What makes a state online?
Refining notions of state power on the Internet
A story last week: Google unilaterally shut down a US ally’s hacking operation.
Google researchers discovered a highly sophisticated, months-long campaign that targeted previously undiscovered exploits in iOS, Android, and Windows. Google patched, and helped Apple and Microsoft patch, those exploits, effectively ending the country’s operation. In the parlance of security, Google burned a US ally's 0-days, knowing full that it was doing so.I think this incident matters because it’s the closest I’ve seen to firms competing with states for power on the Internet.
Of course, now I need to explain (to myself): what does it mean for a state to have power on the Internet? How can we describe or characterize the power states exert over the Internet? My working hypothesis (which I'm happy to refine, expand, or falsify): there are two fundamental properties, conceptually similar to Max Weber's “monopoly on the legitimate use of violence,” that characterize state power online.
1. Direct control over physical properties of the network
One vector of state power online: controlling physical properties of the Internet—things you can describe as “being owned.” The analogy to Weber's notion of a “legitimated use of physical force” here is that direct control allows unilateral action—coercion—conceptually similar to force on the Internet.
Examples include:
Performing on devices, foreign or domestic.
Intentionally slowing down Twitter using state-owned infrastructure.
Cutting (or building) undersea or terrestrial Internet cables.
Shutting down
(or starting) data centers, server farms, the switchboards that connect them.Modifying software or the codebases that power them, which are materially instantiated in space and time as programs run on physical machines.
And, I’m sure, many more.
Commentary
The United States connects to the world’s Internet via undersea cables that run through Point Arena, a small town in Northern California.
Imagine if the US cut those cables! Imagine a revolution in the US in which the revolutionary guard snipped them! In either scenario, the chaos would be considerable.2. Indirect control over physical properties of the network
Another vector of state power online: the ability to coerce (“legitimately”) other institutions to control the physical properties of the network toward some desired end.
Examples include:
The US government demanding that DNS registries transfer DNS control for a domain to the US government.
Controlling allocation of the frequency spectrum (enacted by influence over manufacturers, complaint standards bodies, etc.).
Demanding manufacturers install encryption backdoors into devices—or tricking them into doing so via standards-setting bodies.
And, I’m sure, many more.
Commentary
Even Starlink, Elon Musk’s satellite Internet project, is susceptible to this sort of indirect control. But whose control? If the satellites deliver the Internet to China, bypassing the so-called Great Firewall, would that engender conflict between China and the US? Between China and Starlink? How might China resolve those conflicts?
These questions, in turn, make me wonder: is Starlink itself gaining a state-like power by constructing its Internet satellite constellation? Is that perhaps the goal, or at least a goal, of Starlink?
So what?
State power on the Internet is defined even more poorly in the “cyber domain” than in (quote-unquote) real life. These poorly defined notions make it difficult for states to identify actions that help them accomplish their goals—let alone to understand or contextualize the moves of other states. Understanding these forms of power, in their particulars,
can help us better understand how states (and others) cooperate and compete in this supposedly “new” domain.Back to the Google case: insofar as we can “legitimately” turn our devices on or off or manage our home networks, I suppose we all exert power over the Internet in some limited sense. But Google was able to manipulate physical properties of the network in competition with US allies, and in a way that those within Google’s digital “territory” see as legitimate—that, to me, is noteworthy.
Questions for you (and for me)
Some questions I’m still pondering:
Are these vectors of power fundamentally "new"? Or do they rehash or repackage old types of state power?
If they're new, could new vectors of state power enable qualitatively new types of states?
If they're old, can we use old tools to understand them better than we do today?
Here’s the story from MIT Tech Review. The Risky Biz podcast covered the original Google Zero blog post the week before that story broke; it was clear enough from Google’s original blog post that the operation Google shut down was either a US ally or the US itself.
When it comes to the powers inscribed in web search, data center provision, naming, and other critical Internet infrastructure, states in the West gave their power to firms willingly.
Max Weber defined states as enterprises with a “monopoly on the legitimated use of physical force.” “Legitimated” here is to be understood to mean that the force is seen to be legitimate. Weber also described the limitation of this monopoly to a particular geographic area as one of the defining characteristics of a state. This notion of “geographic area” probably overfits the historical conditions in the 20th century. But the idea of “area” as it applies to the Internet something I need to refine later.
What makes that control “legitimate” or “illegitimate” is muddled by the complex realities of who does or even can control a computer—see Peter Eckersley’s talk on this topic. For now, I assume any direct control over a network is de facto legitimate insofar as it is possible to perform. If you can do it, you own it. That definition coheres to notions of “owning” (boxes, servers, systems) in computer security parlance.
Yes, Russia is intentionally throttling bandwidth on Twitter.
India quite regularly shuts off the Internet to achieve domestic political goals.
Europe is trying to start a state-backed cloud infrastructure, GAIA-X. The goal is partially to compete against US companies. But GAIA-X also embeds and enforces specific ideas of what cloud services should do, what guarantees they should make. That’s a strategic aim. In a sense, the GAIA-X project seeks to compete with the US private sector over the power to circumscribe personhood in data.
Geiger, R. Stuart. “Bots, bespoke, code and the materiality of software platforms.” Information, Communication & Society 17.3 (2014): 342-356.
Ingrid Burrington has a beautiful piece on how this Point Arena site illustrates the discontinuities of US Internet infrastructure.
Perhaps this notion is conceptually similar to the extraterritorial imposition of territorial rules. Can US IP law extend to India? If an Indian pharmaceutical company breaks a US patent, what does the US do? There’s a lot of literature on this issue—think: the US removing access to clearing facilities to get foreign companies to follow US law. Maybe that body of literature could provide a conceptual handrail here.
Wong, Richmond Y., and Steven J. Jackson. “Wireless visions: Infrastructure, imagination, and US spectrum policy.” Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing. 2015.
The US introduced an encryption backdoor via an insecure NIST encryption standard for elliptic curve cryptography.
I’m thinking of Robert Dahl’s definition of power: “a relationship (actual or potential) in which the behavior of actor A at least partially causes a change in the behavior of actor B.” The particulars, then, would be the domain (the number or importance of other actors subject to A’s influence) and the scope (the aspect of B’s behavior affected by A) of those powers, among other considerations.