
FINISHED COPY

NINTH ANNUAL MEETING OF THE
INTERNET GOVERNANCE FORUM 2014
ISTANBUL, TURKEY
"CONNECTING CONTINENTS FOR ENHANCED
MULTI-STAKEHOLDER INTERNET GOVERNANCE"

02 SEPTEMBER 2014
09:00
WS 112
IMPLICATIONS OF POST-SNOWDEN INTERNET LOCALIZATION PROPOSALS



***
The following is the output of the real-time captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record. 
***

>> NICOLAS SEIDLER:  Hi, everybody.  My name is Nicolas Seidler.  I'm a policy advisor at the Internet Society.  I'm co-organising this workshop with CDT.  Thanks a lot for coming.  It's great to see a packed room at the very beginning of the IGF.  Before we start I'd like to mention that this workshop is part of a sort of self‑organised IGF fragment issue track which basically includes our workshop which focuses on localisation but fragmentation might be an outcome or not.  There would be a workshop tomorrow.  And on Thursday the Internet project will have a workshop as well on this issue and on possible frameworks to do transnational legal issues.  So at the very end, Paul and people from CGI can give you information on all those sessions.  
So why are we here?  The past few months we have seen an increasing number of initiatives reflecting a desire to further localize the Internet within national original subsets.  Actually many of these reactions have been a direct follow-up of disclosures of surveillance.  So today is not necessarily surveillance per se but some of the policy reports that we are actually still seeing to this day under the umbrella of Internet organisation.  What are we talking about in concrete terms?  A few examples.  For example, we have seen measures to making it mandatory for companies to build local data centres, to continue in countries where they provide services, for example, Facebook or Twitter.  
There is an example of a law that was recently passed in Russia in that respect.  Beyond that there is sort of other category of localisation proposals which also relate to cables and routing.  The countries have a project to build a BRICS cable.  There has been a big announcement of a new cable between Europe to avoid reliance on the US to route traffic so that's a type of proposal we see as well.  Finally we also see within Europe announcements that there should be maybe a European cloud to better protect citizens at the international level.  Germany has been vocal in saying we can do a national e‑mail system that is secure as well.  So we will get back to these examples during the discussion.  So it really seems that national territories sort of making a comeback on the Internet, if it actually ever left.  
But localisation is a mixed picture I think we will find out in this panel if we take the example of Internet exchange points which allow to keep local traffic local, that can be a very positive force to improve the speed and reduce the costs of Internet traffic.  As well more cables can also generally be a good thing for Internet resilience so it's a really mixed picture.  
And the question is how can we make the difference between good and bad localisation policies as a response to surveillance?  How can we distinguish between those which are useful for the Internet and for users from those that could maybe possibly lead to a fragmentation of the network?  So speakers here will help us hopefully make the difference.  This is my pleasure to introduce you to our speakers on the very left Sunil Abraham, Jari Arkko, Christian Kaufmann from Akamai, and Emma Llanso from CDT.  
So let's dive into it.  Just so you will be prepared, I would like to have a very interactive discussion and I see many people here who will probably have great insights to provide which is the good thing you have as much experience in the audience and on the panel.  I would like to start to ask the panelists their thoughts on this sort of first bucket of localisation proposals.  The first I would like to talk to these requirements to store data within a specific jurisdiction.  So we have seen several examples of making it mandatory to require storing critical data on service physically located into a country.  Just three examples, there are many more but just to give an idea, early 2014 in India, the Indian national security council has proposed to keep the data related to communications among Indians within the country.  So that means all e‑mail service providers may be mandated to host servers for their Indian operations within India.  And all data generated from within India should be hosted in these Indian‑based servers which would make them subject to Indian laws.  
So that's one example.  Another one in Russia in July 2014, president Putin signed a law that would require operators to process and store Russians national personal data within Russia.  The new law would require companies serving traffic within Russia for at least six months starting in September 2016.  The example ‑‑ well, basically in Brazil originally there was the intent to force operators of online services to store Brazilian data only in Brazilian data centre but that didn't make the cut in the final version.  
So basically two questions for the panel.  The first one can actually focus on the geographic location of data be effective in increasing the privacy of users for surveillance, first question that is effective for the intent that is expressed by these initiatives.  And the second question beyond privacy what are the risks and benefits of these measures on user choice, on innovation, on business discussions and expression online on how Internet works basically.  What are the sort of side effects of those measures whether good or bad?  So please feel free to jump in.  
