
IN JANUARY 1989, two engineers – Cisco’s Kirk Lougheed and IBM’s Yakov Rekhter – sat down in the cafeteria at a technology conference in Austin, Texas.
The two men were looking to work out a short-term fix to help address problems with the way data flowed across the fledgling internet, which at the time connected about 100,000 computers across the world.
Advertisement
In the spirit of finding a fudge, they scribbled a new protocol across either two or three napkins. (They can’t recall how many and didn’t keep the originals.) This protocol was adopted as the new standard for determining which physical routes data would take to traverse the network.
More than 25 years later, the “three-napkin protocol” is still in place. But in the meantime, the internet has become critical global infrastructure – central to the business operations of many of the world’s largest companies, the planet’s information ecosystem and the daily behaviour of about half the people on Earth.
The protocol that Lougheed and Rekhter devised – known as Border Gateway Protocol (BGP) – in their lunch break was far better than either realised, but it isn’t what you would design for a secure global network that we all rely on.
The process works a little like transponders to guide aeroplanes: computers on the network can tell you whether you are heading in the right direction to get to, for example, Paris. But there is nothing stopping someone from lying.
In one famous example, Pakistani authorities looked to block a YouTube video they had deemed offensive and ordered their internet providers to do this. One company did so by using BGP to direct anyone looking for YouTube in Pakistan to a dead end.
No one had hacked or damaged YouTube, but no one was directed towards it. Unfortunately, this new “route” to YouTube wasn’t restricted only to this firm’s users. Thanks to human error, the Pakistani internet provider recommended its new route across the world, taking down YouTube for millions of users.
This is just a single example of what happened with one protocol. Users can be misdirected, intercepted, blocked and put at risk by numerous vulnerabilities built into the creaking infrastructure of the internet, and efforts to fix it are painfully and dangerously slow.
The internet was born as a US-funded collaboration between universities, with rules agreed by common consent between the academics involved. To this day, the operation of the protocols to make it work are set out not in a rulebook, but in a collection of “Requests For 91ɫƬ”, a passive-aggressive title chosen to avoid conflict, and one that has stuck for five decades.
The internet turned 50 last year. For its first two decades, it grew slowly between institutions that already knew and trusted each other, then exploded through the 1990s and beyond to what we have today. The opportunity to retool the network, if it ever existed, wasn’t taken. We can’t rebuild from scratch; we have to fix what we have.
One of the biggest challenges in doing so is that the internet is largely operated by consent and by slow, grinding consensus. There is no overseeing authority, no one setting global laws.
This has happened not least because, for most governments, the only thing worse than no one controlling the internet is someone else controlling it. Yet this lack of authority is a worry, because our lives, our data, our communications and our physical infrastructure are moving online.
None of these issues will get easier. The best time to decide who runs the internet was decades ago. The second-best time is now.