
Clint Smith '89 is caught between free-speech advocates and law enforcement,
but what he's seeking is the security the Internet needs in order to keep
growing...

Clint Smith '89 is caught in the middle. Literally.
At a table in a Congressional hearing room on Capitol Hill, Smith--who
is vice president and chief network counsel for the communications giant
WorldCom--is wedged between John Malcolm, a deputy assistant
attorney general, and Alan Davidson, associate director of the Center
for Democracy and Technology, a D.C.-based Internet rights group. They
are all facing a couple of members of the House Judiciary Committee's
subcommittee on crime. Davidson and Malcolm are fighting it out.
At issue is the "Cyber Security Enhancement Act of 2001," specifically
the circumstances under which law enforcement officials have the right
to force Internet service providers, or ISPs, to divulge information about
their customers. Predictably, Malcolm says it's pretty much whenever they
want. Davidson says that cops will use strong-arm tactics to pressure
ISPs into releasing information even if the situation doesn't warrant
it. Smith finally raises a finger in the middle of the back-and-forth.
"Who is in a better position to make a judgment about the immediacy and
resolution of a threat?" he asks. "Law enforcers are the experts."
So wait: an ISP wants to cooperate with the cops? On its face, that goes
against everything the Internet stands for--the Libertarian ethos
of university computer centers everywhere, hackers chanting "information
wants to be free." But the virtual universe is changing. In the mid-1990s
when the Internet began to enter the public consciousness, analysts and
the press batted around the metaphor of a new frontier, of the Wild West.
Now, the law is coming to town. Even before the terrorist attacks on September
11, the barbed wire was going up. Congress, industry and lawyers are all
working on new rules for information security and privacy on-line, but
the transnational, pervasive nature of the Internet makes it an easier
job to talk about than to do. Smith isn't just stuck between a cop
and a free-speech crusader; he's at a crossroads of technology, commerce,
law and national security.
When Smith was at Pomona in the mid-1980s, tech stuff wasn't even
on his radar. He majored in mass media and political behavior--he
designed it himself, a sort of precursor to today's media studies
program. "Law school at Berkeley was when I started to focus on technology
and the law," he says. Cal had a clinic for students to practice
technology law, working with attorneys and corporations in the fast-growing
Silicon Valley to the south. Upon graduation he returned to the firm where
he'd been a summer associate, Steptoe and Johnson in Washington,
D.C., where a former general counsel for the National Security Agency
named Stewart Baker turned Smith on to the burgeoning legal issues of surveillance
and intellectual property online.
"Now it's much more mainstream," Smith says, "but
back in the early 1990s, electronic surveillance was not as publicly debated
as it is today." It was an easy jump to go from many clients to one;
Smith joined UUNET, WorldCom's Internet subsidiary, in 1997; as WorldCom
integrated UUNET's business into the larger company, Smith became
chief network counsel.
At the same time, information security was becoming more important. A
series of attacks on the Internet in the 1990s culminated in 2000 with
the LoveLetter worm. It was what's now known as a "blended"
or "multivalent" threat, combining different modes of operation.
It spread via the e-mail program Microsoft Outlook, and on a pre-set date,
all those copies of LoveLetter attempted to launch what's called
a denial-of-service attack, sending thousands of requests for communication
to one server to paralyze it in a traffic jam of bits. The targeted server
was the official White House Web site. One analyst put the cost of cleaning
up the LoveLetter mess at $8.7 billion nationally.
"Within the last six months we've seen a major shift in the
way attackers assemble their attacks," Vint Cerf, a senior vice president
at WorldCom, told a small meeting of security experts last December. Cerf
co-wrote the protocols that the Internet runs on; when he talks, techies
listen. "They use a combination of multiple methods of breaking into
systems. They do new things when they infect a system. ... You no longer
have to bug somebody's office. All you have to do is hack into their
laptop."
Raw statistics are no more comforting. Eighty-five percent of companies
surveyed by the FBI reported some kind of information security breach
over the course of a year, with each episode costing an average of $2
million in downtime and clean-up. Yet according to Richard Clarke, President
Bush's special advisor for cyberspace security, most companies spend
more on coffee every year than on information security. But by the middle
of last year, corporate CEOs had begun to realize that cybersecurity wasn't
just insurance. If customers perceived a vulnerability, that, in turn,
damaged the company's brand and affected its market.
The attacks on September 11 sensitized the rest of us. Congress dusted
off the reports of homeland security commissions that predicted cyberterrorists'
use of "weapons of mass disruption" against critical infrastructures.
The new director of homeland security, Tom Ridge, began to work on cybersecurity
with Clarke, a White House infrastructure expert since the first Bush
administration. "Our national defense is dependent now on IT systems
and IT networks. Our national economy is similarly dependent," Clarke
said at a recent conference. "We cannot always count in the future
on law enforcement being able to deal with these problems. Nor can we
count on the military." With 90 percent of the nation's infrastructure
privately owned, industry would have to step up.
But what does that mean? The law isn't well mapped out when it comes
to the 'net. The fundamental shift, according to Smith, derives from
the global network's spatial dislocation (or non-location). "In
the physical world, the perpetrator, victim and evidence were all likely
to be in the same political jurisdiction," Smith says. Cybercrimes,
though, can originate on a different continent.
