SpeakOut.com
 
 

Issue of the Week: Cryptic Answers
by Bob Kolasky
Thursday, January 27, 2000

Bob Kolasky is the managing editor of IntellectualCapital.com. His e-mail address is bob@voxcap.com

In his important new book, Code and Other Laws of Cyberspace, Harvard professor Lawrence Lessig argues that the debate over Internet regulation has entered a "second generation." Irrelevant, Lessig writes, is "the knee-jerk anti-government rhetoric" so popular among the digerati who dominated thinking about the Internet in the mid-1990s -- symbolized by theorists such as Esther Dyson and John Perry Barlow (although Lessig writes that both thinkers "still inspire").

But, as Lessig notes, the other option has not been borne out, either. Statism has not overtaken the Net, and government agencies do not dominate the new medium.

Instead, Lessig writes, a new dominant Internet regulatory ethos is emerging, and it is a "future of control in large part exercised by technologies of commerce, backed by rule of law." He readily admits that the blueprint for this future is anything but established and that, as he writes, "cyberspace will present us with ambiguities over and over again." But his writing offers an important glimpse into the challenges that lie ahead as the laws, rules and regulations surrounding the Internet -- and the Net itself -- continue along the maturation process.

The crypto dilemma

Lessig's writings came to mind earlier this month when the Clinton administration announced its decision to loosen regulations on the export of strong encryption. The decision -- which removes most restrictions on technology companies selling encryption software overseas -- was seen as a major victory for commercial interests over government interests, particularly those of law enforcement.

Encryption, or cryptography, is the process by which information being transferred on the Internet is made -- and kept -- secure. By encrypting data, be it a credit-card number, health records or simply a private message, Net users can feel certain that the same data will be viewed only by those who they want to view it -- those who have a "key" enabling decryption. The advantages of strong cryptography, therefore, are fairly obvious. In an environment where such a high premium is placed on privacy, the more certain individuals and corporations can be that their transactions are secure, the more likely they will be to go about their business online.

But some critics say strong encryption has a downside as well. If encrypting keys are only available to a private few, then there is the possibility that encrypted messages being transported over the Internet will contain illegal -- and potentially dangerous -- information. Law enforcement officials are particularly concerned that criminals will take advantage of strong encryption to convey information without the fear of being found out. FBI chief Louis Freeh has long warned about the dangers of strong encryption. In 1997 testimony before Congress, Freeh said:

The looming spectre of the widespread use of robust, virtually unbreakable encryption is one of the most difficult problems confronting law enforcement as the next century approaches. ... We believe that unless a balanced approach to encryption is adopted that includes a viable key-management infrastructure that supports immediate decryption capabilities for lawful purposes, our ability to investigate and sometimes prevent the most serious crimes and terrorism will be severely impaired.

Freeh's argument is not so much against strong encryption as in favor of strong encryption to which the government holds a key. In the summer of 1999, he further outlined that argument:

The fact is that we're not trying to prohibit the U.S. companies from making [encryption]. What we're saying is that on their own terms, using their own technology, they should have a feature in that product -- or a feature that can be made operable in that product -- that ... should be able to respond to a court order and furnish evidence, or potential evidence, of a crime.

An evolving stance

In 1997, the Clinton administration's position pretty much mirrored Freeh's: Government needed to maintain control over the new technologies to prevent them from being abused. In particular, the administration was worried about allowing U.S. companies to export strong encryption internationally because it feared that such exports would hamper law-enforcement officers' ability to do their jobs. Not surprisingly, first-generation Internet thinkers were appalled by the government's stance. Writing in these pages in late 1996, the Electronic Freedom Foundation's Stanton McCandlish decried the "bold plans to wrest control of the Internet away from its millions of participants."

Slowly, the administration's position shifted, and by the announcement earlier this month, it was clear that Freeh's argument had lost weight in the White House. Coming on the heels of an announcement by the president last September that the regulations would be loosened, the new rules allow U.S. companies to export encryption products to businesses and individuals without obtaining a government license. Encryption products available through retail outlets also may be exported to any entity, including most foreign governments -- with the exception of seven "terrorist-supporting" countries, including North Korea, Iraq and Iran.

While some civil libertarians and liberty advocates still say that the administration has not gone far enough in easing standards, technology businesses have greeted the new regulations positively. Upon the administration's announcement, Ed Gillespie, the head of Americans for Computer Privacy (ACP), a trade group representing more than 40 associations and 100 companies, said the ACP was "extremely gratified" with the new regulations. "They are more in step with the economic realities of the Information Age while protecting our nation's vital security and law enforcement needs," Gillespie said. "And they strike a balance between security and America's commercial interests."

The Clinton administration's new stance is a good example of how the debate over Internet regulation has advanced over the last three to four years. It is now more nuanced; it is more cognizant of the realities of the technology; and, more than anything, it is more commerce-friendly. In other words, it mirrors the tendency in Net policy circa 2000 at the turn of the new century. That, of course, does not mean that the latest encryption policy is ambiguity-free. Alan Davidson, a staff counsel at the Center for Democracy and Technology (CDT), describes the new regulations as "a full-employment act for export-control lawyers."

The lawyers Davidson is referring to will be necessary because of all the questions about how the regulations will be administered. One key question is whether encryption should and can be viewed as constitutionally protected speech. It is also unclear when those exporting encryption can be held responsible if the encryption ends up in the hands of a banned country. And then there are concerns that the sheer complexity of the export rules will make it impossible for individuals to be certain that in developing and transferring strong encryption they are not somehow violating the law. As the CDT notes, "The regulations do not de-control encryption or remove complex requirements that may prove daunting to many individuals and small businesses."

In search of vision

To borrow Lessig's phraseology, therefore, it seems that the Clinton administration's newly announced encryption policy has gone beyond the first generation of regulating the Net -- it has escaped the dichotomy of no governance vs. pure regulation -- but it has not quite reached second-generation thinking. "It's a reactionary solution" rather than a visionary one, says Lawrence Hecht, president of the Internet Public Policy Network.

Many of the current Internet regulatory debates are in the same place. Think about the questions of taxing e-commerce, or how to keep children from seeing indecent material, or even electioneering online.

In all of those cases, the regulatory approach seems to be roughly the same: reactionary rather than visionary. The consensus seems to be to err on the side of less regulation rather than more; to hold out the possibility that more regulation could be forthcoming, while at the same time showing an inclination to let the market take the lead. What has been generally missing, however, are innovative approaches to dealing with the new realities that cyberspace has created.

What is true of encryption is true across the Net. Internet policy and regulation questions are still in the midst of an interregnum. The final rules are still a long way from being written.