>> Yeah, if I start quickly on the first one, is it effective in terms of providing privacy and I claim that's actually pretty difficult but countries are basically large entities and there's lots of networking there, lots of people, lots of networking between you and someone else when you communicate, so and in this number of companies and types of equipment involved when you do anything.  So if all you are doing is sort of drawing this border around the network, you're not that secure.  All it takes is one entity somewhere along the path to be compromised in some fashion.  And we have seen examples of countries demanding that their companies, for instance, hand over data even in their overseas options.  
The number of participant in communication I think would be more effective than pure drawing of maps.  But I'm not necessarily 100% opposed.  There's no answer here.  Depends on what you're doing, if you're the government and you are asking for some of your critical services to be done by some contractor, of course you can set your requirements and keep the data of your health care system in the country, that's completely fine.  
>> I do agree with everything that was said.  I want to add to that.  To the extent a lot of things localisation proposals are response to anxiety over US government surveillance but every government engages in surveillance but for the fundamental privacy of the Internet user I don't think these help a lot.  In many countries I don't think they would even help with surveillance.  
My bigger motivation is the second of the questions for the openness of the Internet.  Mozilla was built to advance the Internet and it's definitely our view that mandatory mandated localisation is contrary to the open Internet.  As an organisation we don't even practice staff localisation in Mozilla.  When we hire someone we want them to say where they are and we work via video conferencing.  We don't want our staff to be localized much less their Internet use.
>> EMMA LLANSO:  And just to add in agreement with Jari and Chris, to the extent these are presented to people as this is a way to keep your data in your country protected by your laws, that really requires the cooperation of the government where the company is located.  And it's not clear that you're always going to be getting that cooperation.  So a good example of this is the current Microsoft Ireland case.  
This is a case where US law enforcement is trying to compel Microsoft to turn over content information for a data centre that it stores in Ireland.  Microsoft is challenging saying this is extra territorial, using law enforcement to seize data that is held in Ireland.  They should be using the multilateral legal assistance treaty to get this data.  
The US government's response in the case is this has nothing to do about us going into Ireland, Microsoft is a US corporation and we are telling a US corporation in the US to turn over information they have control of.  If you have these two fundamentally different ideas, then I see data localisation mandates not necessarily being responsive to keeping an individual's data private, it's going to put more companies in this position of tension between the laws of two different countries which is not necessarily going to do anything positive for user rights.  
>> NICOLAS SEIDLER:  Thanks, Emma, I'll get back to you.  So Kenneth, you mentioned that creates I guess difficulties for businesses on how they can respond to those question.
>> KEN CARTER:  I wanted to speak directly to that.  My name is Ken Carter.  I work for a company called CloudFlare. I want to tell you about my business first and what the implications of these changes might mean for us.  CloudFlare provides web security and a variety of other features.  We do this by having 28 points of presence globally in 20 countries on five soon to be six continents.  From those data centres we broadcast same IP addresses so we can absorb attacks which originate all over the world.  The network learns from what it sees.  In any given hour we see about 7% of IP addresses.  
So the network grows smarter based on the information it sees and that data is all aggregated.  We can't keep it.  We are generating about an iPhone of data every couple of minutes so we have to aggregate it and purge.  But we cannot provide a global service acting locally.  We see threats emerging some several countries and use them to protect customers in other countries.  So to the extent we were forced to localize, we could not comply with that law and we could not do business in this country.  That's the bad news.  
The good news is, as a starting up company, we are transparency is one of our competitive assets and we tell our customers exactly what we do.  We have a very simple, very readable privacy policy.  We publish a transparency report semiannually so our customers know what we do with our data.  
>> NICOLAS SEIDLER:  Thanks, Kenneth. And then Sunil ‑‑ I'm sorry, Christian and then Sunil.
>> CHRISTIAN KAUFMANN:  I'm Christian from Akamai. It's good to compare that part.  If you have a global business and roll out your services in a lot of countries but every country is different and that produces costs.  You have to have people to understand what is going on in that particular country, then that adds complexity and costs which at the end of the day either the customer or end user have to pay for.  
