Congress is to review the NSA surveillance program. We should thank Edward Snowden for this extraordinary occurrence. Snowden's revelations have revealed pernicious threats to our freedoms, privacy and, indeed, democracy. But Congress will not resolve them – because it cannot.

Karl Popper argued that the preservation of democracy requires independent courts, legislature and press to check and restrain otherwise overweening authority. Shockingly, Snowden has shown that, today, these mechanisms have failed.

But for Snowden, Congress wouldn't even know what the NSA is doing. Secret Fisa court hearings have served as little more than a rubber stamp in authorizing its activities. Only one or two tough-minded newspapers have taken on the fight.

Relying on occasional brave whistleblowers is scant protection for liberty and democracy. Popper wrote for the world of the 20th century. In the 21st, the internet has changed the game.

Much of our lives is now transacted on line. The data we produce are available to governments and companies in huge abundance. It is horribly clear that both the state and private actors, sometimes in cahoots, have grossly abused this access to intrude into our affairs and exploit information about us.

Congress may draw red lines around bugging Angela Merkel's cellphone, or reading Americans' emails, but a few new, broadly-drafted laws or congressional committees won't be enough. Government's and business's hunger for information is insatiable; their technical abilities to obtain it will only improve. Snowden has shown us that they cannot be trusted with this power.

The balance between the individual and state needs to be more fundamentally altered. New rules, in fact new kinds of rules, are needed. What is required is nothing less than a renegotiation of our contract with the state, and with each other.

The internet is profoundly different from earlier systems of human interaction and information. It is stateless, it is immense, it is a horizontal environment. It works because it permits the many to engage and share with the many, billions of actors in constant interaction. Such complex systems are inherently resistant to top-down management: they are too vast and unknowable; they adapt to changes very quickly and unpredictably.

These characteristics impel governments to respond by sucking up more and more data, as they try desperately to track an immense and multiplying universe of information. At the UN and elsewhere, more authoritarian governments want to put the internet under more coercive control, with laws and treaties to restrict and monitor what happens there.

Governments do not seem able to balance the tensions between privacy, openness and security manifest in the internet. Their innate reaction to its sprawling complexity is to control and to intrude, threatening privacy, freedom of speech or sharing of ideas: the very things that make the internet great.

To protect these things and to regulate the system effectively, we should not look to government but to each other. In complex systems, order emerges from the bottom up, from the collected actions of individual agents. The internet doesn't need new laws from on high, but new standards or norms that are collectively agreed and then enforced.

These standards should comprise strictly defined protections for private data and rules for interaction and conduct on the internet, between us, private companies and governments. Our personal data, for instance, should be held by us, not by others. Companies will need our explicit permission to access it; governments should require tightly limited legal warrant.

These standards would need to be agreed, and evolve, in an open deliberative process that should involve private individuals, companies and indeed government. All should commit to them, and agree to police them. The preservation of our freedoms implies a responsibility to protect them, too.

A company that dishonestly exploits its users' data, for instance, might be publicized and the perpetrators shamed, in the way that Anonymous has begun to do, albeit untidily and arbitrarily. The eBay rating systems have shown that good behavior can be collectively promoted without coercion. For the violent and criminal, enforcement must remain government's preserve.

I am not proposing free-for-all internet vigilantism or mere selfish libertarianism, but a rebalanced contract between people, companies and state, where all make and supervise commitments to privacy, transparency and collective safety: a new social contract, but not between government and us, but between all and all, self-government and regulation that conforms to the nature of the internet itself.

Congress is designed for an earlier world of clearly delineated states and point-to-point communications. It is unlikely to grasp that its methods and laws are ill-suited to the new virtual reality. Any organ of state will inevitably reject rules that are generated and enforced by all, and not a singular authority.

Snowden has shown us many remarkable things. But perhaps, the most important is that the old ways of arbitrating our freedom, privacy and security don't work anymore. The internet is an extraordinary and unprecedented new world. It demands new kinds of rules – not government's, but ours.