
James Byrne BBLS jamesddbyrne@gmail.com

Enforced Cooperation Is The New Internet Governance: Lessons Learned From Online Child Pornography

James Byrne BBLS


31st May 2010
Word count: 3073 (incl. footnotes)
jamesddbyrne@gmail.com

Is it any longer a shocking statement to say the internet is regulated? Computer-related
statutes have existed since at least 1979.1 Today, an EU-wide cybercrime unit is
foreseeable.2 Similarly, individual actors create rules enforced by denial of services.3
In this essay, with regard to child pornography, I aim to show that currently there is no
universal enforcement solution for internet regulation. Instead, the correct governance
recognises there are idiosyncratic rules requiring individual enforcement methods and
that this is happening under the emerging system of ‘enforced cooperation’.

1. Civilisation and The Internet


Where is the regulation from? Internet regulation is created by both private4 and
public sources.5 But the internet subsists across about 320 sovereign states.6 States, as
is natural, have developed idiosyncratic rules.7 If the internet could be said to be its
own sovereign state8, or indeed a set of many states,9 then self-regulation may be the

1
North Carolina Gen Stat § 14 – 453-457 (1979, c.831, s1); At federal level in the US - Counterfeit
Access Device and Computer Fraud and Abuse Act 1984; In Ireland the first specific reference was in
the Criminal Damage Act 1991.
2
Out-Law, EU Mulls New Central Cybercrime Agency (28/04/2010)
<http://www.out-law.com//default.aspx?page=10974> accessed 28 April 2010.
3
For one of an untold number of examples, see YouTube, ‘Terms of Use’
<http://www.youtube.com/t/terms> accessed 28 April 2010.
4
E.g. www.hotline.ie
5
E.g. Child pornography on the internet in Ireland is prohibited by the Child Trafficking and
Pornography Act 1998.
6
‘Sovereign states’ in this essay is taken to include individual units within federal or quasi-federal
systems. Wood claims they number about 320. Philip Wood, Principles of International Insolvency,
2nd Ed (Suffolk: Thomson 2007) [3-001].
7
Interpol child abuse laws comparison:
<http://www.interpol.int/Public/Children/SexualAbuse/NationalLaws/Default.asp> accessed 01 May
2010.
8
Thereby creating its own governance, see John Perry Barlow, “A Declaration of the Independence of
Cyberspace,” February 8, 1996
<http://w2.eff.org/Censorship/Internet_censorship_bills/barlow_0296.declaration> accessed 29 April
2010.
9
“The ‘owner’ of the space is the sovereign” Laurence Lessig, Code - Version 2.0, 2nd ed. (New York:
BasicBooks 2006), 285.


optimal governance mechanism. However, the internet has not superseded states,10
but rather exists within states in both a physical and legal sense.11 Demands within
states (e.g. political desires and lobbying in democratic societies) require actions from
existing governments. These actions are constantly developing and ever-increasing
and are supported by the recognition that national borders can be recognised on the
internet.12

As the internet matures, Debora Spar’s final ‘rules’ phase in society’s exploitation of
new discoveries, in the context of child pornography on the internet, should be said to
be ‘application’ rather than ‘creation’ of the rules.13 The question herein is how to
enforce existing idiosyncratic rules fairly.

2. The Debate on Internet Governance


Who enforces the regulation? Self-regulation as such is self-administered and thereby
operates to the extent desired by the administrator in a contained environment.14 In
this essay the concern is the imposition of existing state regulation to breaches via the
internet, and the changes that a state can make to better achieve enforcement.

In Ireland the Gardaí and the DPP are responsible for investigating and prosecuting
child pornography offences.15 Ideally they would be aware of all such imagery in
Ireland along with the location of senders or receivers over the internet in Ireland and
they would pursue Irish cases.16 Internet access providers transfer this information
and so have become a target to aid enforcement.

10
It is said to be ‘splitting apart and reflecting national borders’, Jack Goldsmith and Timothy Wu,
Who Controls the Internet: Illusions of a Borderless World (2006), 41, cited in Lessig, (n. 9), 298.
11
All the functionality of the internet can be shown to occur within a state’s borders, e.g. users access
the internet, servers reside, intermediaries deliver physical goods, ISPs exist as legal persons,
electronic data is transferred, etc.
12
Yahoo! Inc. v. La Ligue Contre le Racisme, 433 F.3d 1199, 1202 (9th Cir. 2006); Commercial
interests develop technology, e.g. Yahoo Music, Google.cn etc.
13
Debora L. Spar, Ruling the Waves, (USA: Harcourt 2001), cited in Ronald J Mann and Seth R
Belzley, ‘The Promise of Internet Intermediary Liability’ W and M LR, Vol. 47, October 2005, 3.
14
E.g. Terms of use of websites. These require regulation e.g. to prevent the ‘you owe me €10 for
accessing this website’ scenario. Tambini notes regulators try to act on case-by-case basis. Damian
Tambini et al, Codifying Cyberspace (London: Routledge 2008), 117.
15
Section 5 of the Child Trafficking and Pornography Act 1998 creates this offence.
16
With potential for international cooperation. Individual mobility or democratised change in a state is
preferential to a race to the top, as discussed in Lessig’s book, where a commentator suggests America
could protect free speech on the internet, denied otherwise to citizens of other countries, Lessig, (n 9),
295.


