful content posted on their sites, not just at home but abroad. Even if these companies are sued by users in other nations, they are free from liability in their home country.

Most digital regulation and policy is state- or sector-specific. For example, the federal government has enacted data protection and privacy legislation in sectors such as health and education—through the Health Information Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), respectively. Regulations like HIPAA have limited applicability beyond medical and insurance providers. If someone searches for a medical condition on Google, HIPAA does not protect that person’s private health data from being collected, stored, and exploited. In the absence of comprehensive federal data protection legislation, a number of states, such as California, Colorado, Connecticut, and Virginia, have enacted their own regulations, with many additional states poised to implement legislation in the coming years.³

The one area where the federal government has taken a more active approach to tech regulation is in national defense vis-à-vis China. In response to what is perceived to be a national security threat, the government banned the sale of equipment produced by Chinese company Huawei in 2022. The U.S. claims that Huawei has violated international sanctions and its equipment could be used to conduct cyber espionage.⁴ The U.S. federal and state governments have also banned Chinese social media platform TikTok on government-owned devices. Montana has banned the app outright, and it will no longer be available for download in the state starting in 2024.⁵ These policies are symptomatic of a fear, perhaps misplaced or exaggerated, that the Chinese government will be able to access commercially-acquired information of American citizens, posing a threat to national security.

American influence on global digital governance stems in part from the expansion of U.S.-headquartered tech firms abroad. The capital power held by American tech companies allows the U.S. to co-govern the digital world. While this growth has historically yielded advantages, such as the promotion of American values like free speech, the concentration of power among American big tech companies marginalizes those who were not initially considered during the system's design, raising concerns about diversity, equity, and inclusivity online. The exportation of the Silicon Valley model has led to a proliferation of harms, leaving users vulnerable and lacking recourse against large multinational tech corporations that operate with limited oversight in areas such as content moderation and data collection. Several nations have undertaken measures to rein in “Big Tech” and assume responsibility in areas where the U.S. government has been absent.

The EU has taken a heavy-handed approach to digital regulation in the interest of protecting the rights of its users. An additional unstated, but widely acknowledged subtext of current EU regulation is the desire to mitigate potential harms posed by monopolistic behavior to the economic interests of European member states that have struggled to innovate in the digital sphere at the same rate of speed as the United States and China. From data privacy protections to AI, the EU has been at the forefront of rights-based digital governance, making it what many would consider the “world’s greatest regulatory superpower.”⁶ Observers talk of the “Brussels Effect,” which refers to non-European governments aligning their digital regulatory frameworks with those of the European market.⁷

The Brussels Effect enables the EU to be a normative power that exerts ideological influence around the world, promoting values such as democracy, respect for human rights, anti-monopolistic free markets, and responsible innovation. For example, the EU’s Digital Services Act (DSA) aims to shape the values of very large online platforms (VLOPs), sites with over 45 million monthly active users in the EU. The DSA bans advertising based on profiling and using categories of special sensitive data (such as sexual orientation or religion); increases transparency in algorithmic content moderation; dictates response mechanisms when illegal content is detected online; informs users about content recommendation decisions; and requires VLOPs to perform due diligence such as risk assessments.⁸ The goal of the legislation is to influence non-EU tech platforms to adhere to European value systems, at least when operating within the borders of the bloc.

Additionally, the EU and its member nations have been appointing tech diplomats to the seat of digital power in Silicon Valley, led by the appointment of the Danish Tech Ambassador in 2017. Instead of engaging with tech company public policy teams in their home country, these representatives seek to influence the firms’ executives and decision-makers. Tech diplomats engage regularly with VLOPs and other companies to discuss topics like digital human rights, responsible innovation, and disinformation. In 2022, the EU appointed a digital envoy to San Francisco to act as a “digital enforcer” to help tech companies comply with legislation such as the DSA.

