February 4th, 2009

Rising tide of cyber-crime shows why we need Web regulation

Posted by: Michael Barrett

Michael Barrett is the Chief Information Security Officer at PayPal. He is on the advisory board of StopBadware.org, an anti-malware “neighborhood watch” led by Harvard University’s Berkman Center for Internet & Society.

In less than five years, Internet crime has changed from an anomaly of teenage vandals into a multi-billion dollar industry. Just one form of cyber crime, “phishing,” where criminals masquerade as trustworthy entities in e-mails and instant messages to steal private data, reportedly amassed $3.2 billion last year.  Another form, spyware, where software surreptitiously monitors a victim’s online activity, prompted 850,000 U.S. households to replace their computers and inflicted damages totaling $1.7 billion, reported the Consumer Reports National Research Center State of the Net Survey.

At the same time, Internet usage has skyrocketed worldwide with 20 percent of the world’s population, or about one billion people, online today. It’s not hard to understand why the Internet’s popularity has continued to grow in the face of its threats. Could you get through your workday without e-mail or search? Could your kids make it to dinner without checking Facebook or sending a text? If you’re like most people I know, the answer is likely, “no way.”

We are socially and economically dependent on the Internet - a fact that makes us vulnerable in tough financial times. So, it may surprise you to know that no single entity is responsible for regulating the Internet or keeping its users safe.

Historically, Internet safety has relied on the goodwill of a few small actors such as non-profits like StopBadware.org, an anti-malware neighborhood watch led by Harvard’s Berkman Center for Internet & Society. Within the federal government, the Federal Trade Commission monitors Internet fraud and the Department of Homeland Security oversees a national cyberspace response system. The private sector, offering a host of cyber-security products and tools, and consumers also play a powerful role in keeping us all safe online. Companies such as my own employer, PayPal, invest substantially in the security of our own applications and infrastructure; we have state of the art fraud management systems; we work with law enforcement to catch, prosecute, and convict criminals whenever possible. But the persistence of the cyber-crime industry continues.

Although this deregulated approach to Internet safety has largely served us well over the past 15 years, some question whether it’s enough to tackle today’s burgeoning Internet crime industry. Indeed, what’s distressing is there is no reason to believe that Internet crime is under any effective control. This is not due to inertia or lack of interest. All of the trend lines reported by private industry and government continue to show growth “up and to the right.”

President Obama has said that he’ll make cyber security a top priority in his administration and appoint a National Cyber Advisor who will report directly to him.  In a speech at Purdue University last July, Obama said: “We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information - from the networks that power the federal government, to the networks that you use in your personal lives.”

Obama’s desire to administer a national cyber-security policy will surely open one or two Pandora’s boxes in the worlds of Washington and business, where many would prefer for the Internet to remain untouched by government. In the longer term, I predict we will start to see Internet governance follow the same legislative paths as automobiles and airplanes.

The Ford Model T’s introduction in 1908 revolutionized the way Americans viewed cars, and innovations in the speed of manufacturing put an unprecedented number of vehicles on the road, followed by an unprecedented number of safety concerns. Out of a need to prevent accidents, the federal and state governments initiated road regulation with speed limits, traffic lights and signage.

Aviation followed a similar history. The Wright Flyer of 1903 set forth a wave of government regulations of airspace and the aviation industry, with the National Advisory Committee for Aeronautics in 1915, the Airmail Act in 1925, and the Air Commerce Act in 1926. Less than 25 years after the Wright brothers’ first flight, the U.S. government had put in place an extensive regulatory infrastructure. Why? To prevent accidents.

The forcing function that accidents represented for road and air transportation has not existed for the Internet - until perhaps now. As cyber-crime continues to rise, I believe that citizens will increasingly request that their elected representatives do something to “make the Internet safe.” It was citizens’ complaints in the early 20th century that forced initial regulation of roads and aviation - they didn’t like carnage on the roads, and bodies and aluminum raining from the sky. The same pressures are starting to rise again for the Internet.

Internet safety should be a shared responsibility among government, private industry and consumers. But almost none of these regulatory elements are in place today. The rise of cyber-crime, with billions in damages to our economy and consumers, should motivate us to make some changes in the same way accidents catapulted new standards for road and airways. We need to develop a model framework for Internet governance, and we need to do it soon.