So if you go for data localisation on a perspective and handle that differently that increases costs for all of us.  On top of that it makes it for startup companies more difficult to do something.  Startup companies rely on a global scale that everything in the Internet works the same.  If you send the data to Germany or the US, it's the same.  There is no difference in that part.  
If you have to do it different in every case, then as a startup you probably can't do it so that certainly hinders innovations.  On top of that as a positive point it probably helps your country and the companies in that country because now they can make a more customized tailored solution but everything which is a global service is certainly a problem.  
Imagine a random social media, something like Facebook, you're using.  The benefit is that you can use it with all your friends, all over the world.  But if everyone has a different social media in every country which are not connected, you either have to be part of 20 of them or you basically just see your local friends.  Imagine that.  
>> NICOLAS SEIDLER:  Christian just a follow-up question.  What are the criteria in general that goes into deciding where you are going to locate the server?
>> CHRISTIAN KAUFMANN:  There is a big difference and talking about me but patiently true for CloudFlare as well.  What CDNs do is we bring content closer to the end user but that content for most of the time is not specific.  If the person in India for my example in Germany downloads a particular website the website is really the same.  There's not necessarily end user data coming with it so we deliver the same picture, the same video.  But if you actually buy something like in a shop, then these personal data your credit card information, where you live, is actually not where the CDN, it's with the owner of the shop for which we distribute the content.  
So we are like an ISP but do not see only your private data.  So when we put service in various countries we do that performance, redundancy, we don't see end user data.  The end user data if you buy something from a customer of us goes to his service but his server might be centralized.  But the server you get the content from is in the particular countries but we do not see the individual data.  That is done since 15‑20 years, since the beginning of the Internet so there's nothing specific there.  But the idea that we are now fragmenting the end user data so the end user data and all your privacy stuff stays in the country is a new country.  
>> NICOLAS SEIDLER:  Thank you, Christian, Sunil, would you like to share?  
>> SUNIL ABRAHAM:  To make things a little more exciting for the people in this room, I will try and disagree.  On the first thing which is surveillance, what our panel members have told us is it makes no difference, surveillance will be exactly the same.  But just compare the people of India and the people of China.  The people of China are surveilled upon by their government.  The people of India are surveilled upon by our government and the US government so that's one government less so it does make some difference if it is technically possible and all of us know that's a really big if.  
Second, in terms of startup companies, I have always believed that evil is a function of size.  The smaller you are, the less potential you have for harm.  And since you have less potential for harm, the governments are less interested in you.  So governments rarely send user data requests to small companies but they do regularly with large companies.  So therefore the argument which distinguishes small companies from large companies perhaps does not hold.  
Number three is mostly about the drama because finally the government wants equal treatment if the US government has such pervasive access to data sets from the global Internet giants then all the Indian government wants is to have roughly the same access.  And what you see mostly is the big dance in the media.  Indian governments want such and such from BlackBerry and BlackBerry says that's not technically feasible and all these stories kind of go out and we never hear the end of the story because according to Civil Society some deal is struck.  So a data localisation request is not so much a serious policy proposal as much as a negotiation tract technique.  
Twitter and Google who previously stood before Indian culture and say we are just marketing in this country, we have nothing to do with the servers now saying we will comply with Indian laws.  In that sense we should see drama as anything else.  Taxation.  All our Internet giants have tax evasion, tax avoidance.  Income tax act section 9‑1‑A, income of the business deemed under this clause to accrue or arise in India shall only be part of the income that is reasonably attributed to the operations carried out in India.  
So the data localisation requirement also strengthens the case of the tax authorities because they can then claim that the party providing the service and the party accessing the service and all intermediaries between them, the nation state, and therefore those transactions should be taxed within India.  Finally, what China does with its history of data localisation mandates is really clear to the preferential market access and it helps local companies build of course there are many other aspect to it.  Unfortunately in India because local companies are not that competent, that's not a useful strategy for us.  It isn't as if an Indian organisation can build a globally accepted.  It works in other countries but not in our country.
>> NICOLAS SEIDLER:  That's interesting because actually many assumptions as well on these data localisation requirements are in a way that's a sore strategy for governments or countries to sort of boost, you know, sort of own national products compared to the international competition.  That's an interesting point as well that you make between big and small companies.  Our big company is going to in any case compromise with government requests to stay in the market.  That can be a case.  I would actually like to open the floor now.  I think that's been a very good overview and good insights already on this topic.  So please, raise your hands and ask questions.  Rudolf?  
