Comparing the "Ideal" and Reality
In this section, we offer a mapping of the different elements of our framework through the lens of a free, open, interoperable, secure, resilient internet. In doing so, we create two distinct pictures of the internet. The first column—Idealized Version—in each of the tables below describes what an internet built on the absolutes of these five principles would look like. In the second column—The Global Reality—we describe how the current internet departs from this idealized picture.
Governance Tier
Laws and Regulations
Laws and regulations are the primary tools used by states to shape behavior. They impose sanctions or punishment for (defined) undesirable actions or behaviors and/or provide incentives for (defined) desirable actions or behaviors.
In the context of the internet, laws can both shape the behavior of internet users and provide guidelines on how internet architecture should operate.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | Laws and regulations that enable freedom of access to information and expression via the internet. | All countries have some form of restriction on content, whether bans on child pornography or aggressive censorship of foreign press.{{96}} |
| Open | Laws and regulations that enable or ensure openness (oblivious architecture). | Some countries are not protecting net neutrality; many countries have laws that could allow ISPs to throttle traffic based on the content of that traffic.{{97}} |
| Interoperable | Laws and regulations that do not negatively impact the network’s interoperability. | Some nations mandate data localization and local data routing which can affect resilience.{{98}} |
| Secure | Laws and regulations that criminalize/penalize (a) illicit use of computers (as we define it: computer network attacks, etc.), but do NOT criminalize (b) content and information, etc. | Most countries have laws that criminalize (a), but many also have laws that criminalize (b). In some cases laws criminalize behaviors that would otherwise positively impact the security of the global network.{{99}} |
Social Norms
Social norms are expectations about “appropriate behavior for actors with a given identity.”1 They regulate behavior through societal pressure.
In the context of the internet, social norms typically guide how users interact with the internet and with one another on the internet. However, social norms have in the past also shaped the way infrastructure owners and operators administer internet architecture.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | Norms that enable freedom of access to information and expression via the internet. | There are some norms in place to protect internet freedom,{{101}} but many countries challenge them within their own borders. Further, other nation-states push conflicting international norms to restrict internet freedom.{{102}} |
| Open | Norms that enable or ensure openness (oblivious architecture). | Net neutrality was a norm, but some nations have already contested that fact. |
| Secure | Norms that dictate responsible behavior of internet users (including individuals, states, and other organizations) to not undermine or exploit insecurity of the global network. | Much time and effort has gone into establishing norms, particularly for responsible behavior of states,{{103}} but despite these norms, actors persist in exploiting insecurities. |
Standards
Standards give “specifications for products, services and systems to ensure quality, safety and efficiency.”2
In the context of the internet, standards provide guidelines primarily for using and configuring architecture.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Interoperable | Standards that ensure interoperability and that devices, systems, and networks are built to connect and interact. | The ideal is mostly the reality. Standards ensure most components of the internet can work with one another. |
| Secure | Standards exist that promote security.{{105}} | Governments around the world can undermine national and international security standards.{{106}} |
Markets
Markets regulate behavior through price. “Through the device of price, the market sets my opportunities, and through this range of opportunities, it regulates.”3
In the context of the internet, markets shape the creation, acquisition, and configuration of architecture. They also impact the options available to internet users and the way users react to architectural changes.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | The market for internet access and content access is not artificially manipulated. | Content laws artificially manipulate the market for information. |
| Open | Net neutrality. | ISPs violate net neutrality in some countries.{{108}} |
| Interoperable | Markets (global) provide economic incentives for developers/owners/operators to build/manage interoperable infrastructure. | This appears to hold true. Devices that fail to work with other devices are typically not in great demand. |
| Secure | People will understand what products are and are not secure and make purchases. | This is not the case, as customers continually purchase products with minimal understanding of or care for the security implications.{{109}} |
Architecture Tier
Content
The content element is the result of translating machine-readable code into human-interpretable information. Content is what is presented on the screen of most internet users.
