Tag Archive for: internet governance

The battle for the internet

Democracies and authoritarian states are battling over the future of the internet in a little-known UN process.

The United Nations is conducting a 20-year review of its World Summit on the Information Society (WSIS), a landmark series of meetings that, among other achievements, formally established today’s multistakeholder model of internet governance. This model ensures the internet remains open, global and not controlled by any single entity.

This model is now at the centre of a fierce geopolitical struggle. Authoritarian countries are pushing for a multilateral governance approach—one that shifts control of the internet firmly into the hands of governments. This shift would legitimise crackdowns on dissent, expand online surveillance, enable internet shutdowns, weaken human rights, and accelerate the global spread of digital authoritarianism.

Unfortunately, the WSIS+20 review comes as this approach to internet and digital governance is increasingly popular. In recent years China and Russia have made significant inroads in the UN in advancing their interests for greater state control over the internet and digital governance. In 2024, the UN Cybercrime Treaty granted governments new powers over online activity, sparking concerns it could facilitate digital surveillance and legitimise restrictions on human rights and freedoms, while the UN Global Digital Compact also shifted toward a larger state role in digital governance issues.

These developments set a troubling precedent as WSIS+20 unfolds, raising the question of whether the internet remains free and open, or whether the UN will legitimise digital authoritarianism on a global scale.

What is WSIS?

WSIS, held in two phases in 2003 and 2005, was a landmark UN summit that brought the international community together to ‘build a people-centred, inclusive and development-oriented Information Society.’ It established 11 action lines to use information communication technologies for global development and tasked various UN agencies with overseeing their implementation.

In 2005, WSIS’s Tunis Agenda formally established the multistakeholder model of internet governance that had emerged since the internet was created, emphasising the inclusion of governments, civil society, technical experts, academia and the private sector. This recognised that the internet is a network of networks, with multiple stakeholders facilitating its operation. This model—by design—also prevented any single entity, particularly states, exerting undue control or influence over the internet’s architecture. Among WSIS’s achievements was the creation of the UN’s Internet Governance Forum (IGF), a platform where governments, civil society, the private sector, technical experts and academia could engage and collaborate on internet governance issues.

Two decades later, the 2025 WSIS+20 review will revisit established principles and assess progress against the WSIS action lines. The review will consider the extension of WSIS’s mandate, the future of the IGF (whose mandate also expires in 2025) and, potentially, the expansion of WSIS’s mandate to cover emerging technologies such as AI.

The review process has multiple components. UN agencies are conducting reviews of their respective WSIS action lines. The UN Commission on Science and Technology for Development is coordinating input from stakeholders and preparing a report to be released in April. This report will inform negotiations at the UN General Assembly, culminating in a resolution to be presented for adoption by the UN in December. Throughout the year, events such as June’s IGF in Norway (the last before the forum’s mandate expires) and July’s WSIS+20 High-Level Event in Geneva will also provide important opportunities for the multistakeholder community to provide input into the review process before intergovernmental negotiations ramp up.

WSIS and geopolitical competition

With digital technologies playing an ever-growing role in the modern world, the WSIS+20 review is an opportunity to shape the future of the internet and ensure it remains open, inclusive and development-oriented. The aims and ideals of WSIS have never been so important. However, WSIS has become a complicated geopolitical battleground because of its central role in the multistakeholder model of internet governance.

For years, countries such as China and Russia have pushed for a multilateral approach, arguing that internet and broader digital governance should be controlled by states rather than through the multistakeholder model.

Some criticism of the multistakeholder system is warranted. While the model has fostered an open and innovative internet for decades, it has been dominated by Western governments and major corporations, leaving many countries—particularly in the Global South—feeling sidelined in discussions. Its fragmented and complex processes can be difficult and expensive to navigate, limiting meaningful participation. As digital challenges such as AI governance grow more urgent, many countries also see a need for stronger state engagement to protect national sovereignty and counter the unchecked power of Big Tech. Even democracies, historically the strongest proponents of the multistakeholder model, are increasingly drawn to multilateral approaches to rein in tech giants and address digital challenges more effectively.

China and Russia have skilfully and strategically used these criticisms to advance their own agendas, framing multilateralism as a more inclusive and equitable alternative to the multistakeholder model.

However, their push for multilateral governance ultimately serves to entrench authoritarian control over the internet. Both nations promote ‘cyber sovereignty’ or ‘internet sovereignty’ concepts, arguing that states should have absolute control over their domestic internet governance and effectively justifying their digital authoritarian practices.

While their push for increased multilateral cooperation may appear constructive on the surface—multilateral cooperation is normally a good thing—it aims to concentrate power in forums where only nation-states have voting authority, effectively sidelining civil society and other stakeholders. This has serious implications for global human rights and freedoms.

Over the past year, authoritarian states have made significant strides in advancing this multilateral vision within the UN system through processes such as the Global Digital Compact and the Cybercrime Treaty. WSIS+20 is an opportunity for them to consolidate these gains and fundamentally reshape global digital governance in their interests.

What authoritarians want

Authoritarians’ approach to WSIS will likely focus on four broad strategic areas.

First, they will likely push for new initiatives or for inclusion of language that strengthens multilateral cooperation and action, aiming to concentrate power in forums where only nation-states have voting authority, effectively sidelining other stakeholders. This could include attempts to position WSIS as implementing the Global Digital Compact (GDC)—a nation-state negotiated framework—or trying to subordinate WSIS under this framework, despite WSIS’s independent mandate. This could also include attempts to strengthen the newly established UN Office of Emerging and Digital Technologies, an outcome of the GDC. The office has faced controversy over a lack of transparency about its mandate and its potential to not only further centralise internet governance within the UN in New York, but to centre it within the UN secretariat.

Second, they will likely target the IGF. While preventing its extension seems unlikely, authoritarian governments may work to shift its functions to other UN bodies where only states have voting power—a move China has long advocated for. Alternatively, they may seek to weaken the IGF’s effectiveness by maintaining voluntary funding or creating competing multilateral mechanisms that duplicate its functions.

Third, they will likely push to extend WSIS’s mandate to include emerging technologies, particularly through initiatives that emphasise multilateral involvement. This would create opportunities to shape the governance of AI, data, biotechnology and other emerging fields across multiple disparate forums, making it difficult to track developments and coordinate responses.

Fourth, authoritarian states, particularly China, will likely capitalise on WSIS+20’s development-focused agenda. China has promoted the right to development to justify its prioritisation of state-led economic growth over other universal human rights and freedoms, serving as a strategic tool to strengthen China’s domestic authoritarian model in the name of economic progress. WSIS+20’s emphasis on development, and the urgent need to close the global digital divide, creates a risk that this concept could spread to global digital governance. This would provide a framework for other governments to adopt digital authoritarian practices under the guise of national development priorities.

The central role of the Global South in the review process makes this more concerning. China wields considerable influence through this group, including via the G77+China group, which represents 134 of the 193 UN member states—a majority of UN votes if they negotiate or vote as a bloc, as they did in last year’s GDC negotiations.

The structural elements of the WSIS+20 review further tilt the process in favour of authoritarian interests. The outcome document will be presented for adoption by the UN General Assembly’s Second Committee. Beijing has historically wielded significant influence in this forum, increasing the risk that WSIS+20 shifts toward a state-centric model at the expense of the multistakeholder model.

WSIS isn’t happening in a vacuum

While the WSIS+20 review may seem like an abstract UN process, it’s unfolding in a rapidly changing internet and digital landscape.

The internet is becoming less open and less global as national governments—including democracies—assert greater control over digital spaces. Global internet freedom is in decline, with China and Russia advancing their state-centric visions for digital governance—not only within the UN but also through influential groups like BRICS and the Shanghai Cooperation Organisation. Meanwhile, China is exporting its digital authoritarian model worldwide via the Digital Silk Road, embedding rules and technologies that entrench state control.

This shift isn’t just happening at a normative or policy level. Technical standards—long an area of geopolitical competition—are beginning to split. The technical foundations of the global internet are also beginning to fracture. For instance, China’s proposed IPv6+ initiative introduces protocols that enable greater state control over internet traffic, raising concerns about its potential global adoption through the spread of Chinese technology.

The internet’s physical infrastructure is also splintering. Subsea cables, telecommunications networks and satellite systems are increasingly fragmented along geopolitical divides. Efforts to decouple technology supply chains—including critical minerals, semiconductors, and advanced chips—are further deepening these divisions.

