The Internet Reform Trilemma

An "open" Internet faces challenges from autocratic governance models. Policymakers should instead think about creating an Internet that's equitable, inclusive, and secure.

Nick Merrill, Research Fellow, UC Berkeley Center for Long-Term Cybersecurity

April 13, 2023

4 Min Read
a person typing on a laptop with digital internet symbols floating out of the screen
Source: Artur Marciniec via Alamy Stock Photo

In policy circles, we often hear about the need for a "free," "open," and "secure" Internet. This was most recently the case with the White House's Declaration for the Future of the Internet. Ideally, users benefit from all three properties. However, fundamental tradeoffs between them force us to look for other goals. These three properties present a "trilemma" — and we must choose only two.

As a supposedly "open" Internet faces challenges from autocratic governance models, policymakers should think instead about creating an "equitable, inclusive, and secure" Internet — criteria I believe are actually achievable with policy interventions.

"Free," "open," and "secure"? Those are all slippery notions, but they have traditionally been operationalized by three properties.

"Free" has been understood to mean "permissionlessness" — anyone can send anything to anyone.

"Open" has been understood to mean common carriage. Common carriers (traditionally Internet service providers or ISPs) cannot filter content. This notion has been referred to as "net neutrality" in US policy debates.

"Secure" has been understood to mean reasonable protection against attack: Internet users should enjoy reasonable protection against both unfocused attacks (like distributed denial of service, or DDoS) and targeted ones (like ransomware).

Diagram showing

To understand this trilemma, let's start by understanding how security is achieved on the Internet today. Content distribution networks (CDNs) — like Cloudflare — use AI to defend against both large-scale and targeted threats. Due to their efficacy, CDNs have grown in their importance: Per recent estimates, CDNs now deliver three-quarters of traffic directly to users.

However, CDNs are not common carriage: Algorithms inspect content and make a judgment about whether to allow or block it. Let's call this strategy "secure with AI."

Could we have protection against cyberattacks and common carriage? Yes: We could use cryptographic identities to authenticate traffic. Traffic could then be common carriage, and end users could decide which identities to accept (or reject) traffic from. The problem? In such a world, we lose the "free" or permissionless Internet, creating a scenario I call "secure with ID."

Toward an Inclusive and Equitable Internet

Which world do we prefer?

Let's start with the secure with AI world. We sacrifice common carriage: "Stop worrying and love the algorithm." Can AI be made inspectable, regulatable, and directly accountable to policymakers, and also be robust against attacks? These questions would guide us in understanding the workability of this approach.

Now, let's look at the other side: secure with ID. We regain common carriage but open up new avenues for discrimination. A properly engineered system should obfuscate users' exact identity (e.g., one's name), but will reveal which authority granted that identity (e.g., "Is this person American?").

In navigating these two worlds, inclusion and equity must be our north star.

Imagine you live in Ghana. As research on this topic reveals, people from countries like Ghana are regularly prevented from accessing websites, thanks to AI-powered "security" measures from CDNs. How can we make a democratically governed Internet more inclusive while retaining our democratic values?

In the "secure with AI" world, we would need Ghanaians (and others from countries in which connectivity is fast-rising) to sit at the table in which algorithms are governed.

In the "secure with ID" world, we would need to give Ghanaians robust digital identities — not only to hand Ghanaians identities,but to make these identities legible and usable in actual practice, and to give Ghanaians a say in how those identities work.

Which is harder? Which is more inclusive in practice? Which does a better job of assuring a democratic Internet, one subject to the will of the broadest number of people — not in theory, but in practice?

Looking Over the Horizon

Artificial intelligence, quantum communication, bioengineered pathogens: Various near-future technologies will require strict governance and sharp policy thinking.

These threats are — and I'll use a technical term here — scary. Here's where I take solace: If we can manage to govern the Internet, we'll find ourselves many steps closer to managing technology broadly.

The Internet governs the way technologies communicate with one another. As we govern transportation by placing roads and skies under publicly accountable institutions, we can govern technology — particularly AI — by placing Internet infrastructure under the right kinds of public accountability.

Democracy can find an answer here, and that answer will propel us closer to a model of democratically accountable technology.

What does that accountability actually look like? Answers to this question will help shape the future. Will our children, and their children, fear technology, or control it? Will they be watched over by technologies — by technocrats — or will they do the watching?

About the Author

Nick Merrill

Research Fellow, UC Berkeley Center for Long-Term Cybersecurity

Dr. Nick Merrill is a research fellow at the UC Berkeley Center for Long-Term Cybersecurity and director of the Daylight Lab. His work focuses on fostering meaningful, binding, and inclusive popular control over the internet. Dr. Merrill is a founding member of DAO DAO, a digital cooperative that develops tools for managing worker-owned co-ops. His threat identification processes have been adopted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Meta (formerly Facebook). Dr. Merrill's research on internet fragmentation has influenced policymakers and industry leaders, and his work has been published in numerous peer-reviewed venues. As an advisor, he has consulted for the U.S. Postal Service, Congressional aides, U.S. Executive Branch officials, and large consulting firms, sharing his expertise at the intersection of technology, security, and governance.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights