FINISHED COPY
NINTH ANNUAL MEETING OF THE
INTERNET GOVERNANCE FORUM 2014
ISTANBUL, TURKEY
"CONNECTING CONTINENTS FOR ENHANCED
MULTI‑STAKEHOLDER INTERNET GOVERNANCE"
04 SEPTEMBER 2014
09:00
WS82
ALTERNATIVE ROUTES PROTECTING
HUMAN RIGHTS ON THE INTERNET
***
This is the output of the real‑time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***
>> ALFONSO ALFONSI: Good morning to everybody. I'm Alfonso Alfonsi from Laboratory of Citizenship Sciences, which is a nonprofit research organization based in Rome, Italy; and I will be moderating this round table to which I am happy to welcome you; that is launched in connection with a European project, MAPPING, Managing Alternatives for Privacy, Property and Internet Governance.
Usually when a European project calls for an event on an occasion such the IGF, it's to showcase the results of their activity. In our case, it's almost the opposite. That's not because we have been lazy, but because MAPPING is a very new born project, it started a few months, even though it is up and running. And so our idea to intervene here is not to showcase results, but to present you with some of our main concerns and some very controversial ideas for which we hope to start a dialogue.
And in fact, a dialogue we're doing is a dialogue that tackles issues that are technically and difficult and complex and that are political value‑oriented and controversial. So that's what we plan to do.
And we want to do on investigating routes to protect human rights on the Internet that be alternative, not necessarily never tried before, but at least that we can do out of some mires, and sometimes we think the issue of human rights is connected.
And as I promised, they are controversial issues. They're not new; they weren't launched sometimes many years ago, but have gained new saliency and ought to have discussion about them.
The first one is the idea of a Magna Charta for Internet, or a framework and vision of protection of human rights. And the other idea that is connected with that is a possibility to have an area in the Internet ‑‑ somebody called it parallel Internet, somebody called it parallel universe, or whatever ‑‑ but an area in the Internet in which human values are better protected, are more respected, and there are maybe legal or technical ways to protect them.
So how human rights can be embedded in the Internet in new fashions that they are not now; how the human rights connected with the Internet in itself, with in the violation that are related to the opportunities that Internet nonetheless offers, and what opportunity for protection of human rights as we are come ‑‑ full stop. Human rights can be protected by the means of Internet.
So this is the discussion. It will be conducted by some of the project partners and other people among the speakers who are not in the project but know more or less about it. And they represent different point of view, different stakeholders, and we hope from the audience, the active audience, the participating audience ‑‑ hopefully so ‑‑ the one present here, and the remote one ‑‑ the remote moderator is John Bonnici from Groningen University ‑‑ to help us and set at least an agenda of issues to discuss that we will carry on for the four years of our project since now, hopefully with some of you.
So to introduce a little bit the project and the issues, I give the floor to Professor Joseph Cannataci, who is a chair in European information, policy, and technology law and is co‑director of STeP, that's Security, Technology & e‑Privacy Research Group at the University of Groningen.
Joe, please.
>> JOE CANNATACI: Thank you very much. Good morning, everybody. I join my friend and colleague, Alfonso, in welcoming you to the session.
We have quite a packed session so far as speakers are concerned. So ‑‑ there are at least eight or nine scheduled speakers; and then we will open the session to the floor. So we will be speaking for five, six minutes each and taking it from there.
As Alfonso mentioned, a part of the themes of the subject we shall be discussing ‑‑ which is, one, should there be an Internet treaty; two, should there be technical means of securing one or more spaces on the Internet ‑‑ are subjects which are actually as old as the hills, or as old as the Internet hills.
Those of you who are, well, as old as I am, would remember that in the early '90s and the late '90s there were several discussions in the United States and in Europe about actually these very subjects. The term "vulcanization" of the Internet was actually born in the 1990s too. And those of you remember the discussion before the very first IGF Forum will remember a big discussion on a treaty for the Internet. And here we are the 9th IGF Forum and there's no treaty yet except the Cybercrime Convention, which covers a number of different areas.
You will have noted that in March of this year Tim Berners‑Lee was reported on the 12th of March as calling for a Magna Charta, a Bill of Rights, for the Internet. And that was followed up also within a week by Jan Kleijssen, writing in his personal capacity ‑‑ though Jon the director of human rights at the Council of Europe ‑‑ and both of them touched on different ways that a legal solution can be found.
A legal solution is one thing; and a technical solution is another thing. The two can go together, or the two can go independently.
I'd like to make it clear, but insofar as the MAPPING project is concerned, we are pretty neutral about it. We have launched the discussion at the European and at the international level. We did so actually before Angela Merkel and President Hollande met in February of this year to discuss the so‑called Shengen zone for the Internet. We did so because as part of the scientific community we think that the discussion is due.
But I'd like to make it clear at the very outset that we don't have a position. We are neither for nor are we against, we are not pushing any agenda except the research agenda. And the research agenda is there to examine what options can exist.
I should say that this is the second public airing of the subject. In May of this year we had a conference, a very well‑attended stakeholders assembly in Rome, where the subject was discussed and which attracted quite a lot of interest, so much so that the discussion is going to be taken forward over the next year or two in the following way:
Firstly, the MAPPING project is setting up two working parties within its work package for as a follow‑up to the Rome conference. The first working party is going to deal with technical solutions, and the second working party is going to deal with legal solutions.
