Rising tide of cyber-crime shows why we need Web regulation
Michael Barrett is the Chief Information Security Officer at PayPal. He is on the advisory board of StopBadware.org, an anti-malware “neighborhood watch” led by Harvard University’s Berkman Center for Internet & Society.
In less than five years, Internet crime has changed from an anomaly of teenage vandals into a multi-billion dollar industry. Just one form of cyber crime, “phishing,” where criminals masquerade as trustworthy entities in e-mails and instant messages to steal private data, reportedly amassed $3.2 billion last year. Another form, spyware, where software surreptitiously monitors a victim’s online activity, prompted 850,000 U.S. households to replace their computers and inflicted damages totaling $1.7 billion, reported the Consumer Reports National Research Center State of the Net Survey.
At the same time, Internet usage has skyrocketed worldwide with 20 percent of the world’s population, or about one billion people, online today. It’s not hard to understand why the Internet’s popularity has continued to grow in the face of its threats. Could you get through your workday without e-mail or search? Could your kids make it to dinner without checking Facebook or sending a text? If you’re like most people I know, the answer is likely, “no way.”
We are socially and economically dependent on the Internet – a fact that makes us vulnerable in tough financial times. So, it may surprise you to know that no single entity is responsible for regulating the Internet or keeping its users safe.
Historically, Internet safety has relied on the goodwill of a few small actors such as non-profits like StopBadware.org, an anti-malware neighborhood watch led by Harvard’s Berkman Center for Internet & Society. Within the federal government, the Federal Trade Commission monitors Internet fraud and the Department of Homeland Security oversees a national cyberspace response system. The private sector, offering a host of cyber-security products and tools, and consumers also play a powerful role in keeping us all safe online. Companies such as my own employer, PayPal, invest substantially in the security of our own applications and infrastructure; we have state-of-the-art fraud management systems; we work with law enforcement to catch, prosecute, and convict criminals whenever possible. But the persistence of the cyber-crime industry continues.
Although this deregulated approach to Internet safety has largely served us well over the past 15 years, some question whether it’s enough to tackle today’s burgeoning Internet crime industry. Indeed, what’s distressing is there is no reason to believe that Internet crime is under any effective control. This is not due to inertia or lack of interest. All of the trend lines reported by private industry and government continue to show growth “up and to the right.”
Principles for a better Web
By Colin Maclay, Acting Executive Director, and Caroline Nolan, Research Associate, Berkman Center for Internet & Society at Harvard University
More than one billion people are online, with three times that amount connected via mobile devices, just one indication of how integrated digital technologies are with lives and livelihoods around the globe. While governments have for the most part encouraged these developments, they are increasingly aware of technology’s capacity to disrupt existing power structures and accordingly ambivalent. As governments seek to control information and online activities, private actors – information and communication technology (ICT) firms in particular – are increasingly called upon to assist in those efforts.
Many of us mistakenly assume that Internet governance doesn’t touch us, and maybe it doesn’t – what expression is allowed on the Net and whether your personal information is shared with law enforcement is often governed less by law and more by practice. As Jonathan Zittrain and John Palfrey have long argued, companies providing technology services are important Internet points of control and are under great pressure to comply with local laws and practices, which can be at odds with international standards, corporate values, and social norms.
Facets of these corporate dilemmas have been explored by the OpenNet Initiative, the Citizen Lab, Chilling Effects, and other keen observers like Rebecca Mackinnon, but we are just beginning to understand the scope of this rapidly evolving problem. Most of us remain more familiar with a few infamous incidents in certain countries than with the real challenges arising with less fanfare across the world. The emergent nature of global technologies, business models, and government responses makes these complex problems particularly difficult for law to address effectively, at least in the near term. These networked, distributed issues require a dynamic approach, capable of evolving and scaling alongside the problem, and ideally ahead of it.
Launching this week, the Global Network Initiative is a multi-stakeholder effort – grounded in a set of guiding principles, supported by implementation guidelines, and a governance, accountability and learning framework – that establishes a robust, responsive platform for participating companies, NGOs, investors, academics, and others to work together to protect and advance the rights to free expression and privacy in the ICT sector worldwide. The launch represents the empowerment of a coalition that can support companies as they resist governments that seek to enlist them in acts of censorship and surveillance in violation of international standards.
This ground-breaking approach was developed with Google, Microsoft, Yahoo!, Human Rights Watch, Committee to Protect Journalists, Research Center for Information Law at University of St. Gallen, Switzerland FIR, School of Information at University of California-Berkeley, Calvert, F&C Investments and other organizations – hopefully, with many others introducing still greater diversity to come. Our varied views and experiences can be challenging; they push – and allow – us to consider the problem and approaches to it across multiple dimensions, ultimately helping us to balance aspiration and reality (or near term progress with long-term success) in a way that no one sector would likely achieve.
The actions of (and expectations for) companies will evolve over time. Early commitments center on responsible decision-making, specifically developing the capacity to anticipate and address concerns relating to privacy and expression. Among other steps, companies will form cross-functional leadership teams and train employees; conduct human rights impact assessments before entering new geographical or service markets, developing associated strategies to mitigate those risks; and encourage participation in GNI by relevant partners.
Now if only a talking shop were an effective weapon against cybercrime, which is the only malign Internet issue which affects the rest of us….
I am a successful online entrepreneur (publisher and digital films) who has used PayPal for four years now. Merchants never see client card information; it is masked by layers of encryption. We never see any type of proprietary information except email address and shipping address, at the client's discretion. While I do agree that there is cyber crime, this type of online rip-off is a drop in the ocean compared to the wholesale looting of the Treasury that has occurred on Wall Street during the last eight years.
Now those dudes are into some serious criminality. Trillions stolen. People's houses stolen, communities targeted and destroyed; whole States left in financial ruin. The biggest heist in history.
We need regulation. But no one needs it as much as the financial services industry does.