Cyber Security Basics
📂 Foundation
· 8 of 15
69 min read
The Internet as a Global Commons — Governance, Stewardship, Threats, and the Future of an Open Network
A 22-section walkthrough of the Internet as humanity's most ambitious shared resource. Covers Ostrom's commons theory, ICANN/IETF/IGF stewardship, the multistakeholder model, splinternet pressures, mass surveillance, MANRS routing security, DNS root systems, FIRST.org incident response, Digital Public Infrastructure (UPI, PIX, X-Road), AI commons-vs-enclosure, and Ostrom's eight design principles applied to digital governance.
Section 01
A Commons of Unprecedented Scale
The Internet is the largest cooperative system humans have ever built — and the
numbers behind it tell a story no other shared resource in history can match.
No nation owns it. No company controls it. Every router, every cable, every name
server is part of a resource that humanity has built — and must defend — together.
👥
People Share This Commons
5.5 Billion
More than two-thirds of humanity now uses the Internet. Each user depends on the same shared protocols, the same root DNS system, the same routing infrastructure.
🌊
Submarine Cables Connect Us
574
Roughly 95% of all international Internet traffic travels through undersea fibre cables — quietly carrying everything from banking to family calls.
💾
DNS Root Server Systems
13
A through M. Each is a globally-distributed anycast cluster, totalling 1,500+ physical instances worldwide. They are the navigational backbone of the Web.
🌐
Autonomous Systems
70,000+
Independently-operated networks that voluntarily peer with each other. The Internet is, literally, a network of networks — 70,000 of them.
📐
The Framing for This Tutorial
Across the next 22 sections we ask: what kind of resource is this thing
we call the Internet? Who governs it? What threatens it? Who defends it?
And what futures are at stake right now? The answers borrow as much from
political economy and international law as they do from
computer science — because the Internet is no longer just a technology.
It is shared civilisational infrastructure.
Section 02
What Is a "Commons"?
📖 Working Definition
Resources Communities Govern Themselves
A commons is a resource — natural or constructed — that is
shared by a community and governed by collectively-agreed rules
rather than purely by private property or state command. A village pasture
where every household grazes a few sheep is a commons. So is a coral reef
fished by neighbouring communities. So is the radio spectrum, where users
coordinate to avoid interfering with each other.
For centuries, classical economics insisted that commons either get privatised
or get destroyed by overuse. Then in 2009, an unlikely Nobel Prize laureate
proved otherwise.
🏆
Elinor Ostrom — Nobel Prize in Economics, 2009
Ostrom was the first woman to win the Nobel in Economics. Her field work
across decades — Maine lobster fisheries, Swiss alpine meadows, Nepalese
irrigation systems — showed that communities can sustainably
govern common-pool resources, provided they design institutions
with clear boundaries, monitoring, graduated sanctions, and collective
choice. Her eight design principles (which we revisit in Section 21)
are now the foundational framework for thinking about any commons —
including the Internet.
Examples of Global Commons
🌊
The Oceans
UNCLOS treaty
International waters beyond any nation's territorial sea. Governed since
1982 by the UN Convention on the Law of the Sea — fisheries, shipping,
seabed mining all subject to shared rules.
🌤
The Atmosphere
Paris Agreement
A literal global commons — every breath drawn shares it. Climate has been
governed since 2015 by the Paris Agreement on emissions, the most ambitious
multilateral commons treaty ever.
🛰
Outer Space
1967 Outer Space Treaty
Res communis — "the common heritage of mankind." No nation can
claim sovereignty over the Moon, Mars, or orbits. Increasingly stressed
by satellite mega-constellations and commercial space mining.
📚
Knowledge
open science, Wikipedia
Open science, peer-reviewed publications, public-domain works, Wikipedia
(62M+ articles in 300+ languages). Knowledge is inherently non-rivalrous —
sharing it doesn't diminish it.
🌐
The Internet
the focus of this tutorial
The youngest — and most contested — global commons. Born from a public
research project, now privately operated yet collectively governed,
under pressure from every direction.
👣
Antarctica
1959 Antarctic Treaty
An entire continent designated as a scientific preserve, with all territorial
claims frozen. A standing example that even very valuable real estate can
be governed as a commons when there is political will.
Section 03
Why the Internet Qualifies as a Commons
Six structural properties make the Internet a textbook commons — unique in
human history. Each one matters for understanding what is at stake when the
commons is threatened.
🌍
Shared by All
no membership fee
Anyone with a connection can use it. No nationality test, no creed
requirement, no economic threshold. The barrier to entry is the device
and the link, not the protocol. 5.5 billion users and counting.
</>
Open Protocols
RFC-based standards
TCP/IP, HTTP, DNS, BGP, TLS — every foundational protocol is an open
standard, freely implementable. There is no licence fee to speak HTTP.