Mann and Belzley17 argue for intermediaries or ISPs as gatekeepers to be used as
enforcers. Lessig18 describes how the architecture of the internet might be used to
maintain order, by writing it in the ‘code’ or programming of ISPs. This would
involve identifying the location of the user, and ensuring national restrictions apply.
Zittrain19 indicates a movement towards tethered devices limiting user input to meet
security and functionality concerns and applies this idea to ISPs.20

Previously the cost of making ISPs the enforcer was deemed too high against the
benefit of having a blooming internet industry. ISPs were given immunities in terms
of content hosted and information transferred.21 Now we see ‘enforced co-operation’
in data retention laws,22 takedown notices,23 3-strikes arrangements24 and mandatory
filtering.25 All are to be operated by the access provider, but employed by an external
authority.

This extra vertical layer, coupled with its horizontal fragmentation, of the bureaucracy
of internet governance raises concerns over accountability and transparency. However
it recognises that sovereign states with idiosyncratic rules require idiosyncratic
enforcement overseen by the party best placed to determine if an act is illegal. It can
also be used to divide the initial costs of regulation over many participants and allow
the ISP to claim neutrality, as they do not select content.

17
Mann and Belzley (n. 13), part III.
18
“The Many Laws Rule”, Lessig (n. 9), 307-310.
19
Jonathan Zittrain, The Future of the Internet - And How to Stop It (New Haven: Yale University
Press 2008), Introduction;
20
E.g. Cloud Computing; The iPhone example further shows the ambiguous nature of whose rule is to
be applied, see Karl Bode, 'Apple Needs To Offer More, Less Porn, Depending Who You Ask'
(29/04/10) <http://techdirt.com/articles/20100420/1024209108.shtml> accessed 29 April 2010.
21
Tiberi and Zamboni conclude in 2003 that access providers were then generally fully exempt
following the E-Commerce Directive 2000/31/EC and the similar though not identical immunities in
section 230 of the Communications and Indecency Act 1996 and section 512 of the Digital Millennium
Copyright Act in the US. Luca Tiberi and Michele Zamboni, “Liability of Service Providers” (2003)
9(2) CTLR 49, 58.
22
Most recently the Communications (Retention of Data) Bill 2009 implementing an overdue and
obsolescent EU directive (pending legal challenge by DRI), focussing on IP address data, see Richard
Clayton, 'Mobile Internet Access Data Retention (not!)' (14/01/2010)
<http://www.lightbluetouchpaper.org/2010/01/14/mobile-internet-access-data-retention-not/> accessed
30 April 2010.
23
The most prolific is section 512 in chapter 5 of title 17 of the United States Code – The DMCA
takedown order.
24
EMI Records & Ors v. Eircom Ltd [2010] IEHC 108.
25
European Commission, “Proposal for a Council Framework Decision on combating the sexual abuse,
sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA”.


Legislation may then be used to incentivise and regulate these arrangements.26 It is
not necessary that ISPs be threatened with responsibility for the user in default as
alternative penalty schemes within ‘enforced cooperation’ may be formulated. Key to
government action in the ongoing development of internet regulation will be the
introduction of systems such as independent audits, requirements for court orders,
mandatory data breach notifications to the Data Protection Commissioner, privacy
legislation27 and a right to challenge acts and decisions which must be legislated for to
ensure protection for citizens’ rights.28

Zittrain warns however against perfect enforcement, questioning which rules should
be used, highlighting that mistakes are locked-in and laments the lost benefit from
tolerated uses.29 Edwards iterates a concern raised by ISP enforcement succinctly as
“whether they could in practice take any steps to deal with such responsibility and
avoid risk”.30 As discussed in section 3(i) below, enforcement is not perfect and may
not need to be so. Additionally enforced cooperation would aim to retain ISP
immunities, as an administrative authority31 would require “the service provider to
terminate or prevent an infringement”.32 ISPs would not be required to do so
independently.33 This language may even go far enough to inhibit the use of enforced
cooperation for issues not legislated for, creating transparency at the outset.