Conclusion

WSIS+20 is not just another review.  It is a crossroads for the future of the internet.

For democracies, WSIS represents the last major opportunity to defend the multistakeholder model of internet governance. Democracies must lead efforts to improve the multistakeholder model, making it more inclusive and responsive to the needs and interests of the Global South with clear ideas about how to harness digital technologies for development. WSIS is an opportunity to genuinely collaborate with these nations to evolve the system and address developmental challenges, all while countering the narratives promoted by authoritarian regimes.

Multistakeholder bodies, such as ICANN, as well as the technical community and civil society, mobilised ahead of the GDC negotiations last year to push back on attempts to erode the open and global internet and shape discussions on how the multistakeholder model could evolve. They are likewise approaching WSIS with the gravity it deserves. Democracies must do the same.

If democracies fail to approach WSIS with the magnitude it deserves, 2025 may well mark the end of the open global internet. The battle for the internet is not just about digital governance- it’s the frontline of the broader struggle over the global order.

Authoritarian states recognise this. It’s time democracies did too.

Removing the risks from a decentralised internet

Increasingly, people worry about the concentration of power in the digital environment, and the control that large companies exercise over users’ data and experiences online. The Australian government has opted to regulate ‘big tech’ for a range of online harms. But more broadly, this concern has led to calls to ‘re-decentralise’ the internet, harking back to the early days of the web before these companies which now serve as gatekeepers to the internet existed.

Under a decentralised internet, often referred to as ‘DWeb’ or ‘Web 3.0’, people’s data, information and interactions are widely distributed. Power is also redistributed, with people able to access online services and platforms without relying on a concentration of large technology companies that operate centralised servers.

While this allows users to protect their information and control their online experiences, it can also make it more difficult to hold users (or the entities behind them) responsible for illegal and harmful content and conduct.

Highly decentralised networks are currently used by a minority of users with special interests—and, unfortunately, some bad actors. However, there’s growing interest within the tech community in developing decentralised platforms and services for messaging, file sharing and social networking. For example, Twitter’s Bluesky project is looking at an open decentralised standard for social media.

At eSafety, we understand the importance of taking a balanced, nuanced and proactive approach to emerging technologies and digital trends. It is incumbent on us, as an agency with a mandate to ensure that Australians have safer and more positive experiences online, to assess risks in emerging technologies. We help prevent harm through research, awareness raising and education. We aim to better protect citizens when harm has occurred via our statutory content, reporting schemes and investigations and to support, guide and assist industry to develop safer online products via our Safety by Design initiative.

Decentralisation has the benefit of improving users’ security, privacy and autonomy because they have greater control over their personal information and online experiences. It can enhance freedom of expression by removing the ability of technology companies and authorities to control who can connect and communicate online, or to control content and conduct. Conceptually, and dependent on a spirit of altruism and benevolence, this could protect diversity of thoughts and opinions and reduce the risk of monitoring, tracking and targeting of at-risk or marginalised individuals or groups, including whistleblowers and advocates for social change.

The risks centre on the absence of centralised servers, the lack of central authority, and the fact that storage and distribution of data are spread across many computers on decentralised services and platforms. These factors make it difficult to moderate, regulate or manage illegal and harmful content and activities. Similar to the dark web, these niche spaces can attract groups with an interest in violent extremism, child sexual exploitation or other forms of crime, particularly when they have been barred from mainstream centralised services.

A range of decentralised services—especially those that are also encrypted—can be used to facilitate the spread of harmful and illegal content and to organise harassment and violence with impunity.

eSafety and other INHOPE member hotlines around the world facilitate removal of child sexual exploitation and abuse material to minimise ongoing harm and re-traumatisation of victims. That’s done by determining where the content is hosted and alerting authorities in the relevant country so they can enforce removal, assuming that the content is illegal in that jurisdiction.

In a decentralised system where content is not hosted by a single server within a particular country, but stored and passed around in many ways from computer to computer, this takedown method is no longer effective.

Child sexual abuse offenders have been observed, in online forums, sharing tips on how to evade detection using peer-to-peer and end-to-end encrypted communications channels. Offenders preoccupied with preserving their ‘collections’ of material may also seek the perceived immutability of decentralised environments built on blockchain and peer-to-peer technology.

As mainstream platforms increasingly respond to violent extremist content and activity, it has become clear that extremist groups have started moving to decentralised services to fundraise, share propaganda and organise hate-based violence and harassment.

One of the most notable examples is the migration of Gab—a social network known to have users linked to Nazi ideology—to Mastodon, a decentralised software platform. While Mastodon’s creator has made clear his opposition to Gab’s aims and philosophy, he has also conceded that he can’t ban Gab from the platform because it’s decentralised. Most Mastodon administrators have blocked Gab users, minimising their reach into the broader federation. However, new users continue to join and connect on Gab.

Unchecked online environments could allow bullying, harassment, intimidation, discrimination and other abuses to grow, without providing any way for users to get help or for consequences to be imposed on those responsible. It would be up to the members of individual online communities on each decentralised service or platform, or the nodes within them, to decide and apply standards in their own environment or across their networks.

While decentralised communication systems can protect some marginalised voices from being silenced, these same environments can also allow racism, homophobia, misogyny and other forms of hatred to flourish. eSafety’s research and reporting trends show that online abuse is most often targeted at individuals and groups who are more at risk than others because they are socially, politically or financially marginalised. For these people, the inability to enforce standards for conduct and content within a decentralised internet may harm freedom of expression instead of improving it. The current trend towards decentralisation may push marginalised groups away from the services and platforms that would otherwise allow them to be seen and heard, deepening the divide between those who can enjoy the internet and those who cannot.

To be socially responsible, decentralised services and platforms must commit to protecting the safety of users, and not just their privacy and security. That means being aware of the safety risks in what they provide, informing users about those risks and taking steps to reduce or eliminate them. It means taking a safety-by-design approach to the development of these platforms and broader Web 3.0 infrastructure so that the online safety risks of decentralisation are considered along with the benefits.

Safety protections for decentralised services may include community moderation and incentives where an online community maintains a moderation policy based on agreed rules. Features such as voting systems can allow users to decide acceptable conduct and accessible content. In addition, built in incentives, such as micropayments or other rewards, may encourage positive behaviour and safer environments.

Opt-in governance can be used on blockchain networks to allow users to agree to community standards or rules, without the need for a central authority to manage the agreement. In a blockchain network, these agreements are traceable and transparent. In theory, this means accountability and enforcement measures can be applied to terms of service breaches.

Verifying and storing a user’s digital identity through a decentralised system can allow people to access different services and platforms with multiple identities and pseudonyms without having to reveal personal information to the technology companies that own and operate centralised servers. A socially responsible decentralised community could allow users to endorse content from digital identities or pseudonyms which they trust not to engage in harm or abuse.

Decentralised services and platforms can be built using technology protocols that allow third-party content moderation tools to, for example, scan for child sexual abuse material. Their operation would have to be agreed to by the community of users.

This trend underscores the need to strive for improved safety on centralised services and platforms, ensuring that safety by design is given the same priority as security and privacy by design. We must work across borders and encourage greater international consistency and shared approaches to help counter online risks and harms on decentralised services and platforms.

Given that decentralised services currently have little reach into the general population, many bad actors continue to rely on mainstream platforms to find targets and it remains critical to continue pushing bigger tech companies to enforce their terms of service and collaborate with one another to remove pathways to online harm.

eSafety will continue to work collaboratively across sectors and jurisdictions to ensure that the safety and wellbeing of citizens in digital environments are being addressed. We’ll do that with an  eye to the future, so that we can shape the next-generation internet to be the Web 3.0 that we all want and need.

You can find a more detailed brief on decentralisation, as well as other tech trends and challenges briefs, on eSafety’s website.

How will new cybersecurity norms develop?

Last month, United Nations Secretary-General António Guterres called for global action to minimise the risk posed by electronic warfare to civilians. Guterres lamented that ‘there is no regulatory scheme for that type of warfare’, noting that ‘it is not clear how the Geneva Convention or international humanitarian law applies to it’.

A decade ago, cyber security received little attention as an international issue. But, since 2013, it has been described as the biggest threat facing the United States. Although the exact numbers can be debated, the Council on Foreign Relations’ ‘Cyber Operations Tracker’ contains almost 200 state-sponsored attacks by 16 countries since 2005, including 20 in 2016.

