Short Guide to Digital Switzerlands—When Companies Act as Countries

Companies are challenging the primacy of governments worldwide

Last year Denmark appointed the first “tech ambassador” to Silicon Valley. On that occasion, Danish Foreign Minister Anders Samuelson justified the role by saying that the U.S. technology companies “affect Denmark just as much as entire countries”. The statement concisely, yet powerfully reflects the evolving relationship between the big technology players, the government, and the technology users.

The new paper by the UCLA School of Law’s Kristen Eichensehr delves into this complex relationship, portraying its history, the novel developments and the way forward. Hoping that her work will reach people who might not have the time to go through all 66 pages of the paper, I’ve done my best to summarize main points and offer some thoughts. To get most out of it, I definitely recommend reading the whole paper, here.

The history

The competing powers — government, technology sector and users — evolved in parallel, occasionally crossing paths. Their histories can be mapped out in three phases: (1) during the Internet’s early days, power was thought to belong to the users; government was to stay out of regulating the cyberspace; (2) discussions of the second phase favored territorial governments as key controllers of the Internet; part of the argument was also that only traditional territorial governments can provide public goods and deal with all the threats harbored within the cyberspace; (3) we’re in the third phase, where technology companies are challenging the power of the state, to the point where this might get us rethinking how the international law applies to the states’ cyber presence and the role of companies and users in shaping policy.

Traditionally, companies were allies of the government, both in the US and abroad. Yahoo infamously turned over email records of two Chinese dissidents, leading to their conviction and imprisonment in 2005. Eichensehr cites Google’s “new approach to China” as the first significant public move by a technology company to challenge a government. This new paradigm was further bolstered by Edward Snowden’s revelations in 2013, and put particular focus on countering the US government. In short, for those less familiar with the documents Snowden leaked, among other things they revealed that the NSA and the FBI were collecting information from servers owned by nine leading US internet companies, including Microsoft, Facebook, Google and Apple. A number of cases that followed were founded on the same strained relationship, such as the dispute between the US government and Apple over the right to access San Bernandino shooter’s iPhone. The fight ended with the government finding a new method to break into the phone, and “no longer requiring assistance from Apple”.

An important inflection point that Eichensehr notes brings us to where we are now was the transition from negative discourse to affirmative role the companies are playing. The transition started in February last year at the RSA conference, where the President and CLO of Microsoft, Brad Smith, called for the creation of Digital Geneva Convention, that would establish tech companies as “Digital Switzerlands”.

[…] we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace. And just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies. The tech sector plays a unique role as the internet’s first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world’s trust.

Eichensehr also notes that the U.S. companies are not the first private superpowers, but there are three key characteristics that empower them to take this role of contender to the governments worldwide:

  1. they aspire to be global (and need to be distinguished from the partly government-owned companies),
  2. their user base is global; the user-company relationship is long-term and interdependent,
  3. they are attractive, not extractive; they operate through soft power, and users are not captive audiences (a point that can be debated — I would say depending how you define captive; addiction and peer pressure can be captive in a wider understanding of the term.)

What does it mean for a company to be a “Digital Switzerland”?

First, it suggests the companies and the governments that regulate them are equals; second, it suggests that the companies see themselves as neutral grounds.

Eichensehr assessed all the ways the governments and companies are on par, and where the comparison diverges:

In terms of global constituencies, user bases of the largest tech companies dwarf the populations of the majority of countries (Facebook almost matches China, and Microsoft Office the population of India). This matters because it shows the scale of impact of policy changes a single company can have. In terms of revenue, in a ranking of the top 100 governments and corporation, 31 countries made the list, and 69 corporations. Technology companies have ventured into taking some public functions, particularly related to crime control and cyber operations, as well as making public policy proposals, such as the recent Cybersecurity Tech Accord. The most recent proposal came just three days ago: over 160 companies signed a pledge against autonomous lethal weapons; on this occasion, Max Tegmark, the founder of the Future of Life Institute which organized the campaign, remarked: “I’m excited to see AI leaders shifting from talk to action, implementing a policy that politicians have thus far failed to put into effect.” Yet, there are a number of important distinctions that still hold each player in their traditional places. For one, all companies are located within sovereign states, are subordinate to public authorities; they are not recognized as sovereign entities with “juridicial independence”. Companies do not have the right to legitimate use of the physical force as governments do. This is where the perspective of individual users becomes important in the trifecta of power which Eichensehr pays much attention to: it’s users who adopt technology that treat companies as supplemental sovereign.