>> AUDIENCE:  Yes.  Rudolf van der Berger.  What I think is often forgotten with these data localisation requests are there that are many economic reasons why data is brought outside the country because under normal circumstances you wouldn't necessarily bring the data out of the country for practical purposes you want growth from Mumbai via London that, just doesn't make sense.  In the way the Internet works in many countries at the moment it does make sense.  First of all we have telecommunications companies who refuse to interconnect locally unless they get paid massive transit fees.  That is a problem.  
We have several countries that still do not have Internet exchange points so that makes for major problems.  And we have countries that have very unreliable electricity and difficulty of doing ease of business.  We did a survey that showed, for example, to take two countries which are a bit ‑‑ and a member, Greece, 19% of websites are hosted in Greece out of the top 1 million most popular sites.  81% of Turkish most popular sites are hosted in Turkey.  The countries aren't too far apart so you won't think regional differences make a difference.  But for the Greeks 81% of their sites are hosted in Germany, the US, Netherlands, places like that.  
If you have data localisation rules, well you may first wants to have a look at your own market and see what is wrong there, why the data is outside.  And the same goes for traffic that's routed abroad.  Why does every middle eastern route its traffic via London.  Or when you sent traffic I think it was from Kuwait to Saudi Arabia, it literally goes around the world from one country to another.  That just doesn't make sense.  If you then are afraid for spying, well, maybe you brought it on yourself.  
>> NICOLAS SEIDLER:  Thanks, Rudolf.  Any reactions from the panel?  Otherwise any other questions on the floor?  Yes, please?  
>> AUDIENCE:  John.  I'm interested in your thoughts about what might appear if these are implemented if we see trade disputes forming as a result under the gaps, for example, trading Internet services.  We mentioned a preferential market access of localized service.  We might see world trade organisation settlement distributes resolving these issues and I'm interested in your thoughts about stakeholder resolve meant with those processes.  
>> NICOLAS SEIDLER:  Anybody?  Trade issues?  No?  Okay.  I'll take the next one and you can think about it.  The lady here and then the gentleman offer there.
>> AUDIENCE:  Thanks.  My name is Sarah Ludford; I'm now a member of the UK parliament house.  I'm sorry I missed some of the panel but I came in just as the speaker at the end here was talking.  But it seems to me talking about the example Microsoft and Ireland.  I was involved in negotiations on the new EU data protection legislation where we tried indeed we deliberately in a sense set up that tension to say that data belonging to Europeans could not be handed over to a foreign court without there being an international agreement to govern that.  
So it seems to me and I'm afraid I'm on a learning curve here, I'm not the expert that many of you are, but it's less about this sort of physical localisation of the data, it's about legal jurisdiction.  I mean, it's about claims for territorial and extra territorial jurisdiction and what is the definition of extra territorial.  But from the approach of the European parliament and data protection forum, it's about data belonging to Europeans, doesn't matter where it is.  It's got European jurisdiction over it if it belongs to Europeans.  So to me it is more about the kind of legal jurisdictional issues.  
>> NICOLAS SEIDLER:  So that's a very good question.  Is it less about the physical location of data than the people who own the data?  And then Paul you can jump in on your panel, please.
>> EMMA LLANSO:  I think your comment points to the protection that policy reform is going to come from in this case the US and the EU working out or the US and Ireland in the Microsoft Ireland case coming to an agreement that they're going to use the MLAT process as opposed to this compulsion of data just in the fact that Microsoft is incorporated in the US.  It's important to be very precise about what we mean.  Are you talking about a legal mandate that you cannot serve the people in a particular country without having a server in that country?  
And that is a particular mandate and is what is concerning many of the panelists.  But questions of jurisdiction have always been a challenge for online data flows.  And the considerations that Christian was talking about of, you know, what are the considerations that a company makes when deciding to put a server and to put themselves in the jurisdiction of a particular country?  I mean those are very important and I think that's something that each of these companies is having to work through.  