An example: A WorldCom customer sold a T1 pipe--fast, corporate-scale
Internet access--to a Canadian Web host. The Canadian host then sold
space to a group using the domain name "boychat.org." The site
was what you'd guess; it featured poetry, stories and therapy dealing
with pedophilia. A U.S. child advocate accused WorldCom of supporting
child exploitation and child pornography. What to do? If WorldCom shut
down the site, they'd be open to claims from anyone who had a bone
to pick with content carried on the WorldCom network. Smith went to the
Ontario police and asked if the content on the site was illegal. "It
is offensive to many Canadians, but it is not illegal," the cops
told him. The company faced a week of bad press, but Smith stuck to the
Canadian standards. "We held to our policy convictions," he
says. "If the content is merely objectionable and not illegal we
would not shut off access."
Another case, not involving WorldCom: a French court in November ruled
that the portal site Yahoo! had to remove Nazi memorabilia from its auction
site or face daily fines. Yahoo! is an American company, and its servers--along
with all its data--are in the United States. Generally, courts aren't
allowed to make rulings about companies in other countries, but the French
interpreted the fact that anyone worldwide can access Yahoo! as a case
of the company doing business within French borders. The controversy continues
to rage. As commerce and communications increasingly cross international
boundaries, these kinds of problems are going to crop up more and more,
and the companies involved will have to figure out how to respond. "Countries
in which we do business can bring pressure against us," Smith says.
"They can arrest employees, seize equipment and freeze bank accounts."
It makes sense that the Internet makes law enforcement trigger fingers
itchy. Cybercrime has grown in scope: gambling, child pornography and
fraud, to name just a few of the nefarious enterprises, not to mention
breaches of security, in which a hacker may break into a database searching
for something of value, like a list of credit card numbers. And then there's
cyberterrorism, activities designed to do damage to the Internet itself,
or to some network connected to it, like the national power grid.
To deal with all kinds of cybercrime, new rules and borders are being
imposed upon the Internet. As a result, new relationships are being forged
between ISPs and their customers. Among the provisions of the USA Patriot
Act, signed into law shortly after September 11, were rules that make
it easier for the FBI to get information on users from ISPs. But the fact
is that many ISPs already cooperate. "We communicate with the FBI
pretty much every day," says Tim Wright, chief technology officer
of Terra Lycos, a Web host and owner of several popular sites. Eventually,
says Wright, the ISPs themselves might automatically search e-mail on
their network, using government-provided algorithms, for messages that
sound terrorism-related.
"There is no way we can protect every pipeline, gas storage facility
and substation out there. The only thing we can do is identify patterns,"
Wright says. For privacy advocates, it's a chilling notion. A government
that wouldn't dream of sending in police to break up a peaceful protest
might not have any compunction about asking a small ISP to monitor customer
e-mail. "I'm fortunate that my personal bias in favor of free
expression lines up closely with my company's objective," says
Smith.
On the other hand, protecting against hacking and cyberterrorism--attacks
on the network itself--isn't as ethically murky. Thinking since
September 11 has moved toward dynamic passwords that change automatically,
"smart cards" embedded with computer chips and access that relies
on "biometrics" like scans of retinas or fingerprints. But a
lot of effective technology already exists and goes unused. "We can
build all the technology in the world to secure things, but unless you
actually apply it, it doesn't work," says Cerf. "Security
is inconvenient. People don't like it. But unless they get into the
habit, it won't stick."
Cybersecurity advisor Clarke has floated a proposal for something called
GOVNet, a totally separate network for the government to switch to in
the event of a catastrophic denial-of-service attack. So far, intelligence
agencies and the tech community have had mixed reactions to the idea.
Businesses are more interested in Clarke's national strategy for
information technology security, due out in April. They're looking
for changes in Federal government procurement practices requiring more
secure hardware and software. The government buys so much that higher
standards could shift the market.
In Congress, Senator John Edwards of North Carolina has sponsored a bill
asking the National Institute for Standards and Technology to develop
standards for security. New York Congressman Sherwood Boehlert passed
a bill in the House lining up funding for the development of advanced
computer security curricula in universities, and for scholarships for
people who major in the subject. There's even a proposal for a volunteer
tech corps, people from the private sector who could be seconded to the
government during an emergency. Industry is lining up to participate,
for both business and patriotic reasons.
But as Cerf implied, individual users also bear some of the responsibility.
Sadly, it's the boring stuff. Don't have the same passwords
for everything, and don't write them down. Change them once in a
while, and don't make them obvious, like your birthday or your spouse's
name. Update virus detection software and, if you have an "always-on"
high-speed network at home, get good firewall and intrusion detection
software. Read your ISP's privacy statement. Find out what they'll
do with your data if the government comes calling. Some, like Terra Lycos,
hand it over; some don't. "ISPs can know a great deal
about what you do on the Internet unless you are willing to undertake
active steps to shroud your activities in secrecy," Smith says. He's
talking about Web sites like Anonymizer.com or Zero-Knowledge Systems
that provide personal privacy software and anonymous Web surfing. It's
hard to get off the grid, but not impossible.
An era ended when the barbed wire went up across the wide-open West, and
it's a little sad to see the Internet behave like an industry instead
of some caffeine-fueled revolution. "The Internet faces two choices.
We can self-regulate or be regulated by the government," says Terra
Lycos' Wright. When other media have self-regulated in the face of
government pressure--as did movies in the early part of the last
century, and comic books in the '50s--they became less artistic
and more corporate in content and tone. But there's never been a
medium like the Internet, and comic books don't connect to the nation's
power systems.
For his part, Smith had a good reason for positioning himself between
the government and the privacy advocate in that hearing. It's a tight
spot, but he knows the Internet will keep growing only if it's safe.
--Adam Rogers '92 is a reporter for Newsweek and a frequent contributor
to PCM.