What implications does companies’ “neutrality” have? Eichensehr touches on a number of important points. To appeal to the international user base, the U.S. tech companies are trying to downplay their origins as U.S. companies. One of the ways to do this is to act internationally even when the issues arise locally. A recent example was WhatsApp’s response to mob violence the app enabled in India: the company is changing features both in India and internationally. Neutrality, however, can also imply complicity. Facebook is a good example. They tried to get away with neutrality, but not for too long.

Could having two regulators produce any gains for individual freedom?

Eichensehr explains that this is not a novel idea. It goes back to the Federalist James Madison who argued that “[t]he different governments will control each other”. But what would that mean in practice?

It would mean an additional layer of power over users, which without the important mechanisms of democracy such as voting and representation, can be (and has been) misused. On the other hand, government’s power over users is declining, and in some circumstances, companies stand in between government and users to protect latter’s interests. Their leverage is sometimes the only way certain demands can be fulfilled. In this position, they’re close to becoming “citizen-sovereignties”, and need a push towards the values that would be required from all entities that perform public functions, including the public law values (such as transparency, accountability, due process, protection of privacy).

Talking about democracy and accountability, Eichensehr deems corporate “citizenship” as voluntary, as “[i]ndividuals choose to become part of a company’s user base”. I would argue that this is only partially fair to say. While each of us “chooses” to sign up for a certain app or a service, there is a number of pressure points that manipulate us into doing it. It’s a combination of incentives from our roles in professional and private spheres that get us to use companies’ services and keep using them for years on end. In a similar manner, the choice to disassociate is another concept I don’t completely agree with here; yes, “users can vote with their feet, dollars and service choices” to exit the contract between them and the company, but how easily? Technology addiction is real, yet it’s not a forceful coercion to keep using a certain service. Billions of users each day engage in communications on platforms that manipulate their behavior and trick them into coming back. As the author notes herself, it’s become particularly hard to stay away from all major platforms.

What would it mean for the companies to implement public law values? Eichensehr cites a number of examples, including transparency reports (Google pioneered it in 2010) and companies’ internal procedures to fulfill right-to-be-forgotten requests. For similar practices to become standard, there needs to be a new approach to how and when public law values are extended to private entities. As previously mentioned, currently fulfilling a public function calls for public law implementation, whereas a potentially more comprehensive scenario would include status-based approach, where every entity that attains power over individuals comparable to that of the governments should implement public law values.

In the end, Eichensehr asks the important question of: what happens when the business value of privacy and challenging governments ceases to be?

A number of factors could influence this, including exogenous shocks that would make users more favorable of the government or at least tolerating government’s requests to a greater degree. How do you entrench the new power actor into its role in the trifecta between the government and users no matter the circumstances? Eichensehr sees it derived from four sources: transparency (through transparency reports which are the industry standard), civil society groups, consumers and investors, and the governments themselves (Europe, for example, is making moves towards protecting its citizens online by placing demanding requests in front of big companies).

Kristen’s work is extremely valuable, and this paper, in particular, comes at the opportune moment when we see the relationship at its most questioned and perhaps even at its most hostile. EU keeps going in its efforts to punish large U.S. companies for monopolization (Google being the most recent one), while there continue to be concerns over an array of (un)predictable consequences for technology users (from spreading fake information to inflicting mental health issues). I see the crisis in trust between the three players as an opportunity to weigh our options as users, as government, and company leaders. No doubt, all three are flawed. But the consensus that we can’t keep on going as we have thus far will, hopefully, move us towards a novel contract. Do read Kristen’s paper if you have time.

If you enjoyed reading this, you will definitely like Exponential View—a thoughtful weekly missive about exponential technologies and society. Subscribe