>> NICOLAS SEIDLER:  Thanks, Emma.  At the same time I think it's I guess it's getting increasingly complicated to ‑‑ I mean I can be a Swiss citizen and set up a G‑mail account in Australia claiming that I'm from Germany.  So I guess at the same time finding the jurisdiction that applies is a very difficult thing.  Kenneth, then Sunil, then Paul.  
>> KEN CARTER: I wanted to respond directly with a request and I ask you to do this very judiciously and not not conflicting legal duties.  CloudFlare, we tell our customers what to do with their data.  If I were to get a FISA order I would have to obey that order.  You may not like FISA court, it is however a court.  Being a court doesn't ensure great legal jurisprudence necessarily.  It's brought you such cases as Dred Scott and Bush v. Gore.  All those are really bad outcomes but it is a court.  So I ask that just to be mindful of the fact that if I have two conflicting legal obligations I'm not sure how I would resolve that.  
>> NICOLAS SEIDLER:  Sunil?  
>> SUNIL ABRAHAM:  Perhaps a small point on whether data localisation requirements would be in violation of international trade agreements.  I think there are exceptions in these trade agreements specifically for national security and those are the very same exceptions that the US government exercises to prevent equipment from being used in the US Internet so similarly it will be justified and as we know whether it's free speech or data localisation, national security is a magic word and can accomplish absolutely anything.  But of course somebody will have to test this by taking a complaint.  
On the MLAT and mall will be able to talk to this in much more detail because the Internet jurisdiction project is looking at this closely, the one of the members of the central bureau of investigation in India who is not heading some kind of coordination project in Singapore told us that the average length for an MLAT process is two years and by all other evidence has disappeared and very difficult to successfully prosecutes somebody in India if you go through the MLAT process on the large Internet corporations.  Thank you.  
>> NICOLAS SEIDLER:  So first Paul, Jari, and then we take another question.  So Paul is one of the reasons why we see all these requirements a result of a weak MLAT process?  
>> Yes, I think so.  My name is Paul.  I think the problem is the traditional modes of interstate legal cooperation we have today are not adapted to the realities of the Internet where most online interactions involve multiple jurisdictions at the same time.  And as Emma, Sunil and the lady from European parliament have alluded to, the MLAT was not designed for this.  It's not designed to handle those realities.  Basically if we want to have a refragmentation of cyberspaces of infrastructure, we need to develop frameworks of national requests for user data in an appropriate manner.  
And this is what the Internet and jurisdiction project wants to achieve.  Something that might be interesting in the debate is also to have a look at democracy.  
There was a long debate whether to include the requirement to store data locally or not.  What is now included is a provision that actually establishes Brazilian jurisdiction for every use data related to a Brazilian citizen regardless of where the data is stored.  So I think this will be the new standard that regardless of where data is stored, we need to find ways that national jurisdictions still apply.  
>> NICOLAS SEIDLER:  So just to follow-up, remarks by Sunil, Jari and sorry, thank, you've been patient.
>> SUNIL ABRAHAM:  I think in 2008 the Indian act made such a claim that if harm is caused to Indians or Indian property that Indian jurisdiction will apply.  But it's mostly a meaningless statement in law because why will law enforcement in another country expect your expansion of jurisdiction some it sounds like a solution but it really isn't until there is heavy overlap in both substantive and procedural law.  Thank you.
>> So many problems.  What to do.  I think it might be useful to try to turn this discussion around a little bit to thinking about what can we do, what are the useful things?  And I agree with Sunil, that pervasive surveillance is a bad thing and we need to do everything we can to reduce its effects.  More IXPs, more cables, those things are very good.  We should do that.  That's a good task for all of us in the industry but they are not always used because of perhaps competition or other issues.  I think there's a role for governments and regulators in competition agencies in countries to look at this, and to make sure there's nothing that blocks their country from employing all of those good things.  Another thing that I think would actually be useful is to have some visibility or understanding to the societies and even individual uses, where their data is so people understand what is happening.  
And related to that I think it would actually be useful instead of thinking about this as government's fighting or in court cases and such, what if this privacy thing, you know the good service, this particular cloud service gives you good protection against, all kinds of bad things.  What if that was something that the users would think about and would pick those things over the ones that have worse performance, I think that is something we should try to generate in the world.  And I think there's possibilities for that.  
