Code Is Law
It’s Time to Rewrite the Internet to Give Us Better Privacy, and Security
It’s not too late to restore confidence, writes “digital Cassandra” Lawrence Lessig, but we need to start by asking the right questions.
“The United States government spies on its citizens.” What does that mean?
Almost 15 years ago, as I was just finishing a book about the relationship between the Net (we called it “cyberspace” then) and civil liberties, a few ideas seemed so obvious as to be banal: First, life would move to the Net. Second, the Net would change as it did so. Gone would be simple privacy, the relatively anonymous default infrastructure for unmonitored communication; in its place would be a perpetually monitored, perfectly traceable system supporting both commerce and the government. That, at least, was the future that then seemed most likely, as business raced to make commerce possible and government scrambled to protect us (or our kids) from pornographers, and then pirates, and now terrorists.
But another future was also possible, and this was my third, and only important point: Recognizing these obvious trends, we just might get smart about how code (my shorthand for the technology of the Internet) regulates us, and just possibly might begin thinking smartly about how we could embed in that code the protections that the Constitution guarantees us. Because—and here was the punchline, the single slogan that all 724 people who read that book remember—code is law. And if code is law, then we need to be as smart about how code regulates us as we are about how the law does so.
There is, after all, something hopeful about a future that was smart about encoding our civil liberties. It could, in theory at least, be better. Better at protecting us from future Nixons, better at securing privacy, and better at identifying those keen to commit crime.
Think about this practically. Cyberanarchists notwithstanding, it was clear even in 1999 that there would be government and surveillance in cyberspace just as in real space. But the potential was that it could be better. Not just better only in finding the crook, but in not invading privacy. An FBI agent listening to a telephone call is always tempted to wander or misuse. S/he is human, and bad is in our blood. A computer sniffing for signals of crime only wanders as far as the code allows. And so the key is how and whether we regulate how far the code can wander—and do so both in law and in code.
None of this, it turned out, was obvious in 1999. I was deemed “a digital Cassandra” by David Pogue writing in The New York Times. “If you don’t like the Internet’s system, you can always flip off the modem,” he concluded. Sure. Turn off the machine, move to Iceland, and you’ll be just fine.
But what astonishes me is that today, more than a decade into the 21st century, the world has remained mostly oblivious to these obvious points about the relationship between law and code.
That’s the bit in the Edward Snowden interview that is, to me, the most shocking. As he explained to Glenn Greenwald:
The NSA specially targets the communications of everyone. It ingests them by default. It collects them in its system, and it filters them and it analyzes them and it measures them and it stores them for periods of time simply because that’s the easiest and the most efficient and most valuable way to achieve these ends ... Not all analysts have the ability to target everything. But I sitting at my desk certainly had the authority to wiretap anyone—from you [the reporter, Glenn Greenwald], to your accountant, to a federal judge, to even the president if I had a personal email.
We don’t know yet whether Snowden is telling the truth. Lots of people have denied specifics, and though his interview is compelling, just now, we literally don’t know.
But what we do know are the questions that ought to be asked in response to his claims. And specifically, this: Is it really the case that the government has entrusted our privacy to the good judgment of private analysts? Are there really no code-based controls for assuring that specific surveillance is specifically justified? And what is the technology for assuring that rogues paid by our government can’t use data collected by our government for purposes that none within our government would openly and publicly defend?
Because the fact is that there is technology that could be deployed that would give many the confidence that none of us now have. “Trust us” does not compute. But trust and verify, with high-quality encryption, could. And there are companies, such as Palantir, developing technologies that could give us, and more importantly, reviewing courts, a very high level of confidence that data collected or surveilled was not collected or used in an improper way. Think of it as a massive audit log, recording how and who used what data for what purpose. We could code the Net in a string of obvious ways to give us even better privacy, while also enabling better security.
But we don’t, or haven’t, obviously. Maybe because of stupidity. How many congressmen could even describe how encryption works? Maybe because of cupidity. Who within our system can resist large and lucrative contracts to private companies, especially when bundled with generous campaign funding packages? Or maybe because the “permanent war” that Obama told us we were not in has actually convinced all within government that old ideas are dead and we just need to “get over it”—ideas like privacy, and due process, and fundamental proportionality.
These ideas may be dead, for now. And they will stay dead, in the future. At least until we finally learn how liberty can live in the digital age. And here’s the hint: not through law alone, but through law that demands code that even the Electronic Frontier Foundation could trust.