No patent toll on TCP. The protocols are public goods.
📥
Non-Rivalrous Information
infinitely copyable
Bits can be copied without limit. Knowledge shared is not knowledge lost.
My reading this Wikipedia article does not stop you from reading it too.
This is fundamentally different from grazing land or fish stocks.
📦
Decentralised
no single point of ownership
No central server, no master authority, no kill-switch. Thousands of
independently-operated networks voluntarily peer together. Resilience and
governance both emerge from this distribution.
🤝
Built Collaboratively
RFCs, open-source, IETF
The Internet's standards are written by anyone who shows up to an IETF
meeting with a working implementation. "Rough consensus and running code"
is the engineering motto. The protocols were built in the open — and
remain so.
⚠️
Vulnerable to Abuse
the commons can be polluted
Like any commons, the Internet can be polluted (spam, DDoS, malware) or
enclosed (walled-garden platforms, sovereign Internets). The same openness
that makes it valuable also makes it exploitable.
Section 04
The Internet Commons Stack — Four Layers, Four Stewardships
The Internet commons is not one thing — it is a stack of overlapping
commons, each with distinct stewards, distinct threats, and distinct
defenders. Understanding the layered structure is essential to understanding
how the commons can be defended layer by layer.
📚 The Four-Layer Internet Commons
Section 05
The Tragedy of the Digital Commons
📖 Garrett Hardin, 1968
The Grazing Field, Revisited as Internet Backbone
In a 1968 Science essay titled "The Tragedy of the Commons,"
biologist Garrett Hardin argued that shared resources are
inevitably overused because each individual benefits privately while the
cost of overuse is shared by all. His example was a village grazing field:
every shepherd's marginal sheep yields a private gain, but the field's
eventual exhaustion is a cost spread across the community.
The Internet faces structurally analogous pressures. Each spammer benefits
from a sent email; the inbox-pollution cost is paid by every recipient.
Each botnet operator benefits from a successful DDoS; the bandwidth-consumption
cost falls on every transit network in the path. Each surveillance actor
benefits from data collection; the trust-erosion cost falls on the commons
as a whole.
Ostrom's later work showed that tragedy is not destiny — communities
can govern commons sustainably when they design the right institutions. The
question is whether the Internet community will.
Six Tragedies the Internet Faces Right Now
📧
Spam & Phishing
cost externalised to everyone
Senders externalise the cost of unwanted email onto every recipient,
every mail server, every spam filter. Roughly 45–50% of all email sent
globally is still spam, despite three decades of countermeasures.
⚡
DDoS Attacks
bandwidth weaponised
Botnets weaponise the bandwidth of unsuspecting devices against shared
infrastructure. Record sizes keep climbing: 3.8 Tbps in October 2024,
11.5 Tbps in August 2025, 31.4 Tbps from the Aisuru botnet in December 2025.
🛍️
BGP Hijacking
trust abused
Forged route announcements redirect global traffic. A single misbehaving
AS can break the world — as the Cloudflare 1.1.1.1 BGP hijack of June 2024
showed, when a Brazilian ISP's bad announcement affected 300 networks
across 70 countries.
👁️
Surveillance
openness extracted
Both states (Snowden disclosures) and corporations (ad-tech tracking)
extract value from a commons designed for openness. The cost — chilled
speech, eroded trust, concentrated power — falls on every user.
🏭
Hyperscaler Capture
enclosure of a distributed system
A handful of clouds (AWS, Azure, GCP) host most of the Web. Two app
stores (Apple, Google) gate most mobile distribution. One CDN
(Cloudflare) proxies a meaningful share of all HTTP. Concentration is
itself a tragedy of a once-distributed commons.
🚫
Censorship & Walls
enclosure by nation-state
Nation-states fragment the commons by blocking content, throttling
protocols, and constructing "splinter-nets." Each wall is rational from
one sovereign's perspective — yet collectively they degrade the universal
reachability that defines the Internet.
Section 06
Stewards of the Global Commons — A Constellation, Not a Ruler
No single ruler governs the Internet. Instead, a constellation of
bodies — each with a distinct mandate and constituency — stewards
different pieces. Understanding who does what is essential to understanding
how the commons is governed.