The ISP industry is maturing and there are relatively stable visible players whose
assistance is forthcoming.34 The open question, and one unfortunately I’m not in a

26
Rather than previous failed attempts at direct regulation for example the Communications Decency
Act as discussed in James Boyle, “Foucault in Cyberspace” (1997) 66 UCLR 177, Part III.
27
Congressman Rick Boucher has published a draft Privacy Bill in the US which may set the tone for
future developments
<http://www.boucher.house.gov/index.php?option=com_content&task=view&id=1957&Itemid=41>
accessed 8 May 2010.
28
Recently Brazil amended proposals for implementing an internet governance regime to provide
notice and takedown by court order only, in response to public consultation.
<http://blog.ericgoldman.org/archives/2010/05/brazils_propose.htm> accessed 6 May 2010.
29
Zittrain, (n. 19) 110-126.
30
Lilian Edwards, ‘The Fall and Rise of Intermediary Liability Online’ in Law and the Internet, ed.
Edwards and Waelde, 3rd Ed, (Oregon: Hart 2009), 48.
31
In this context meaning a state body, e.g. via takedown notices filed pursuant to legislation.
32
Article 12(3) of the E-Commerce Directive (n. 21).
33
A particularly important point given the sheer number of ISPs operating at various standards.
34
As the market changes so will the ISPs, e.g. mobile internet providers. Presently, note the Eircom
Settlement (n. 24) and Google’s recently published government requests overview found at
<http://www.google.com/governmentrequests/> accessed 30 April 2010;


position to answer is, can technology deliver?35 Internet monitoring and blocking and
notice and take down present themselves to be utilised under enforced cooperation.
However, when considering the issue of child pornography, despite the level of
international consensus and transferability of the rules to the internet, gaps appear in
this governance system.

3. The Lessons Learned From Child Pornography36


(i) We’re not doing enough
Though penalties can be significant, e.g. 14 years imprisonment for production or
distribution of child pornography,37 it appears the issue is rampant in light of
Operation Ore.38 The best efforts have only kept the honest, honest.

Lessig and Zittrain opt not for perfect enforcement.39 Furthermore, I suggest that
putting criminals on notice before an act of its illegality may act as a deterrent,
particularly if they believe it may lead to their arrest. Scalable ‘gaps’ in the internet
that require workarounds provide this notice, e.g. internet access monitoring that
queries in pop-up form, rather than blocks, alleged illegal downloads/uploads. This
may notify police and later prove crucial in both showing mens rea and convincing a
jury at trial. Additionally, transparency and due process are protected.

(ii) Website blocking isn’t good enforcement


The reasons are numerous and best presented as a list:
1. Criminals likely do not distribute via websites. It would appear Peer-2-Peer
protocols and emails are currently used.40
2. Blocking does not attack the root of the problem. Takedowns are effective
elsewhere where commercial interests dominate.41 Child pornography sites are

35
Even just to deal with the volume of data sent over the internet. This is not to mention the as yet
unresolved difficulties in identifying the individual behind the keystrokes, and developing optimal
penalty schemes.
36
An in depth review can be found in Robert Clark and Mark Hyland, The Criminalisation of Child
Pornography in Irish Law: A Report to the Department of Justice, Equality and Law Reform (April 16,
2009).
37
Op cit (n. 15).
38
The sheer scale meant the UK did not have the resources to enforce the law. Yvonne Jewkes and
Carol Andrews, “Policing the filth” PS 15, no. 1(3) 2005, 42.
39
Lessig (n. 9) 260; Zittrain, (n. 19) 110-126.
40
Lilian Edwards, “Pornography, Censorship and the Internet,” in Law and the Internet, ed. Lilian
Edwards and Charlotte Waelde, 3rd ed. (Oxford: Hart 2009), 630.


hosted in developed countries with international relations that support
cooperation.42
3. Blocking lists advertise sites when leaked or hacked.43
4. Function creep will move to block gambling, 'terrorism', copyright
infringement, criticism, political opposition and freedom of speech,
particularly without legal obligations for independent audits.44
5. Setting up blocking systems is expensive and diverts funds.
6. Blocking technology is imperfect. It does not stop technically competent
internet users and may over block.
All these reasons speak against the proposed EU Directive.45

(iii) Idiosyncratic rules require idiosyncratic enforcement


An important example of spill over from foreign laws on child pornography is the
mobile internet. The GSMA use the IWF filter list, created with reference to UK
definitions on child pornography, where a country lacks its own.46 Idiosyncratic rules
mean resource sharing cannot extend to the identification of illegal content.

Every ISP will not be aware of every country’s laws on all relevant issues. Enforced
cooperation would bridge this gap with relevant authorities raising issues within a
recognised framework. If a criminal act is on an ISP outside our jurisdiction, then
access providers within may be required to monitor, and give notice to end users.