The term cybersecurity refers to a wide range of problems that were not a major concern among the small community of researchers and programmers who developed the internet in the 1970s and 1980s. In 1996, only 36 million people, or about 1% of the world’s population, used the internet. By the beginning of 2017, 3.7 billion people, or nearly half the world’s population, were online.

As the number of users soared after the late 1990s, the internet became a vital substrate for economic, social, and political interactions. Along with rising interdependence and economic opportunity, however, came vulnerability and insecurity. With big data, machine learning, and the ‘internet of things’, some experts anticipate that the number of internet connections may grow to nearly a trillion by 2035.

The number of potential targets for attack, by both private and state actors, will expand dramatically, and include everything from industrial control systems to heart pacemakers and self-driving cars.

Many observers have called for laws and norms to secure this new environment. But developing such standards in the cyber domain faces a number of difficult hurdles. Although Moore’s law about the doubling of computing power every two years means that cyber time moves quickly, human habits, norms, and state practices change more slowly.

For starters, given that the internet is a transnational network of networks, most of which are privately owned, non-state actors play a major role. Cyber tools are dual use, fast, cheap, and often deniable, verification and attribution are difficult, and entry barriers are low.

Moreover, while the internet is transnational, the infrastructure (and people) on which it relies fall within the differing jurisdictions of sovereign states. And major states differ in their objectives, with Russia and China stressing the importance of sovereign control, while many democracies press for a more open internet.

Nonetheless, the description of ‘www’ as the ‘wild west web’ is a caricature. Some norms do exist in cyberspace. It took states about two decades to reach the first cooperative agreements to limit conflict in the nuclear era. If one dates the international cybersecurity problem not from the origins of the internet in the early 1970s but from the takeoff period since the late 1990s, intergovernmental cooperation in limiting cyber conflict is now at about the two-decade mark.

In 1998, Russia first proposed a UN treaty to ban electronic and information weapons (including for propaganda purposes). With China and other members of the Shanghai Cooperation Organization, it has continued to push for a broad UN-based treaty. The US continues to view such a treaty as unverifiable.

Instead, the Secretary-General appointed a Group of Governmental Experts (UNGGE) which first met in 2004, and in July 2015 proposed a set of norms that was later endorsed by the G20. Groups of experts are not uncommon in the UN process, but only rarely does their work rise from the organisation’s basement to recognition at a summit of the 20 most powerful states. The UNGGE’s success was extraordinary, but it failed to agree on its next report in 2017.

Where does the world go now? Norms can be suggested and developed by a variety of policy entrepreneurs. For example, the new non-governmental Global Commission on Stability in Cyberspace, chaired by former Estonian foreign minister Marina Kaljurand, has issued a call to protect the public core of the internet (defined to include routing, the domain name system, certificates of trust, and critical infrastructure).

Meanwhile, the Chinese government, using its Wuzhen World Internet Conference series, has issued principles endorsed by the Shanghai Cooperation Organization calling for recognition of the right of sovereign states to control online content on their territory. But this need not contradict the call to protect the public core, which refers to connectivity rather than content.

Other norm entrepreneurs include Microsoft, which has issued a call for a new Geneva Convention on the internet. Equally important is the development of norms regarding privacy and security regarding encryption, back doors, and the removal of child pornography, hate speech, disinformation, and terrorist threats.

As member states contemplate the next steps in the development of cyber norms, the answer may be to avoid putting too much of a burden on any one institution like the UNGGE. Progress may require the simultaneous use of multiple arenas. In some cases, development of principles and practices among like-minded states can lead to norms to which others may accede at a later point. For example, China and the US reached a bilateral agreement restricting cyber espionage for commercial purposes. In other cases, such as security norms for the internet of things, the private sector, insurance companies, and non-profit stakeholders might take the lead in developing codes of conduct.

What is certain is that the development of cybersecurity norms will be a long process. Progress in some areas need not wait for progress in others.

The internet of concerning things

The internet of things (IoT) is a network of everyday items, such as fridges, washing machines and even automobiles, that connect to the internet to share and exchange information. Kevin Ashton, who coined the term in 1999, takes the concept one step further, describing it as a ‘ubiquitous sensor network’ that increases automation and thus efficiency.

The IoT has been high on the tech agenda since the early 2000s, and leading technology company Gartner has predicted that 26 billion IoT devices will be connected by 2020. Right now, however, one of the biggest challenges for consumers, manufacturers and regulatory bodies is the lack of universal security standards governing the IoT.