Body
Founded
Role
How It Works
ICANN (Internet Corporation for Assigned Names & Numbers)
1998
Coordinates the DNS root, IP allocation, and gTLD policy
California non-profit with multistakeholder governance; broke from US gov't oversight in 2016 transition
IETF (Internet Engineering Task Force)
1986
Develops Internet standards via the open RFC process
"Rough consensus and running code" — anyone may submit a draft; standards emerge through working groups
IANA (Internet Assigned Numbers Authority)
1988
Allocates protocol numbers, root zone, IP blocks
Operated by ICANN's Public Technical Identifiers (PTI); the registry of all globally unique identifiers
RIRs (Regional Internet Registries)
1992 onwards
Distribute IP addresses regionally
Five bodies: ARIN (North America), RIPE NCC (Europe + ME), APNIC (Asia-Pacific), LACNIC (Latin America), AFRINIC (Africa)
W3C (World Wide Web Consortium)
1994
Develops Web standards: HTML, CSS, accessibility, payments
Founded by Tim Berners-Lee at MIT; multi-stakeholder member-led standards body
ISOC (Internet Society)
1992
Promotes open development and policy; supports IETF
Non-profit umbrella; chapters in 130+ countries; runs MANRS programme
IGF (Internet Governance Forum)
2006
Multi-stakeholder policy dialogue venue under the UN
Annual UN-convened forum; no decision-making power but agenda-setting influence
ITU (International Telecommunication Union)
1865
UN agency for telecoms; sets some standards and spectrum policy
Traditional treaty-based intergovernmental body; the only Internet steward that pre-dates the Internet
📐
Why This Constellation?
The constellation evolved organically. Each body was created to solve a
specific governance problem at a specific time — IP allocation, standards,
domain names, policy dialogue. The result is not tidy, but it works:
no single failure can break the system, because no single
body can. This is a feature, not a bug.
Section 07
The Multistakeholder Model — Distributed Sovereignty in Practice
🎯 The Governance Innovation
A Deliberate Experiment
Unlike traditional treaty-based international governance — where only
nation-states have seats at the table — the Internet is steered through a
multistakeholder model. Multiple categories of stakeholders
meet as peers. No single voice dominates. Decisions emerge through
rough consensus rather than majority vote.
This is genuinely novel in global governance. It is part of why the Internet
has grown so quickly — innovation is "permissionless" in a way it is not
for, say, civil aviation or maritime trade. It is also part of why the model
is now contested by states that prefer treaty-based, sovereignty-first
governance.
🤝 The Five Stakeholder Communities
Section 08
Six Major Threats to the Global Commons
Six pressures, if unaddressed, would degrade or break the shared Internet.
Each is real, each is current, each is being actively fought over today.
🚩
Fragmentation
States carve the Internet into national sub-networks. Universal
reachability — the founding promise that any host can talk to any
other — gives way to gateways, blocks, and walls. China's Great Firewall
is the canonical case; Russia, Iran, and others are following.
universal reachability lost
👁️
Mass Surveillance
State and corporate interception erode trust, chill speech, and concentrate
power. The Snowden disclosures (2013) revealed the scale of state programs
like PRISM and Tempora. Commercial tracking now covers most of the public
Web through ad-tech telemetry.
trust eroded at scale
🚫
Censorship
Content blocking and protocol-level filtering restrict information flow
asymmetrically — citizens in some jurisdictions cannot reach the same
Web that others use freely. The result is an Internet of unequal access.
information flow restricted
🏭
Market Concentration
Three clouds (AWS, Azure, GCP), two app stores (Apple, Google), one
CDN (Cloudflare) — a handful of private actors now handle a majority of
global Internet activity. The CrowdStrike-Microsoft outage of July 2024
showed what one bad update can do.
single points of mass failure
🧹
Cyber Conflict
State-sponsored attacks treat the commons as a battlespace. Infrastructure
itself becomes a target: SolarWinds 2020, Colonial Pipeline 2021, NotPetya 2017,
AIIMS Delhi 2022. Civilian critical infrastructure is now routinely caught
in geopolitical crossfire.
infrastructure as battlespace
🌍
Climate & Energy
Data centres and networks consume approximately 3% of global
electricity and emit 1.4% of global greenhouse gases.
AI workloads are pushing those numbers up sharply. Sustainability is now
a structural concern, not a side issue.
structural sustainability problem
Section 09
Splinternet — The Fragmenting Commons
📖 The Existential Question
One Internet or Many?
The biggest existential question for the commons: will the Internet remain
one network, or become many? The term
"splinternet" describes the gradual fragmentation of the
once-universal network into national or regional sub-networks with limited
interoperability.
Fragmentation is not just a policy concern — it is a measurable, observable
trend. Five major patterns are reshaping the commons right now.
Five Patterns of Fragmentation
📍 Where Walls Are Being Built
China
Sovereign Internet. The Great Firewall blocks Google, Facebook, X, YouTube, WhatsApp, and most foreign news sites. Domestic alternatives (WeChat, Weibo, Baidu) are mandatory. Estimated to be the largest single-jurisdiction blocklist on Earth.
Russia
Disconnect Drills. The "RuNet" sovereign Internet law (2019) gives the state legal authority and technical capability to disconnect from the global Internet during "emergencies." Drills have been conducted multiple times since 2019.