The EU’s most recent contribution to the digital governance landscape is its draft AI Act.⁹ The EU is taking an ex ante, risk-based approach to AI, attempting to regulate the technology before a crisis erupts. Jaron Lanier, an American computer scientist and writer, summarizes the Act as “the right to not be manipulated by computation.”¹⁰ Under the proposed legislation, the EU has developed a differentiation of harms dependent on AI risk. For example, AI systems with “unacceptable risks” such as AI for social scoring or predictive policing would be banned outright, while high-risk applications such as consumer products and AI used for socioeconomic decisions would be subject to certain requirements.¹¹ This bill also assigns recommender systems on social media platforms to the “high risk” category, effectively subjecting these sites to more scrutiny and increased liability for their content.¹²

The regulatory power afforded by the size of the EU common market has been a boon for the single-currency bloc, as it lacks the technological supremacy and regulatory frameworks for private industry innovation required to otherwise be a significant player in the digital realm. Research by McKinsey & Company corroborates this point: A 2022 report found that European companies underperform relative to those located in other regions as they are growing more slowly, investing less in research and development, and banking lower returns.¹³ Central to the European approach is an increased desire for digital sovereignty as the bloc seeks to bolster its private sector, which is more inclined to uphold European values compared to foreign multinational corporations.

The Chinese model of digital governance relies on authoritarian control to advance the ideological and policy goals of the state. This model envisions a world not of a single, open global internet, but of an internet fractured along territorial lines. “Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty,” declared a 2010 white paper from the Chinese State Council Information Office.¹⁴ In practice, the Chinese Communist Party exerts significant technical and social control over cyberspace, mediating the country’s connection to the global internet and maintaining the world’s most comprehensive online censorship regime. At the same time, the Party has set ambitious goals for high-tech innovation, protected and policed technology companies, and driven public and private investment into the tech sector—efforts that a group of New America cybersecurity researchers say “arguably constitute the most comprehensive framework for [information and communications technology] governance currently underway globally.”¹⁵

The government’s digital control starts at the infrastructure level, where the Ministry of Industry and Information Technology strictly oversees the country’s gateways to the global internet and restricts cross-border information requests and access to servers abroad.¹⁶ This enables what Western media calls the “Great Firewall,” a massive online content censorship and surveillance apparatus that relies on deep packet inspection and other tools to block many foreign websites and online platforms and requires domestic companies, websites, and platforms to moderate and remove content deemed harmful or undesirable by the government. Though the Great Firewall has existed since 2000, in recent years it has become more expansive and sophisticated, deploying AI tools for content censorship, cracking down on virtual private networks (VPNs), giving social scores to companies, and blocking a greater array of content.¹⁷ The government will also order ISPs and telecommunications companies to shut down internet and mobile service to quell online dissent and expression in areas ranging from entire regions to individual families.¹⁸ Chinese authorities make extensive use of digital surveillance technologies, ranging from AI-powered cameras to biometric sensors, to both enhance the quality of life for citizens, such as by mitigating traffic congestion, and to advance social governance goals, such as to control the lives of minority populations.¹⁹

An assertive regulatory ecosystem aligns digital technology with state priorities. Closing off the Chinese internet to foreign tech platforms such as Google and Facebook enabled the rise of homegrown companies, such as Alibaba in e-commerce, Baidu in search, and Tencent for social media and other internet holdings. Over the past five years, Chinese regulators have taken steps to constrain the tech sector, including launching antitrust probes and levying fines; enforcing data security protocols intended to ensure that Chinese personal data collected by private companies stays in China; and curbing what leaders called the “disorderly expansion of capital” at the expense of the public interest, including halting approvals for new companies and suspending the initial public offering of financial technology company Ant Group.²⁰ Observers have noted that this so-called crackdown not only asserts the Party’s control over big tech, but it also serves policy goals, such as macroeconomic stability and the reduction of foreign influence over the sector.²¹