The internet of things is affecting an extensive range of industries, including health care, transportation, construction and retail. The idea of a smart home filled with automated devices such as security gadgets and talking appliances is old news. The Indian government has plans to build 100 smart cities using IoT technology to improve public transport, reduce emissions and enhance security.

IoT technology has been gradually incorporated into the construction industry, helping to reduce fatalities and workplace injuries. Sensors attached to heavy machinery are providing detailed 3D position guides as well as information about electrical lines and water mains. Poor communication and human error—two things that are responsible for construction site mistakes and injuries—will be significantly reduced with additional implementation of IoT technology.

A Fitbit proved invaluable for a man with atrial fibrillation who was taken to hospital after having a seizure last year. The Fitbit data stored on his smartphone showed when the arrhythmia began, which helped doctors determine the appropriate treatment to return his heart to its natural rhythm. Real-Time Innovations believes that integrating IoT technology into the US healthcare system could save 50,000 lives a year by improving clinical data and reducing hospital errors.

On the other hand, security researchers have identified a plethora of IoT vulnerabilities that can be compiled into a compendium of IoT horror stories.

A group of researchers from the University of Michigan hacked a traffic light in 2014, citing a lack of encryption combined with weak passwords as major concerns. The study explains that while traffic lights originally operated on individual timers, they’re now part of a complicated interconnected system that can ultimately save time and reduce carbon emissions. Compromising a traffic light could not only lead to a serious automobile accident, but also gridlock a whole city, resulting in lost wages, wasted time and environmental damage.

Your DVR could, unbeknown to you, be participating in an attack on government websites. The Australian Bureau of Statistics and Census websites crashed while people attempted to fill in their census forms in August 2016. The bureau later revealed that a distributed denial of service (DDoS) attack had overwhelmed the server with requests from many separate sources. Internet-enabled household items such as lights, baby cameras and other electronics can be used for DDoS attacks if they aren’t properly secured. In October 2016, the Mirai Botnet, the largest DDoS attack in history, wreaked havoc in the US and Europe by using IoT devices to attack the internet’s underlying infrastructure and bring down Netflix, CNN and a collection of other websites.

In one of the more disturbing stories, researcher Matt Jackubowski was able to hack a Hello Barbie, a wifi-enabled doll that records conversations with children and stores them as MP3 files. In addition to obtaining the files, Jackubowski got an account ID and network name. He believes that it’s only a matter of time before someone figures out how to replace the doll’s voice and remotely communicate with a child. The playground for cyber predators just got a whole lot bigger.

A major challenge in regulating the IoT is creating protocols that improve security without stifling innovation and increasing costs. Australia represents only a small portion of the IoT market. This means that overregulating IoT security could discourage foreign vendors from selling in Australia, as the required security features may prevent their products from being financially viable.

Having such a wide variety of IoT devices means that security measures will vary. While most devices could be used in botnet or DDoS attacks, some IoT technologies, such as those used in transportation or medicine, should require tighter regulation because they pose additional risks.

In the US, a group of senators has introduced bipartisan legislation that would provide minimum standards for IoT technology purchased by federal agencies. The Internet of Things Cybersecurity Improvement Act of 2017 highlights the importance of built-in security and the provision of security patches for newly exposed vulnerabilities.

ASPI will publish more about the internet of things in the coming months. While there are many questions still to be answered about the IoT, a significant portion of the debate will need to be focused on how to balance security regulations and innovation.

Governing the Net: 10 years on from WSIS

Ten years have passed since the World Summit on the Information Society—better known as WSIS—agreed on a working definition of the concept of ‘Internet governance’. While a number of delicate political agreements were reached at this two-phased United Nations summit (2003 in Geneva and 2005 in Tunis),alongside that definition much was left unresolved.

WSIS brought together governments, civil society, private sector, intergovernmental and international organisations, as well as the technical community, in an important democratising effort to encourage a multi-stakeholder approach to Internet governance matters.

One of the biggest controversies during WSIS was the topic of who controls the Internet and, more specifically, what’s the appropriate role of governments. Central to that debate was a governance model that had long been in place, the model for managing what WSIS labelled as ‘critical Internet resources’. Read more