Iran
National Information Network. A domestic intranet with throttled foreign access. During the Mahsa Amini protests of 2022, foreign Internet access was reduced to near-zero for weeks while the domestic intranet stayed available.
EU
Regulatory Fragmentation. GDPR (2018), DSA (2022), DMA (2022), AI Act (2024) create distinct compliance zones — companies must build EU-specific data handling, content moderation, and AI risk management. De-facto sovereignty without infrastructure walls.
USA
Decoupling Pressure. Sanctions, export controls, TikTok and Huawei bans split tech supply chains. The 2022 CHIPS Act, the 2024 TikTok divestment law, and ongoing semiconductor export restrictions formalise the split with China.
What Fragmentation Breaks
🔗
Universal Reachability
the founding promise
"One Internet" means any host can talk to any other. Fragmentation kills this. The same domain may resolve to different (or no) IPs depending on the country of the resolver.
👥
Cross-border Communities
diaspora, science, commerce
Diasporas, families, scientific collaborations, multinational businesses — all depend on a shared substrate. Walls disrupt all of them, often invisibly until the connection breaks.
📚
Free Flow of Knowledge
Wikipedia, journals, Stack Overflow
The open Web — Wikipedia, ArXiv, Stack Overflow, MOOCs — is fragile to balkanisation. Even partial blocking can cut populations off from the global knowledge commons.
🛡️
Collective Cyber Defence
threat intel, incident response
CERT cooperation, threat-intel sharing, vulnerability disclosure — all need open channels. Fragmentation hampers defence against the very attacks that threaten everyone.
Section 10
Surveillance — The Twin Pressures on the Commons
Surveillance comes in two flavours, both eroding the commons. State
surveillance uses legal powers (or quietly bypasses them) for security
and intelligence purposes. Corporate surveillance turns
user behaviour into data products. Both rely on the same plumbing — and both
treat privacy as a resource to be extracted.
🏭️ State Surveillance
Vector
Real Cases
Bulk Interception
Snowden disclosures (2013) revealed PRISM, XKeyscore, Tempora — programmes intercepting traffic at the backbone level
Legal Hacking Powers
Encryption back-door debates ("Going Dark"), lawful-access laws, US CLOUD Act (2018) for cross-border data requests
Cross-Border Requests
Mutual Legal Assistance Treaties (MLATs) strained by global data flows — average response time now years
Targeted Spyware
Pegasus (NSO Group, Israel), Predator (Intellexa) — commercial spyware sold to 30+ states, used against journalists, dissidents, lawyers worldwide
🏢 Corporate Surveillance
Vector
Real Cases
Behavioural Advertising
Real-time bidding (RTB) leaks billions of behavioural profiles per day to thousands of partners — the bidder ecosystem is largely unregulated
Data Brokers
Acxiom, Equifax, LexisNexis trade in location, health, financial, and demographic data — largely without consent or knowledge
Algorithmic Profiling
ML models infer attributes (political view, sexual orientation, mental health, pregnancy) that users never disclosed — and use them for targeting
Platform Lock-in
Data portability is theoretical; the switching cost is real. GDPR's "right to data portability" remains weakly enforced
⚠️
The Convergence Risk
State and corporate surveillance increasingly converge. Governments can
buy commercial data they would never be allowed to collect directly.
Companies routinely receive subpoenas for data they didn't even know they
had. The result is a hybrid surveillance system more invasive than either
pole could have built alone — and largely invisible to the user being
watched.
Section 11
Cyber Norms & International Diplomacy
Beyond the technical commons sits a diplomatic commons: the
evolving set of voluntary norms that govern how states should behave in
cyberspace. There is no treaty, no enforcement mechanism, and no court — but
there is a slowly-thickening web of agreements that constrain state action.
Key Processes & Instruments
Process / Instrument
Origin
What It Did
UN GGE (Group of Governmental Experts)
UN, 2004–2021
Produced 11 voluntary norms for responsible state behaviour in cyberspace, agreed in 2015 and reaffirmed in 2021
OEWG (Open-Ended Working Group)
UN, 2018 onwards
Successor to GGE with broader membership — every UN member state participates
Tallinn Manual
NATO CCDCOE, 2013 / 2017
Independent expert analysis of how international law applies to cyber operations; the de-facto reference work
Budapest Convention
Council of Europe, 2001
Treaty on cybercrime — 70+ ratifications; the only widely-adopted binding cybercrime treaty
Paris Call
France, 2018
Multistakeholder declaration for trust and security in cyberspace — 1,200+ supporters including states, companies, NGOs
Christchurch Call
NZ + France, 2019
Tech companies and states aligned against violent extremist content online, after the Christchurch mosque attack livestream
Examples of Agreed Norms
🏥
Don't Attack Critical Infrastructure
peacetime restraint
States should not knowingly damage critical infrastructure — hospitals,
power grids, financial systems — in peacetime. The norm is widely
violated but has growing moral weight.