October 30th, 2008

Principles for a better Web

Posted by: Reuters Staff

By Colin Maclay, Acting Executive Director, and Caroline Nolan, Research Associate, Berkman Center for Internet & Society at Harvard University

More than one billion people are online, with three times that amount connected via mobile devices, just one indication of how integrated digital technologies are with lives and livelihoods around the globe. While governments have for the most part encouraged these developments, they are increasingly aware of technology’s capacity to disrupt existing power structures and accordingly ambivalent. As governments seek to control information and online activities, private actors – information and communication technology (ICT) firms in particular – are increasingly called upon to assist in those efforts.

Many of us mistakenly assume that Internet governance doesn’t touch us, and maybe it doesn’t – what expression is allowed on the Net and whether your personal information is shared with law enforcement is often governed less by law and more by practice. As Jonathan Zittrain and John Palfrey have long argued, companies providing technology services are important Internet points of control and are under great pressure to comply with local laws and practices, which can be at odds with international standards, corporate values, and social norms.

Facets of these corporate dilemmas have been explored by the OpenNet Initiative, the Citizen Lab, Chilling Effects, and other keen observers like Rebecca Mackinnon, but we are just beginning to understand the scope of this rapidly evolving problem. Most of us remain more familiar with a few infamous incidents in certain countries than with the real challenges arising with less fanfare across the world. The emergent nature of global technologies, business models, and government responses makes these complex problems particularly difficult for law to address effectively, at least in the near term. These networked, distributed issues require a dynamic approach, capable of evolving and scaling alongside the problem, and ideally ahead of it.

Launching this week, the Global Network Initiative is a multi-stakeholder effort – grounded in a set of guiding principles, supported by implementation guidelines, and a governance, accountability and learning framework – that establishes a robust, responsive platform for participating companies, NGOs, investors, academics, and others to work together to protect and advance the rights to free expression and privacy in the ICT sector worldwide. The launch represents the empowerment of a coalition that can support companies as they resist governments that seek to enlist them in acts of censorship and surveillance in violation of international standards.

This ground-breaking approach was developed with Google, Microsoft, Yahoo!, Human Rights Watch, Committee to Protect Journalists, Research Center for Information Law at University of St. Gallen, Switzerland FIR, School of Information at University of California-Berkeley, Calvert, F&C Investments and other organizations – hopefully, with many others introducing still greater diversity to come. Our varied views and experiences can be challenging, they push – and allow – us to consider the problem and approaches to it across multiple dimensions, ultimately helping us to balance aspiration and reality (or near term progress with long-term success) in a way that no one sector would likely achieve.

The actions of (and expectations for) companies will evolve over time. Early commitments center on responsible decision-making, specifically developing the capacity to anticipate and address concerns relating to privacy and expression.  Among other steps, companies will form cross-functional leadership teams and train employees; conduct human rights impact assessments before entering new geographical or service markets, developing associated strategies to mitigate those risks; and encourage participation in GNI by relevant partners.

Company relations with law enforcement can be complex, due to obligations to support both legitimate law enforcement aims and commitments to protect user rights (which is also clearly a business interest).  Under GNI guidelines, companies will request written documentation explaining the legal basis for government restrictions; will seek to minimize the impact of any such restrictions; and will challenge governments when faced with requests that appear inconsistent with domestic law or international human rights standards.

These activities will be verified through an accountability and learning framework, in which outside monitors will explore what is working and what is not, ensuring that companies are making progress on their commitments, and developing remediation where they are not.  Companies’ public reporting will foster greater transparency with users and the wider public.

Beyond these internal commitments (which companies are already introducing), we are optimistic about the Initiative’s capacity for collective action that can have a transformative effect on government behavior and lasting impact. 

As a university research center, the Berkman Center will focus on building the GNI’s underlying foundation – its capacity for learning and research and information sharing – developing strategies to identify, understand, and address the threats to and opportunities for privacy and free expression.

We are in the early stages of a long road but are fortunate to have recognized that these are network issues: they emerge from and are characterized by the distributed nature of ICTs. Effective solutions should be built upon the same platform, with efforts that are independent yet coordinated; responses that are tried, evaluated and refined over time; and lessons that are shared and adapted; and all the while, striving for transparency. The Global Network Initiative connects our contention that the digital world not only gives rise to new challenges, but also allows the formation of new institutions that respond effectively to them.