Ergo Sum

Code and Other Laws of Cyberspace, Lawrence Lessig

A 2005 consideration of Lawrence Lessig's 1999 Code and Other Laws of Cyberspace, with reflections on my own work and where we're headed.

As it is, I spend a lot of time thinking about systems and issues like architectures, law, policy, and even individual expectations. My 2001 book Developing Trust looked at how we can deal with the policy and technology issues that make our infrastructure trustworthy. Though I dealt with the Internet and Web specifically and showed specific examples of actual failures, some readers have suggested that the discussion was somewhat theoretical, or at the very least, blazing the way for practice instead of reflecting it. My recently-published Brute Force is very different, dealing specifically with the issue of Internet cryptography.

Looking at the fall of the Data Encryption Standard (DES) through the lens offered by Lessig's Code is instructive. Consider the state of the world in 1997, when RSA launched its DES Challenge.

As a matter of policy, the U.S. Government promoted a cryptographic standard that would be secure against exhaustive key-search attacks for a relatively short period of time. As a matter of law (in the form of regulation), the Government also limited the strength of the systems that could be exported outside of the United States. As a matter of architecture, the Internet is open and easy to access, in many cases using topologies that will allow anyone in the middle to observe traffic being routed from one system to another. As a matter of expectation, individual Internet users considered their online purchases secured, such that attackers would not be able to intercept and illicitly use their credit card numbers. As another matter of expectation, many in Congress imagined that even the limited strength of the systems allowed by Government policy was “secure enough.”

The DESCHALL Project (and RSA's 1997 DES Challenge that it answered) used architecture to change expectations of both lawmakers and citizens. When it succeeded, law (in this case, the regulation) changed to allow a much freer use and export of cryptographic products. Policy followed, with the Advanced Encryption Standard (AES) being adopted.

After talking recently with Peter Swire, Esther Dyson, and John Gilmore in Seattle earlier this year at CFP 2005 (with “Panopticon” as its theme), I was reminded of Lessig's Code, in which he argued that it is wrong to imagine, as some have, that the Internet is inherently impossible to regulate, that it can never be restricted the way that the real world has been.

When I returned from Seattle, I re-read some critical parts of Lessig's book. One part that struck me was its central theme, that four primary forces regulate: law, market, norms, and code.

Limited scope helped to make DESCHALL successful. We didn't seek (directly) to change the law or government policy. The project didn't overreach, attempting to use traditional mechanisms of marketing to affect the expectations (or, in Lessig's words, norms) of individual users. Nor did it preach to the proverbial choir, either in the form of those interested in public policy (law) or those trying to bring their products to international customers who demanded them (market). We were attempting to address an area of architecture (code) that created a vulnerability in the form of an attacker's ability to intercept traffic. While many expected that the issue was addressed through “good enough” cryptography, we used the one tool of our focus (code) to demonstrate that it was out of sync with the demands of the market and the need to enforce the norms of society.

In the six years since Lessig's book was released, things have changed. Some of the less dramatic changes have come in the form of architecture, the code that implements the global computation and communication infrastructure. Mobile phones and PDAs now have greater utility as gateways to the network and these devices have more tracking capability than in 1999, both in the form of a GPS device to determine the unit's position and in the form of wireless personal area networks such as Bluetooth that have side-effects that can be invasive of privacy.

Norms have not changed significantly; as these deal with the attitudes and expectations of people, norms are always slow to evolve. The market has not changed dramatically for the most part. While a whole dot-com boom and bust took place, the simple fact is that companies that offered good services enabled by the Internet succeeded (eBay and Amazon spring to mind), while those that were using the Internet for its own sake failed—the demand for online haircuts and shoeshines never materialized.

The law is one area where there has been more dramatic change, as local, state, and federal lawmakers strive to update their codes to reflect the world's heavy dependence upon Claude Shannon's binary units. Many laws designed to protect consumers and their digital identities have been passed and now organizations that handle personal information are subjected to civil and criminal penalties for failure to adhere to some norms for protecting information.

Further changes have been ushered in by lawmakers' attempts to show their constituents that they care about the citizenry of this country and are doing all they can to protect them from the threat of terrorist attack. Congress is now debating extension of the Patriot Act and adoption of its successor, Patriot II. In Code, Lessig worries about the impact of law on cyberspace, in particular how regulation will cause infrastructures to be built with new provisions that allow the Government to achieve its objective to control its citizenry without being accountable as in a transparent legal system. Given the reaction to the Patriot Act—in particular its provision to search library and bookstore records without a warrant—it would seem that Lessig's concerns have been understood and adopted by a significant number of people working in the area of public policy.

Much of the public debate over digital rights has been in the form of negative reaction to proposed restrictions on personal liberty, privacy, and other rights. Someone proposes that the Patriot Act stay on the books rather than expire (as the Act itself called for as passed in 2001) and people react in the negative. Someone proposes national identification cards for each U.S. citizen and people react in the negative. A cartel proposes a combination of technical and legal standards to limit how consumers can use their products and people react in the negative.

In Code, Lessig argues that society must decide what rights it wants to guarantee, what sort of a society cyberspace is to be, from which implementation in code will follow, shaping both the architecture of the markets and the norms of cyberspace. Despite the passage of six years and the huge number of genuinely bad ideas that have been floated, we have very few good ideas proposed to stave off the flow or influence of the bad. There is very little guidance to show how the Bill of Rights applies in cyberspace. Worse, there is apparently no mechanism to prevent the government from hiring private industry to do the work that it, by virtue of the U.S. Constitution, would be forbidden from undertaking. There has been a lot of talking, but remarkably little action, and I suspect that will remain true until there is a clear and concise assertion of what privileges and rights are to be built into cyberspace. As Lessig concludes, if our society fails to take advantage of the opportunity that is now present, liberty will find herself on the losing end of a revolution and it'll be over before any critical mass notices.

Created by cmcurtin
Last modified 2005-06-21 12:47 AM