🧹
Protect CERTs
defenders are off-limits
Don't target CERT / CSIRT teams. They are humanity's incident responders
— attacking them is like attacking ambulances. A relatively newly-agreed
but increasingly respected norm.
🤝
Cooperate on Incidents
respond to requests
States should respond to requests for assistance regarding malicious
activity originating from their territory. The norm fails in practice
where geopolitical adversaries are involved — but holds among most
democracies.
🏭
Don't Allow Your Territory to Host Attacks
due diligence
States have a due-diligence obligation to prevent their territory from
being used for internationally wrongful acts (ICT operations against
others). Strong consensus in principle; weak enforcement in practice.
🔗
Supply Chain Integrity
no back-doors in ICT
States should take reasonable steps to ensure ICT supply-chain integrity
— not insert back-doors, not weaken cryptography, not subvert hardware in
transit.
📋
Report Vulnerabilities Responsibly
don't stockpile zero-days
States should consider responsible reporting of ICT vulnerabilities they
discover. The norm aspires to a "vulnerabilities equities process" — but
most states still stockpile zero-days for offensive operations.
Section 12
Global Incident Response — The Commons Defends Itself
When attacks happen, the commons defends itself through a planetary mesh of
CERT and CSIRT teams (Computer Emergency Response Teams,
Computer Security Incident Response Teams). They cooperate faster than
diplomacy can — often within hours of a new threat appearing — and they
do it through voluntary trust networks rather than treaty obligations.
🧥 FIRST.org — The Hub of Global Incident Response
What Gets Shared (and How)
📢 The Five Streams of CERT Cooperation
IOCs
Indicators of Compromise. STIX/TAXII standardised feeds — malware hashes, command-and-control IPs, attacker infrastructure. The defender's equivalent of a "be on the lookout" bulletin.
CVD
Vulnerability Coordination. Responsible disclosure, CVE assignment by MITRE, coordinated embargoes so vendors can patch before public release. Handled by national CERTs in partnership with researchers.
Takedowns
Takedown Requests. Hosting providers, registrars, and sinkhole operators cooperate to take over malware C2 domains, seize illegal servers, and protect victims.
Forensics
Cross-border Forensics. Mutual aid in attribution and evidence preservation across jurisdictions. Often the only way to attribute state-sponsored attacks.
Capacity
Playbooks & Training. Joint exercises (Locked Shields, Cyber Storm), capacity-building programmes for emerging CERTs, common toolchains. The slow but steady work of building global defensive capability.
Section 13
DNS — A Critical Common-Pool Resource
📙 The Naming Commons
Thirteen Letters That Hold the Web Together
The Domain Name System runs on 13 logically-distinct root server
systems, named A through M and operated by 12 different
organisations across the world (one organisation runs two roots). Each
"letter" is not a single computer — it is a globally-distributed
anycast cluster, with the same IP advertised from hundreds
of locations. The 13 logical names actually map to 1,500+ physical
instances worldwide.
The DNS root is a textbook commons. It is a single global name space — one
root for the whole planet. It is operated by neutral, geographically-diverse
organisations. It is coordinated by IANA functions (now run by ICANN's
Public Technical Identifiers, PTI). And it is funded primarily by registry
fees and voluntary efforts.
📙 The 13 DNS Root Server Systems
✅ Why DNS Is a Commons
Property
Single global name space — one root for the whole planet
Operated by neutral, geographically diverse organisations
Coordinated by IANA functions (ICANN PTI)
Funded primarily by registry fees and voluntary efforts
Standards developed openly through IETF RFCs
🛡️ Threats & Collective Defence
Threat
Defence
Cache poisoning & spoofing
DNSSEC signing
Surveillance of queries
DNS-over-HTTPS (DoH), DNS-over-TLS (DoT)
Censorship via NXDOMAIN injection
Alternative resolvers (1.1.1.1, 9.9.9.9)
Registrar compromise
DNS-CAA records, registry lock
Section 14
BGP & Routing — The Trust-Based Commons
📙 The Most Important Protocol You've Never Heard Of
How 70,000 Networks Coordinate Daily
BGP (Border Gateway Protocol) is the routing protocol that
glues the Internet together. It is how an AS in Singapore knows that an IP
range "belongs" to an AS in Brazil — and that the best path to reach it goes
via Tokyo, Los Angeles, and Miami.