(iv) Lack of reporting immunities inhibits enforcement


Policing models may also be supplemented with citizen participation.47 Clark and
Hyland (2007)48 note the dangers due to lack of immunities. In the UK a
Memorandum of Understanding between the CPS and ACPO on investigating child

41
Tyler Moore and Richard Clayton, “The Impact of Incentives on Notice and Take-down”, presented
at the 7th Workshop on the Economics of Information Security, Hanover, New Hampshire 2008, 9.
42
Edwards, (n. 40) 649.
43
As inevitably happens. TJ McIntyre, 'Danish Censorship List Leaked' (07/01/09)
<http://www.tjmcintyre.com/2009/01/danish-censorship-list-leaked.html> accessed 01 May 2010.
44
Adrian Weckler, 'realityBYTES' (18/04/2009)
<http://www.sbpost.ie/technology/realitybytes-48610.html> accessed 29 April 2010.
45
European Commission, (n. 25) Article 18.
46
GSMA, 'Child Sexual Abuse Content Technical Document' November 2008, Pg.7
<www.gsmworld.com/documents/GSMA_Child_Tech_Doc.pdf> accessed 01 May 2010.
47
Susan Brenner, 'Toward a Criminal Law for Cyberspace-A New Model of Law Enforcement' (2004)
Bu J Sci&Tech L 10(1).
48
Clark and Hyland (n. 36), 40


pornography, though lacking legislative back-up, illustrates the benefit of certainty to
the industry.

Further lessons can be taken from the American example in the PROTECT our
Children Act 200849 that gives a full list of actions to be taken when reporting. We
must also be wary of mandatory reporting with undesired results as illustrated in
Canada by the Child and Family Services Act amended in 2009.50

(v) ISP immunities inhibit governance development


Arguably positive marginal benefit would result from some level of general
monitoring and data retention. Though I believe this to be the case, further study is
required. Were the technological aspect to become feasible, Article 15(1) of the E-Commerce
Directive51 prohibits member states from introducing a general obligation
on providers to monitor information they transmit. This should be amended to read:

Article 15:
Limited Obligations to Monitor
1. Member States shall not impose a general obligation on providers, when providing the
services covered by Articles 12, 13 and 14, to actively seek facts or circumstances indicating
illegal activity, however a general obligation to monitor the information which they transmit
may be imposed by way of legislation for the purpose of law enforcement within the member
state. Such legislation must include adequate procedural safeguards to ensure the protection of
citizens’ rights.

4. Conclusion
Internet regulation itself is largely recognised as existing, necessary and developing.52
Now we must determine, particularly for existing legislation, the best governance
system for its implementation on-line. Enforced cooperation appears to be settling in
as the expectation for all parties and the Irish Government has made a non-legislative
step in this direction with the Office of Internet Safety but needs to act now with
transparent legislation.53 A focus on access providers, or ‘destination ISPs’ offers ease

49
18 U.S.C. § 2258A.
50
Section 18(1.0.1) which requires everyone to report child pornography they encounter. This would
include an underage child who took a photo of themselves.
51
2000/31/EC (n. 21).
52
Lessig, (n. 9), 336.
53
http://www.internetsafety.ie/


of identification and jurisdiction.54 A regulated enforced cooperation environment
offers the certainty needed for the industry.

The lesson we should take from the issues discussed is that there is no independent
internet state as such. Rather there are numerous sovereign states who communicate
through the internet. Sovereign states rightfully have varying laws, therefore it is up to
state enforcers to act at a state level supplemented with international harmonisation
and resource sharing55 to improve enforcement where possible. We should not
attempt to enforce our laws outside our state, except to the extent provided for by
international agreement.

This approach for child pornography does admittedly regress internet enforcement to
the off-line equivalent of prosecuting a wrong-doer i.e. the internet user.56 This may
be difficult in itself,57 however the move to maturity of internet governance should
focus on improving international cooperation between states and ISPs while aiming to
protect citizens’ rights, rather than trying to create a universal solution making ISPs
liable. The key will be creating safeguards in legislation to regulate the actions of the
parties in ‘enforced cooperation’.

Much more work is needed in this regard and maturity in regulation application will
occur when states accept the costs and spend the time required to establish this form
of governance. In this author’s view, though costly and delayed, that is the only
legitimate path to take. After 30 years, it is time we take the step forward.

54
Jonathan Zittrain, “Internet Points of Control” (2003) 43 Boston College Law Review 1, 19.
55
Eliminating much of the normative critique of regulation at state level in Johnson and Post, “Law
and Borders - The Rise of Law in Cyberspace,” Stanford Law Review 48 (1996) 1367.
56
Described as “nimble, and breed annoyingly quickly” thus inefficient as targets. Peter Swire, “Of
Elephants, Mice, and Privacy - International Choice of Law and the Internet,” The International
Lawyer 32 (1998) 991, Part III(B).
57
E.g. the flaws in a ‘Norwich Pharmacal Order’ whereby the IP address only reveals a computer’s
address, not the user’s identity. Norwich Pharmacal Co. v The Commissioners of Customs and Excise
[1974] RPC 101.