Examples of content include information on websites (not the websites themselves), email messages (not email protocols or applications), text messages, and Voice over Internet Protocol (VoIP).
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | Universally, users can access and share any information they want at will. | Countries and sometimes infrastructure operators put laws or policies in place to censor certain content. |
| Open | Users are guaranteed free, immediate, online availability of information coupled with the rights to use that information fully in the digital environment.{{110}} | Countries and sometimes infrastructure operators use technical measures to manipulate architecture to block or limit access to certain content. |
| Secure | Users can trust the validity of the content on the internet.{{111}} | Fabricated content and manipulated content is rife on the internet. Users are often bereft of ways to verify the truth of a given piece of content.{{112}} |
Application and Presentation
The application and presentation element serves to translate character code representations (machine-readable code, what is often referred to as “data”) into physical windows, text, graphics, and other representations that are discernable to an average user. The result of this translation is content.
Examples of application and presentation architecture include internet browsers, websites themselves (search engines, news sites, social media platforms, etc.), email and messaging applications, the Hypertext Transfer Protocol (HTTP), and others, as well as file types (JPG, .doc, .pdf, etc.), encryption protocols (RSA, PGP, etc.), and character code representations (ASCII, Unicode, etc.).
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | Any user can use and access any application. | Governments outlaw some applications. |
| Open | Applications do not modify what a user of the application sees. | Application owners, operators, and developers willingly design or are compelled by governments to design protocols to discriminate the content their applications present. |
| Interoperable | Translation infrastructure needs to be able to take any coding language and turn it into something an internet user can read. | This generally holds true. Files are fairly interoperable, although encryption can introduce complications. |
| Secure | Applications are safe to use. In fact, security is built in (secure coding). | Applications are vulnerable to cyberattacks. Files can easily be embedded with malicious code. |
| Resilient | One type of application breaking doesn’t cause all other types of applications to break. | Sometimes applications break, but their failure has not yet led to the entire system failing. For example, a given web browser could break, but that would not prevent the world from accessing the global internet.{{113}} |
Session
The session element is, for the purposes of the global internet, the interaction between an internet user and a host of internet content. A session is initiated by a user on the user’s own device, sending a signal to a host via the transport element. The host then decides to accept or reject the request for access and sends that signal back to the user. The session remains open for as long as the user maintains access to the host’s content.
For example, when an internet user wants to access facebook.com, she enters the URL into her browser, ostensibly sending a session request to a Facebook server. The server chooses whether to accept or deny that request and sends it back to the user.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | Internet users are not blocked via legal or normative means from opening sessions on the global internet and do not need specific permissions to open specific sessions.{{114}} | In some places, governments and/or infrastructure operators block users from opening sessions, usually through manipulations of the application element.{{115}} |
| Open | Session architecture does not prevent internet users from opening sessions. | In some places, infrastructure operators block users from opening sessions.{{116}} |
| Secure | Sessions are alterable only by authorized parties; information is kept secret from other sessions and parties. | Hackers can compromise sessions through such actions as cross-site scripting (XSS) attacks{{117}} and attacks on mountable networked file system (NFS) shares.{{118}} |
| Resilient | Individual sessions can fail (causing failure for the user up the chain), but individual session failures do not cause global session failures. | This generally holds true, but DDoS attacks can prevent users from opening sessions.{{119}} |
Transport
The transport element consists of the processes and protocols that allow devices to communicate with one another over the network (see below).
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Open | Requests are not discriminated against. | Governments and ISPs throttle traffic by delaying response times of transport protocols.{{120}} |
| Secure | Message communications are encrypted; CIA is preserved. | Messaging is still vulnerable to attacks like three-way-handshake hacks,{{121}} TCP spoofing,{{122}} and others. |
| Interoperable | It doesn’t matter what device a user is using or what query a user is sending; the transport protocols can work with them all. | This largely holds true. |
| Resilient | Messages are not dropped, duplicated, or corrupted, and arrive in a timely manner while making fair use of the network. | Some failure occurs, but compared to other messaging protocols, and the central challenges that arise with networked messaging, TCP/UDP/etc. are relatively resilient. |
Network
The network element is the processes and protocols that help internet traffic identify its intended destination. Network processes and protocols help assign identities to users and hosts.