As its geopolitical clout has grown, China has become a cyber norm entrepreneur, rallying not just other autocracies but also smaller countries that may feel colonized by American tech giants behind its vision of digital sovereignty.²² Through its “Digital Silk Road” initiative, China has sold digital hardware and constructed network infrastructure in the developing world, often at a lower cost than Western competitors. At the same time, other countries, from Zimbabwe to Venezuela, have purchased Chinese surveillance technologies and sought to construct their own versions of the Great Firewall.²³

A fourth digital governance trendsetter is emerging: India. Though still a lower-middle-income country with a per capita GDP of $2,388 and the world’s largest population (at 1.4 billion), India is undergoing a rapid digital transformation. From 2014 to 2019, the digital economy grew at a rate of 15.6 percent, two-and-a-half times that of the economy overall.²⁴ India has made homegrown digitization a cornerstone of its national development and international identity. The hallmark of its model is a national digital infrastructure, built through public-private partnerships, that is neither laissez-faire nor entirely state-controlled.

The “India Stack,” as the country’s digital infrastructure is called, is a unified, interoperable software platform with government-backed application programming interfaces (APIs) upon which third parties can build applications.²⁵ The base layer is a digital ID system called Aadhar, Hindi for “foundation,” which uses biometric and demographic data to assign each person a 12-digit identity number recognized by government agencies, banks, telecommunications companies, and others. It was developed by a team led by software entrepreneurs working within a government authority under the Ministry of Electronics and Information Technology. Launched in 2009 when only 13 percent of Indians had a verifiable identity, by June 2023 almost the entire population of 1.4 billion had a digital ID.²⁶

Identity verification enables the next layers of the stack, the first of which is the Unified Payments Interface, an interoperable transactions system that links banks, mobile fintech apps, and any other online payment service to enable instant transfers at near-zero cost. Overseen by the central bank and managed by a government-backed nonprofit, the interface is used by the government to deliver welfare benefits and by people to pay bills, transfer remittances, and purchase goods. India is now the world leader in real-time digital payment transactions, recording 65 transactions per capita per year, compared with 12 in China and 8 in the U.S.²⁷ The next layer is a digital database called DigiLocker, in which individuals can store and share paperless documents such as driving licenses, medical records, and academic credentials. Additional layers are in development, such as the Open Network for Digital Commerce, an interoperable e-commerce system that would enable customers to order, pay for, and have delivered goods from services that are all registered to different apps, in contrast to walled-off platforms such as Amazon that control every step from seller to customer.²⁸

The India Stack has driven financial inclusion, improved government capacity to deliver benefits and services, and stimulated entrepreneurship, as open, interoperable systems in payments or ecommerce, for instance, help create a level playing field that diminishes the ability for large companies to dictate terms and acquire monopolistic positions. At the same time, concerns about privacy, data security, and surveillance have arisen, as the government and companies are gathering vast quantities of personal information with few guardrails in place. A recently passed Digital Personal Data Protection Bill will require data fiduciaries to apply adequate security measures to protect user data, but it also grants the government the authority to exempt state agencies from those provisions, a carve-out that digital rights activists argue could lead to increased government surveillance.²⁹

As the holder of the G20 presidency in 2023, India has launched a diplomatic effort to promote the India Stack model and encourage its adoption across the developing world. But though the government champions its open, interoperable digital infrastructure, it also exercises control over aspects of the digital domain to promote government priorities. The government uses digital platforms to spread sometimes inflammatory Hindu-nationalist messaging and often demands those same platforms remove content of opposition parties and groups. India has banned foreign apps—Chinese ones especially—in the name of national security and digital sovereignty. According to Access Now, there were more internet shutdowns in India over the last five years than in any other nation, carried out to silence critics, prevent insurgents from organizing, and to prevent cheating in school exams or government job entrance tests.³⁰

In digital governance, multilateral organizations have played critical roles in setting technical standards, managing network infrastructure, and shaping cyber norms that enable an open global internet to exist. But increasingly, they are battlegrounds in which states with competing visions for the digital future vie for influence. The primary fault line is between the Western democracies and their allies who seek to preserve an open global internet, and the autocracies who wish to see states exercise greater control over the internet and extend national territorial-based sovereignty into the digital domain.