I'm maybe speaking in favor of my own country because in Finland we currently have a situation with regards to surveillance and so forth so services in our country could probably be marketed for these reasons, although the Finnish government may not be clever enough to actually told this considering adding some civil regulation to do further surveillance or do some surveillance.  But I think it will be really, really important thing for the world to start thinking about what is it we are using and is it good enough for our purposes as opposed to just dictating in that country you have to do X.
>> NICOLAS SEIDLER:  Thanks, I think there's going to be many points we can get back to.  Please just hold your thoughts, gentleman, you've been very patient.  You have a question for the panel?  Thank you.  
>> AUDIENCE:  Hi.  I'm Mike Godwin.  I'm speaking in my individual capacity today.  I think one of the questions I would like to see the panel squarely address is what seems apparent to a lot of libertarians which is the data localisation requirements that are being promoted as a response to bulk surveillance by the United States and the United Kingdom in fact are being sought by some governments to enable greater surveillance over their own citizens.  Why is this not being squarely addressed as the covert agenda in the post Snowden era?  
In Thailand the Royal Thai Police were seeking subscriber information of a Thai social network that was based in Japan.  The thing that stopped them from getting that information about their Thai citizens was Japanese jurisdiction.  They were unable or unwilling to navigate Japanese procedural protections to get the information on Thai citizens using the Japanese‑based Thai social network.  It certainly is a better world for policemen in which data localisation is required everywhere but how is it better for ordinary people?  
>> NICOLAS SEIDLER:  Good question.  
>> So from what I understand, if you look at any of this surveillance measures of the Indian government, this is the central monitoring system, none of them will accomplish 100% surveillance of the population.  They are all targeted surveillance measures.  It must be only the US government that engages in this type of blanket surveillance.  So I don't know enough about China to speak of that question.  But in Indian Indians would prefer target surveillance to blanket surveillance.  That's an easy question to answer.  Thank you.  
>> AUDIENCE:  (Off mic.)
>> I do think I know your point.  To the extent that these are reactions to Snowden it doesn't really help with individual Internet user privacy because every government engages in surveillance.  Some very, very aggressive surveillance.  I want to see if I can offer a couple of principles here and to get to Jari's point as well that it's not just the localisation law's panel but rather all things localisation.  I think there's an initial question which is whether what is being sought is increased access through legal measures to data for purposes legitimate or illegitimate as one interprets based on the context.  And then there's technical.  A lot of the reasons why there was the sort of reaction at the beginning of this panel was from the technical side.  So within the technical side there's also a subdivision which is whether what we are talking about is an additive mechanism per increased technical access locally such as adding Internet exchange points or adding cables and then there's a negative version which is mandates that limit the free flow of information around the world, that's the thing I react most strongly and most negatively to.  
And the legal side is entirely different and there's a subdivision there as well between sort of direct legal jurisdiction like the inclusion that Paul mentioned like what the US and the EU were doing, Microsoft is a good example of this, trying to get direct without going through any countries.  If you are touching my citizens or exist in my country I have jurisdiction over you.  So we have legal and technical.  Within technical we have additive and negative.  Within legal we have direct and international.  
In my head I put a check mark on two of these boxes.  I think technical additive measures, although you could say they increase some country's capacity for surveillance are nevertheless in my book good things because they improve the openness and free flow of information.  I think MLAT reforms are something that most of us in this room would love to see.  We would love to see less than two years to process an MLAT claim.  I have a big red X in my head on technical negative measures, free flow information and overt jurisdictions I have a question mark because I think it's complicated and contextually driven.  
>> EMMA LLANSO:  I wish we had a white board because I think it's what you called the technical additives, things like IXPs, or efforts to use the CDN or other ways of voluntarily localizing data and information in a particular country and to Mike's point, I think when we are thinking even through the technical additive mechanism what we need is to be able to think not just from the technical side but also from the legal and policy side what are the laws, at this IXP, who is connecting, who controls it, who is able to use it for all of the benefits of bringing an Internet exchange point but ask many governments come in and surveil there.  
I think I guess to Mike's point, as we are looking through these different localisation mandates or proposals to really think not just what would this mean for US surveillance but also for domestic surveillance, I have this instinct of trying to separate them, but these are proposals that are brought about yes to pursue surveillance in that country but also to push back against NSA surveillance and to push back against global surveillance.  As much as I want to see that, I mean I really do want to see that for everybody, but I think we are going to just kind of keep coming back into these circular conversations because there are multiple motives to each of these proposals.  