BGP runs on trust. Any AS can announce any prefix, and
historically the rest of the Internet just believed it. This was
fine when the network had 50 ASes who knew each other. It is not fine with
70,000 ASes including hostile actors. The result has been a steady drumbeat
of BGP hijacks — sometimes accidental (Pakistan Telecom blackholing
YouTube globally in 2008), sometimes deliberate (Rostelecom's hijack of
8,800+ routes in April 2020).
🧥
MANRS — Mutually Agreed Norms for Routing Security
Launched by the Internet Society in 2014, MANRS is the
collective answer. It is a voluntary commitment by network operators to
implement four pillars that defend the global routing commons. Over
900 ISPs, content providers, and IXPs participate. It is not a treaty, it
is not a regulation — it is a textbook example of an Ostrom-style commons
institution.
The Four Pillars of MANRS
🔒 MANRS Pillars — What Operators Commit To
Section 15
How the Commons Defends Itself — Six Voluntary Mechanisms
Beyond formal bodies and treaty norms, the real immune system of the Internet
commons is voluntary collaboration. Six mechanisms in
particular show what stewardship looks like in practice.
</>
Open-Source Security
shared code, collectively audited
Linux, OpenSSL, OpenSSH, BIND, Nginx, Apache — the Internet runs on shared
code that is collectively read, audited, and patched. The XZ Utils backdoor
(March 2024) was caught by a Microsoft engineer noticing a 500ms delay;
open-source made the discovery possible.
🧹
Bug Bounties & CVD
researchers as immune system
Coordinated Vulnerability Disclosure (CVD) and bounty programmes turn
security researchers into a planetary immune system. HackerOne paid out
$81 million in bounties in FY 2024–25 alone, with an estimated $3 billion
in avoided breach losses.
📢
Threat Intel Sharing
near-real-time IOCs
ISACs (FS-ISAC, H-ISAC, E-ISAC), MISP, AlienVault OTX, the Cyber Threat
Alliance — operators share Indicators of Compromise in near-real-time
across organisations, sectors, and borders.
🚀
Industry Sinkholes
malware C2 taken over
Researchers and ISPs cooperate to take over malware command-and-control
domains and protect victims worldwide. Microsoft's Digital Crimes Unit
has supported takedowns of ZeroAccess, Necurs, LabHost, Lumma Stealer,
and many others.
🔐
Let's Encrypt
free TLS for the whole Web
A free, automated, open Certificate Authority that has issued
6+ billion TLS certificates. Single-handedly turned
HTTPS from a paid luxury into a free default. HTTPS now protects
>95% of Web traffic — directly because of Let's Encrypt.
📚
Standards Bodies' Security Work
security in protocols
IETF, W3C, FIDO Alliance and others embed security into the protocols
themselves — TLS 1.3 (RFC 8446), QUIC (RFC 9000), OAuth 2.0, WebAuthn /
Passkeys. The best defence is the one users never see.
Section 16
Digital Public Infrastructure (DPI) — Building Public Goods on the Commons
🏘️ The Newest Wave
Society-Wide Digital Systems as Public Goods
Digital Public Infrastructure (DPI) is the emerging idea
that society-wide digital systems — identity, payments, data exchange —
should be built as public goods with open standards,
interoperability, and inclusion at the core. Not as walled-garden products
from a single vendor, and not as siloed government IT projects either.
The model is gaining traction worldwide. India, Brazil, Estonia, Singapore,
and the EU all run major DPI programmes, often serving hundreds of millions
of users. They show what governance for the commons looks like when it
works.
The Three Foundational DPI Layers
Layer 1
Digital Identity
Provable identity for citizens — enables KYC, e-signing, public-service access. Aadhaar (India), Singpass (Singapore), EU eIDAS Wallet.
Consent-based, secure data sharing between government systems and citizens. Account Aggregator (India), X-Road (Estonia).
DPI in the Wild
Country
Programme
Scale
What It Delivers
🇮🇳 India
India Stack — Aadhaar + UPI + Account Aggregator
1 billion+ users
National digital ID, instant payments, consent-based data sharing — UPI alone handled over 16 billion transactions/month in 2025
🇧🇷 Brazil
PIX
150M+ users since 2020
Free instant payments, 24/7. Now used for the majority of person-to-person transfers in Brazil
🇪🇪 Estonia
X-Road
nationwide since 2001
Data exchange between government systems with full audit trail. Citizens see every query made about them, by whom
🇸🇬 Singapore
Singpass
5M citizens, 700+ services
Federated digital ID for both public and private services. National authentication backbone
🇪🇺 EU
eIDAS 2.0 / EU Digital Identity Wallet
mandatory by 2026
Cross-border digital ID and credentials wallet — every EU citizen will be able to use one wallet across all 27 member states
Section 17
Net Neutrality & Open Access
Can the commons remain neutral when commercial pressures favour "preferred
lanes" for those who can pay? The principle of net neutrality
says yes — and three sub-principles operationalise it.