The most powerful multilateral body is the International Telecommunication Union (ITU), which was established in 1865 to regulate the telegraph industry and is now a UN specialized agency with the mandate to ensure “networks and technologies seamlessly interconnect,” as well as to improve worldwide access to information and communication technology.³¹ Among other things, its 193 member-states and 900 private sector members develop policy and regulations that determine the international standards for internet connectivity, 5G technology, and other information and communications networks.

Contests over those standards have intensified, as China, Russia, and other authoritarian states have pushed an agenda at the ITU that experts say would reshape the global internet from an open, largely free network of networks to a fragmented “splinternet” controlled by nation-states.³² China has repeatedly proposed a new internet protocol (IP) that would, among other things, require internet users to register themselves to access many online services and enable governments to more easily and quickly shut off parts of the internet.³³ According to a group of Oxford University researchers, implementation of the new IP would “splinter the global internet’s shared and ubiquitous architecture”; lead to state-dominated internet governance that excludes companies and civil society; and weaken cybersecurity, enable human rights violations, and widen the digital divide.³⁴ The defeat of the new IP proposals, plus the victory of a U.S. representative as secretary general of the ITU over a Russian candidate, after a pitched election that pitted the authoritarian vision against the open one, has meant the preservation of the status quo, for now.

The battle within the ITU is emblematic of the war over digital governance playing out across intergovernmental organizations. Media have reported that China is pursuing a “well-resourced and widespread targeting of key, but low-ranking, positions in global digital standards agencies to push its own agenda.”³⁵ American researchers Jeffrey Ding, Paul Triolo, and Samm Sacks describe how China’s government “views standards as playing a significant role in the country’s aspirations for AI leadership” and has accordingly sought to play a leadership role on the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) subcommittees responsible for developing these standards.³⁶ The fight is also playing out over the norms of cyberspace. In the UN Open-Ended Working Group, a body tasked with negotiating an international convention on cybercrime, autocracies are pushing for a broad and vague definition of cybercrime that digital rights experts say would justify greater government control over online activity and expression.³⁷

A handful of American tech companies are the most highly capitalized, and arguably powerful, corporations in the world. Four of the planet’s five largest companies are U.S. tech firms: Apple, Microsoft, Alphabet, Amazon, and Meta, with a combined market cap of more than $9 trillion³⁸ as of August 2023, larger than the GDP of any single nation save the U.S. and China.³⁹

Big Tech’s products are used by populations greater in size than that of any country. Facebook has 3.03 billion monthly active users as of June 2023; WhatsApp has 2.7 billion as of July 2023; and Instagram has 2.6 billion.⁴⁰ Some 3.6 billion use Alphabet’s smartphone operating system Android.⁴¹ YouTube, which is owned by Alphabet, has 2.7 billion monthly active users.⁴² Alphabet’s Google is the most visited website in the world, with 92 percent of the online search market and an estimated 4.3 billion users.⁴³ The ubiquity of its products means that American Big Tech not only wields market power but it “directly affect[s] the livelihoods, relationships, security, and even thought patterns of billions of people across the globe,” according to American political scientist Ian Bremmer.⁴⁴

These companies now exert geopolitical influence that rivals states and exercise governance over domains that were traditionally the sole purview of governments. The power of Silicon Valley tech giants derives first from highly concentrated corporate control over knowledge and discourse, which in turn shapes both applications and the regulatory environment. Such so-called Big Tech power also stems from the ability of big companies with large capitalization to shape the platforms and infrastructures that facilitate and enable communication and information exchange, including through the purchase or elimination of smaller competitors and the assertion of monopolistic power over technologies that overlap with and rely on the products of multiple industries.