>> NICOLAS SEIDLER:  Thanks, and I wish we had a white board.  Just a question, do we have any questions or remarks from remote participants?  No.  Okay.  So I'd just like to briefly get back to one of the points that Jari made.  I mean, if we now sort of take a positive approach of what can we do to address surveillance, you mentioned that actually offering probably better services would be one thing in terms of government reactions, for example, Germany has stepped up and they said I mean actually they have created a national e‑mail system which they claim is more secure for citizens encrypted so that's one thing.  Me coming from Switzerland we start seeing things with a big push from some companies saying okay we are based in Switzerland, we have a very good legal framework here, we can be a safe haven to store data.  So what are your thoughts, first of all, Jari on those claims that can be a more privacy protecting sort of national e‑mail system, for example?  
>> JARI ARKKO:  I'm not a big friend of e‑mail systems in terms of when we had disconnected e‑mails.  A lot of the value from the Internet comes from the global nature.  We all have friends and suppliers and customers in different places.  Instead of geographic localisation I would advocate cryptic localisation, using technology to limit the particular number of people, not the area but the entities having access to your data.  I'm not familiar with the details of the particular proposals in Germany and elsewhere but I think there's technology today that can be turned on like e‑mail server to server encryption is an example that would be useful.  And I think we need to look at those kinds of things, that's one of the additive technical measures, not just IXPs and cables but dealing with high‑level mechanisms.
>> NICOLAS SEIDLER:  So the better our user have to protect themselves with tools?  
>> JARI ARKKO:  I think the users can use that but a lot of the service providers can do, like server to server protect.  End user e‑mail is difficult unfortunately.  
>> SUNIL ABRAHAM:  Even in India there is proposal, I think there's been opportunities on which the Supreme Court has scolded the government saying governments, bureaucrats should stop using Google and other free e‑mail services.  You must use one single government provider and that e‑mail service and that service is not really reliable and therefore bureaucrats don't use it.  What we should have instead is multiplicity both the vibrant local market and vibrant international service provider who can provide secure e‑mail and that's a complication because the years of free e‑mail provision has resulted in a situation where we can't add forward mail administrators anymore and they don't exist.  That breed of professionals.  
15 years ago I could administer my own mail server but today administering a mail server has become quite a complicated thing.  So very difficult to overnight build capacity, whether it's human capacity.  And the solution of centralized national service is as vulnerable as using an international service.  The trouble with cryptographic solutions unfortunately is they interfere with in India what we call the right to information or public requirements that government should have access to everything that the bureaucrats do.  So if you cover it up so finally then very difficult for the government to know what bureaucrats are doing as well.  
>> NICOLAS SEIDLER:  Thanks.  Marco?  
>> Yes.  Is this on?  Yes.  Marco, Regional Internet Registries.  I'm with Jari in that some of this can be done technically but indeed the customer will pick whatever he thinks is the best service and we shouldn't drive him into a particular direction.  But as far as we can take it technically and I think Paul was on that track as well, there was also a whole other thing.  And we have to acknowledge that the Internet is largely built on trust.  And as far as Jari and people in can take it technically, everything can be broken.  Every encryption sooner or later will give way because computer technology enhances.  And to that sense and back to capacity building I think it's also vital to make users to not only trust on technology, also be smart on where they go.  
And so what I would like to know from the panelists, how far do you think can we take this with technology and how far should we aim our capacity building in raising that awareness and for instance as Paul said adopting other for instance legal matters to the reality of today's Internet?  And it's borderless and technological developments go that fast that it's almost impossible to keep up with legislative processes.
>> Thanks, Marco.  So technology is there but it's not necessarily easy for users to implement, how can we build capacity for users to use the network in a secure way.  Can companies help, can governments help?  
>> I guess to a couple of your points.  First, all encryption at any given time is unbreakable, otherwise it's not encrypted.  So this gets to be cat and mouse game which develops ever stronger encryption, ever better breaking tools, better, strong, encryption and so forth.  To answer your question there are things that companies can do.  Obviously disclosure and making it easier to use these resources; we're in the next month or so enabling SSL for free for all of our customers, in the hope that our network will get more secure and reliable.  There was one other point but I'm sorry it escapes me.  I hope it will come back to me.