The most notable of these processes and protocols are the Internet Protocol (IP) and domain name service (DNS) registries.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | IP addresses are accessible{{123}} and the range of IPs from which a user can request information is not actively restricted. | Countries control entire blocks of IP or restrict IP access. |
| Open | The network does not discriminate (by limiting speed or bandwidth) when routing IPs. | Government and ISPs identify what traffic to throttle based on IP addresses and other network characteristics. |
| Interoperable | Protocols work coherently with one another. | ICANN governs a system which ensures that protocols largely do work coherently with one another. |
| Secure | Routing infrastructure should not be vulnerable to attack. | The network element is vulnerable to some cyberattacks like DNS cache poisoning{{124}} and replay attacks,{{125}} which compromise IP and other protocols. |
| Resilient | There are no SPOFs (single points of failure); systems are configured for redundancy. | Heavy reliance on standard/universal protocols (IP, for example) creates potential single points of failure.{{126}} Single system failures can bring down entire subsections of the global internet (e.g., Mirai).{{127}} |
Data Link
The data link element is oriented around packets themselves rather than users and hosts. The data link processes and protocols dictate how packets are sent and received and how they act when delivered to their destination. Data link processes and protocols play a basic role in ensuring the functionality of the internet by detecting and correcting basic errors in transmitted data. Data link processes and protocols include media access control (MAC) addresses.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Open | The protocols and access controls in this element will not identify or differentiate between traffic and treat it differently. | This holds true in practice. |
| Interoperable | An international system of standards weaves things together so that links (from/to different manufacturers) interact easily with one another (all of the others, in fact). | This is largely true, but as the need to secure the internet moves further from the end user and closer to the physical hardware, so too do challenges to interoperability. |
| Secure | Data links uphold CIA. | Links are still vulnerable in their transmission of data, particularly on confidentiality and availability. Techniques for breaking or bypassing encryption (e.g., frequency attacks) also challenge this ideal. |
| Resilient | Distributed data link infrastructure creates redundancy and resiliency. | This largely holds true. Destroying one data link does not destroy all data links. |
Physical
The physical element is the physical infrastructure and hardware that enables all the other elements.
Physical elements of the global internet include servers, undersea cables, satellites, routers, Ethernet cables, internet exchange points (IXPs), cellphones, tablets, and computers themselves.
| | “Idealized” Version | The Global Reality |
|---|---|---|
| Free | Any user can plug into any component of the infrastructure and use it to access the global internet. | Governments and corporations can and do purchase/own physical cables and exert control over how and by whom they are used. |
| Open | The physical infrastructure does not identify or differentiate between traffic and treat it differently. | The physical infrastructure itself does not breach openness. |
| Interoperable | Physical components interact easily with one another. | Design standards for physical infrastructure ensure interoperability, for the most part. |
| Secure | Physical components of the global internet are physically secured (e.g., strong access control), and physical infrastructure (hardware) is not hackable. | Physical security of physical infrastructure varies widely. Hardware is also hackable.{{128}} |
| Resilient | If one wire fails, the system still survives. | Because physical infrastructure is not necessarily equitably distributed, physical infrastructure failures have led to internet blackouts across entire nations.{{129}} However, one cable failing does not shut off the global network. The fact that 4 corporations account for 93 percent of CDN traffic poses potential challenges to the resiliency of the global internet.{{130}} |
Citations
- Martha Finnemore and Kathryn Sikkink, “International Norm Dynamics and Political Change,” 1998, source, 891.
- This definition is taken from the International Organization for Standardization (ISO). See: International Organization for Standardization, “About ISO,” n.d., source.
- Lawrence Lessig, “The Laws of Cyberspace,” 1998, source, 3.