🚫
No Blocking
first principle
ISPs should not block lawful content, applications, services, or
non-harmful devices. The pipe carries what the customer asks for, full stop.
🔄
No Throttling
no preferential slowdowns
Carriers should not impair or degrade lawful Internet traffic based on
content, source, or application. Streaming video and email get the same
treatment.
💸
No Paid Prioritisation
no "fast lanes"
No "fast lanes" or "slow lanes" — traffic should not be sorted by who
pays the ISP. The Internet's competitive innovation depends on a level
playing field for new entrants.
Where Things Stand Globally
🌐 Net Neutrality by Jurisdiction
EU
BEREC guidelines enshrine net neutrality with limited specialised-service exemptions. Among the strongest formal protections in the world.
USA
Policy has oscillated with administrations: enacted 2015, repealed 2017, FCC reinstated Title II neutrality rules in 2024 — currently subject to court challenges. The US has been the most contested major jurisdiction.
India
TRAI banned discriminatory pricing in 2016 — the famous "Free Basics" ruling that blocked Facebook's zero-rated walled garden. Among the strongest net neutrality protections globally.
Brazil
Marco Civil da Internet (2014) enshrines net neutrality as a foundational legal principle — a "constitution" for the Brazilian Internet predating most other countries' formal rules.
Many others
Chile (2010, first in the world to enact net neutrality law), Netherlands (2012), Argentina, Mexico, South Korea — net neutrality protections vary widely but are gradually proliferating.
Section 18
AI and the Future of the Commons
🧠 The Newest Battleground
Generative AI as the Newest Commons-vs-Enclosure Fight
Foundation models — the large neural networks behind ChatGPT, Claude, Gemini,
and Llama — are trained on the Internet commons. They ingested
Wikipedia, open-access papers, GitHub, public web pages, books, conversations.
The commons fed them.
The resulting models, however, are concentrating power in a handful of firms
that can afford the $100M+ training runs. How this is resolved over the next
decade will define whether AI becomes part of the commons — or
enclosed atop it.
🌿 Forces Toward Openness
Force
Examples
Open-weight models
Llama (Meta), Mistral, DeepSeek, Falcon, Qwen — large weights released freely
Open datasets
C4, The Pile, RedPajama — training corpora shared openly
Open evaluation
HELM, MMLU, LMSys Arena, OpenLLM Leaderboard — common benchmarks anyone can run
Open standards
MCP (Anthropic), OpenAI-compatible APIs, ONNX, Hugging Face Hub
Open science
ArXiv preprints, EleutherAI, BigScience BLOOM — research conducted in the open
🔐 Forces Toward Enclosure
Force
Examples
Compute concentration
Frontier training requires $100M+ runs — only a handful of firms can afford them
Closed weights
GPT-4, Gemini Ultra, Claude Opus — weights private, APIs only
Data lockup
Training corpora getting siloed via exclusive licensing deals (Reddit-Google, OpenAI-publishers)
Regulatory capture
Compliance moats benefit incumbents over open models — frontier-model regulations may be easier for $100B firms than open-source contributors
Chip export controls
Geopolitical restrictions on advanced AI accelerators concentrate capability in a few countries
Section 19
Sustainability of the Internet Commons
The Internet has an invisible but enormous environmental footprint. Data
centres are massive consumers of electricity and water. Network equipment
becomes e-waste. AI workloads have pushed all of these numbers up sharply
since 2023.
⚡
Global Electricity Used
~3%
ICT — data centres, networks, devices — consumes approximately 3% of global electricity. AI workloads are pushing this share up rapidly.
🌍
Global GHG Emissions
~1.4%
Carbon emissions from ICT are comparable to the aviation industry. Largely invisible to users — but accumulating fast.
🚀
E-Waste Per Year
55 Mt
Million tonnes of e-waste generated annually. Less than 20% is properly recycled. Devices designed for replacement, not repair.
💰
ICT Recycling Shortfall
$10B+
Annual gap between the cost of proper e-waste processing and what is actually being spent. Most e-waste ends up in developing countries.
Paths to a Sustainable Internet Commons
🍃
Renewable-Powered Data Centres
24/7 carbon-free energy
Hyperscalers (Google, Microsoft, Amazon) committing to 24/7 carbon-free
energy procurement — not just net-zero accounting, but actually matching
consumption with renewable generation hour-by-hour.
⚙️
Energy-Efficient Protocols
do more with less
HTTP/3 over QUIC reduces round-trips. ARM-based servers cut watts per
query. Efficient codecs (AV1, H.265) reduce streaming bandwidth.
Architecture decisions add up to massive aggregate savings.
♻
Circular Hardware
right-to-repair, modular
Right-to-repair laws (EU, several US states), modular phones (Fairphone),
refurbishment markets, e-waste treaties (Basel Convention amendments).