>> NICOLAS SEIDLER:  Sunil, Jari and Christian and a very last round of questions if you have something.
>> SUNIL ABRAHAM:  The purpose of encryption is not to make surveillance impossible but to make surveillance more and more expensive.  So that's all we are trying to do.  
>> JARI ARKKO:  I agree with that.  There's no perfect security completely right but what we are trying to do is mitigate some of these threats at least to an extent.  It means reducing the number of parties that have your data, thinking about who you want to have your data with, thinking about what data you want to have to begin with anywhere.  And all of these things, I think there's no silver bullet here; we can't say we must solve this technology.  We also need the aspect of putting in more IXPs, regulatory aspect making sure the country can connect with our IXPs, the legal aspects how can we work in this global world with multiple countries, all of those things.
>> NICOLAS SEIDLER:  Christian?  
>> CHRISTIAN KAUFMANN:  All these kind of things are out.  But just barely anyone is actually using it.  If you look how many people are signed up to social media, to localisation services, they do not just tell your location what you're doing, your hobbies, all that kind of stuff.  Even upload pictures which afterwards no longer belong to you and then you have a discussion about which one is more secure after you've signed up with 20 different companies and 20 different countries where you pass on your private data, then I think the discussion of where you get surveilled and which kind of encryption you use is really not the point.
>> NICOLAS SEIDLER:  So some user responsibility as well.  A last question over there.  
>> AUDIENCE:  Hello.  My question is with the ITU planning board coming out, will binding legal instrument which prevents countries from doing arbitrary mass surveillance of citizens in other countries, will that be a solution?  
>> NICOLAS SEIDLER:  Any thoughts?  
>> SUNIL ABRAHAM:  So I brought this question a couple times before and I would like to request it again.  Give me one example of an individual whose rights have been infringed upon getting addressed through the multistakeholder model.  Multistakeholder is really open of the private legislator.  Governments really don't know how to regulate in this space, they don't have the competence, expertise, and therefore if the private sector can mitigate harm through self‑regulation then that's a good thing and everything should encourage it through the multistakeholder process.  
So if Human Rights cannot be enforced through the multistakeholder process you already know the answer to the question.  The trouble is whether the ITU is the right place for such an instrument.  We need hard law to enforce rights but does ITU have a track record of enforcing Human Rights?  If it doesn't, we might not have a fora where you will get the solution you want.  Thank you.  
>> NICOLAS SEIDLER:  Chris?  
>> I think that's a bit of a false choice there.  I mean, there's a few layers in between there, the multistakeholder processes end up influencing individual legal frameworks which end up being the place where people's rights are violated.  So I wanted to make sure the people aren't thinking we need something more directly to protect rights than the systems that we already have.  I mean rights are obviously under threat, but we have a lot of different mechanisms within the multistakeholder system that are working very hard at an international layer to help address this problem.  But I think the question is a very good one.  Christian was shaking his head quietly over here and I was pointing to Emma in agreement.  No I don't think there's a prospect have a high likelihood.  I don't think it's that easy or straightforward.  I'm not sure I would mind if that were to happen but it's impossible for me to conceive of it.  
>> NICOLAS SEIDLER:  Thanks, Chris.  I think that's a very interesting discussion that we could start now but it's the hour.  What we got from in issue there's no silver bullet for surveillance definitely.  There are technical legal aspects.  The government may be useful in some cases, more cables, providing privacy protections.  I think user choice to have good options to store that data is very important as well.  So I hope this has been an interesting discussion for you.  The dialogue is not over as I mentioned at the beginning this is part of a track at the IGF.  Is there anybody from CIJI who is organizing their workshop tomorrow?  Would you like to let us know when your workshop is tomorrow?  
>> Sure.  Tomorrow's workshop is going to look at the costs of Internet fragmentation.  Workshop room number nine starting at 5:00.
>> NICOLAS SEIDLER:  Short and sweet.
>> The project is going to be on Thursday at 2:30 p.m. in room 2 and deal with the question will cyberspace fragment around jurisdiction.
>> NICOLAS SEIDLER:  Thanks Paul.  Please join me in thanking the panel for this discussion.  
(Applause)

***
This text is being provided in a rough draft format.  Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
***