For instance, in 2021, Meta, in what was later revealed to be a negotiation tactic to thwart a proposed Australian law that would require the company to pay news industry outlets for their content that appeared on Facebook, briefly blocked all news on Australian Facebook as well as Australian government and hospital pages.⁴⁵ The move effectively restricted digital access to public services and information amid the country’s COVID-19 vaccine rollout and wildfire season. Facebook and Twitter (now X) regularly make decisions about the acceptable limits of free speech without democratic process. The growing governance power of big tech has prompted commentators to declare the dawn of a “digital world order” and the fact that “net states [rule] the world.”⁴⁶

“While the U.S. has traditionally been the foremost exporter of democracy, it now exports the technology that has and will continue to disrupt democracies worldwide.”

The highly permissive U.S. regulatory approach has enabled Big Tech to largely govern itself. The companies write their own community guidelines for content moderation, which Georgetown Law Professor Anupam Chander says are “modified only as necessary in the face of enforcement efforts by foreign governments or negative publicity.”⁴⁷ Though at times aligned with and influenced by U.S. national interests and values, these corporations are, above all else, driven to maximize profit or shareholder returns, so their actions have at times led to human rights violations and the undermining of democratic norms. Facebook’s algorithms have amplified disinformation that has subverted democratic elections and led to real-world violence, such as in Myanmar where the spread of hateful content contributed to a brutal ethnic cleansing campaign against Rohingya Muslims that displaced more than 700,000 people and left as many as 7,000 dead.⁴⁸ While the U.S. has traditionally been the foremost exporter of democracy, it now exports the technology that has and will continue to disrupt democracies worldwide.

Much of the global digital commons is governed by multi-stakeholder bodies and processes that include all the players who have a role (or stake) in the functioning, performance, and outcomes of a particular technology. That may include governments, companies, intergovernmental organizations (such as UN agencies), civil society organizations, and technical experts. Multi-stakeholder bodies are inclusive, able to accommodate multiple perspectives in deliberation and decision-making processes.⁴⁹

Governance of the internet depends on a decentralized global network of multi-stakeholder bodies. The most prominent body is ICANN, the organization responsible for managing the Domain Name System (DNS), the phonebook of the indexed internet. In the early days of networking before the global internet, connecting two computers required memorizing their IP address digits. That changed when American computer scientist Jon Postel developed the DNS, which organized the names according to their hierarchical domain (such as .com or .gov) while also storing the information necessary to translate the name into an IP address in various servers located across the globe. The National Science Foundation, a U.S. government agency, had oversight of the system until the growth of the internet in the 1990s prompted the Clinton administration to call for the privatization of DNS management to promote competition and facilitate the internet’s international expansion.

In 1998, ICANN was created as a nonprofit public benefit corporation, with a globally representative governance structure developed in consultation with the government, business, technical, and engineering communities involved in managing the internet. Though it would be privately run, the U.S. government mandated that ICANN operate in a consensus-driven and democratic manner, “reflect the diversity of [the internet’s] users and their needs,” and “reflect the bottom-up governance that has characterized development of the internet to date.”⁵⁰

In practice, the organization is composed of volunteers from 130 countries and territories that form four advisory committees and three supporting organizations.⁵¹ Any member of these groups can raise issues within their organization, which are then assessed for the potential to become consensus policy after public comment. Working groups and task forces then develop policy recommendations, which are subjected to public feedback before final adoption and implementation by ICANN.⁵² Voting within the organization is sometimes performed by humming, in which the side with the loudest hum is taken as the consensus of the membership.

ICANN has been essential for a stable, global internet. And its model carries lessons for multi-stakeholder governance of any digital technology. ICANN had the backing of the U.S. government from the start, which conferred legitimacy and power to the organization. It is not only inclusive, but it also affords its members ownership of processes and decision-making, since all members can introduce and vote on policy. ICANN is focused on performing specific, practical functions. It is not a talk shop, and its mandate is clearly defined. The volunteers who comprise its membership share a common technical language and understanding. Critically, its founders said there was a large amount of goodwill and trust among the various stakeholders who got it up and running.