Extending device lifetimes is one of the biggest sustainability levers.
📊
Transparency & Metrics
measure what matters
GHG Protocol Scope 3 disclosures, Power Usage Effectiveness (PUE)
reporting, Water Usage Effectiveness (WUE). Investors and regulators
increasingly demand auditable sustainability data.
Section 20
Two Futures of the Commons
The decisions taken this decade will determine which path becomes irreversible.
The two futures are not abstract — they are visible right now in current
policy debates, technical choices, and business decisions.
📋 The Fork in the Road
Section 21
Ostrom's Principles — Adapted for the Digital Era
Recall Elinor Ostrom's eight design principles from her
Nobel-winning work on common-pool resources. They were derived from centuries
of experience with fisheries, grazing lands, and irrigation systems — but
they translate remarkably well to the digital commons. Each principle has a
direct Internet analogue.
📍
1. Clear Boundaries
commons vs private
Define what's commons vs private. Protocols, the root DNS, the BGP table —
these belong to all. Particular products, networks, and content can be
private. Mixing the two creates governance chaos.
🏘️
2. Rules Fit Local Context
calibrate to reality
Norms must be calibrated to actual users and operators — not abstract
principles. The rules that work for a small ISP differ from those for a
Tier-1 carrier. One-size-fits-all governance fails.
👥
3. Participatory Governance
those affected have voice
Those affected by decisions must have a real voice in making them. The
multistakeholder model is the Internet's answer; it works imperfectly but
better than the alternatives have so far.
🔎
4. Monitoring
observable commons
Open measurement, transparency reports, audit trails — the commons must
be observable. RIPE Atlas, M-Lab, Cloudflare Radar, transparency
reports from major platforms all make the Internet measurable.
⚖️
5. Graduated Sanctions
proportional response
Proportional, escalating responses to abuse — not nuclear options as first
response. MANRS-style peer pressure precedes formal de-peering. Suspension
precedes ban. Bans precede legal action.
🤝
6. Conflict Resolution
fast, fair, low-cost
Fast, fair, low-cost ways to settle disputes — arbitration, ombudspeople,
Online Dispute Resolution (ODR). ICANN's UDRP for domain disputes is one
working example. Courts are too slow for Internet-speed conflicts.
🛡️
7. Recognition of Self-Governance
respect autonomy
External authorities must respect the right of stakeholders to govern
their commons. Treaty-based bodies that try to take over technical
coordination from IETF or ICANN have repeatedly failed — for good reason.
📚
8. Nested Enterprises
polycentric, not hierarchical
Layered governance from local to global — polycentric, not hierarchical.
An ISP, a regional registry, a global standards body each handle different
scales of the same commons. No single point of authority. Ostrom's final
principle, and perhaps the most Internet-native one.
Section 22
Key Takeaways — Six Ideas to Carry Home
🎯 The Distilled Lessons
01
The Internet IS a Commons. Open protocols, shared
infrastructure, voluntary governance — the most ambitious commons humans
ever built. It is also the only commons that grew from research project
to civilisational substrate in a single human lifetime.
02
Tragedy Is Possible — But Not Inevitable. Spam, DDoS,
surveillance, hyperscaler capture, fragmentation — all are classic
tragedies of the commons in digital form. Ostrom's lesson is that
well-designed institutions can prevent tragedy. The work is to build them.
03
Governance Is Distributed by Design. No single ruler —
ICANN, IETF, IGF, RIRs, W3C, ISOC, ITU and a constellation of bodies
steward together. The constellation can look messy, but it has proven
far more resilient than centralised alternatives.
04
Defence Is Collective. CERTs (FIRST.org, APCERT,
AfricaCERT), MANRS for routing, open-source security, threat-intel
sharing, Let's Encrypt — the immune system is communal, not central. It
works because people show up.
05
Sovereignty vs Openness Is the Big Choice. Tolerable
safeguards within one Internet, or many splinter-nets? Almost every
current cyber policy debate — content moderation, AI rules, data
localisation, encryption — is a proxy for this larger question.
06
Stewardship Is a Verb. Commons survive when communities
show up — in standards work, policy submissions, code reviews, classroom
teaching, voting, public-interest journalism. The Internet's future is
not predetermined. It depends on whether enough people choose to
steward it.
🎯
The Internet Belongs to Everyone — And Therefore to You
No nation owns it. No company controls it. Every router, every cable,
every name server is part of a resource that humanity has built — and
must defend — together. Whether you are an engineer writing protocols,
a policy researcher writing comments, a citizen showing up to a hearing,
or a teacher explaining how the Internet works — you are part of the
commons' immune system. The commons survives because people
choose to steward it. Be one of them.