The working party on technical solutions will have a meeting in November of this year, followed by a follow‑up meeting in March of next year, 2015; whereas the legal working party is planned for December of this year to be followed by a second meeting in April of next year.
The results of both working parties, which will be ‑‑ we will be trying to attract as wide a stakeholder audience as possible will be presented to the MAPPING and the general assembly, which will take place on the 21st of September of 2015 in Hanover in Germany.
Those of you who are interested in following the discussion, please come speak to me at the end of the session. I will be very happy to note your interest and to keep you posted about the various developments.
As we said, this is very much work in progress, and it's not even a subject amongst which the members in the project are necessarily agreed. We are approaching it with an open mind, and we are looking forward to four years of very intense debate.
At the end of these four years we should probably come up with a road map of some sort and present that as a policy brief to both the European Commission and the European Parliament. At least that's our contractual obligation with the European Commission.
What the brief is going to say, what the road map is going to include, I don't have of a clue at this moment in time, which is why we are here, amongst other things, and I would like to leave at least half of the session as an open discussion on the matter in order to listen very carefully to what all of you have to say.
I'll stop here at this moment in time; and I will ask you, Alfonso, to continue moderating. Thank you.
>> ALFONSO ALFONSI: Thank you very much, Joe. And the discussion, of course, in order to be embodied to get fresh and bond has to confront with issues which human rights and the Internet are actually debated, and so a different contribution will present different angles on these.
And so in this regard I'm giving the floor Christian Hawellek from the Leibniz University of Hanover, Germany, who will look at the issues from the angle of privacy and all the complex areas that arise that are connected to it.
>> CHRISTIAN HAWELLEK: Thank you. Thank you, Alfonso. Good morning, everybody.
Yeah, actually, privacy is one of the three main pillars of the MAPPING project. There's intellectual privacy, there's Internet governance, that's the more general than theme than just privacy. And obviously privacy has been, I would say, as much discussed in context with the Internet in the last fourteen months as it has never been before.
Why is that? Well, obviously because of the revelations and context of the NSA affair; but I think now and even on a broader level this is where all the ideas about Shengen routing have come from partly.
And to come back to the theme which we are addressing, this workshop on human rights, I think it's not only privacy which is at stake but also other human rights, freedom of speech, freedom of information, which are all based upon, as it comes to the Internet, a free Internet to some extent. There's always a field of tension which you need to keep in mind.
Privacy in the Internet, in my point of view, is pretty closely related to data. I mean, in the offline world that's not necessarily the same, but in the online world one can say that data protection and privacy are very closely connected if not even possibly identical. But it's not only data protection which is at stake, but also data security. And it's not completely the same, because the perspective is slightly different. I'm going to talk about that at the very end of my speech.
So data protection on the Internet, the first thing which may come to our mind, especially in the context of the most recent debate, is our own government, foreign governments, or even the private sector, spying at our data; getting access to information they shouldn't have access to, or not to the extent that they do have access to, and so on.
So from a legal perspective ‑‑ and I to have a legal background, actually ‑‑ that's the classic status negativa. So you want to protect your fundamental rights, your human rights against the state. That's obviously the one big theme in privacy and Internet which are there.
But I think it doesn't stop there. And this is most probably an interesting thing to address that from another perspective occurs. It's not only that you have the right to defend your human rights, your fundamental rights against the state, but also that the state has to provide an environment where you can exercise your human rights.
So now coming back to, for example, freedom of speech, it's not only that I should not be afraid that if I utter my opinion on the Internet that I will be prosecuted by my government, but also that my government has to make sure that if I utter my opinion, nobody else is going to attack me for that.
And this is a very important discussion in the very last weeks in Germany, because what's happening these days in my country is ‑‑ and possibly that's the same in other countries; I simply don't know ‑‑ because of the conflict that we have in Iraq ‑‑ we have a relatively large Muslim community in Germany also ‑‑ there have been a couple of voices who have been very critical about the Islamistic movements in Iraq. And what actually has happened is that Salafist movements in Germany have attacked certain individuals who have criticized the ‑‑ the Islamistic terrorist groups active in Iraq. And there have been shop burnings and houses have been burned and things like that.
So coming back to the question of privacy on the Internet, it's not only about that I should be safe from being prosecuted for uttering my opinion by prosecution of the state, but also by anybody else. So what I would expect the state to do as well is to get an idea of what's going on in the extremist groups and to the which extent this imposes a threat on my human rights.
And now we come to the critical point here, because that obviously creates a field of tension; it's a trade‑off of privacy to some extent also. Because in order to do so, in the time where most of the communication actually takes place online, there is a certain of need for the state to actually wire tap communications in order to, on the other hand, guarantee me having the possibility to exercise my human rights. Because, for example, they would need to put under surveillance those people who actually, for example did the shop burnings and so on.
So its a question which doesn't find an easy answer. And it's also a question which I'm not going to answer here, but one of the main themes of the privacy pillar of the MAPPING project to kind of balance these two.
Because I have the feeling personally ‑‑ that's my personal opinion ‑‑ that it recently is addressed from the one perspective saying, I don't want the state to listen to my phone calls and to read my emails, but I don't want anybody else to attack me for uttering my opinion. And therefore I also, to some extent, want the state to read their emails ‑‑ which is of course a controversial statement, and I'm aware of that ‑‑ to make sure that the threat is encountered with the right measures.
So all in all I would say there's a triangle ‑‑ and this the outset and the outline of the discussion we have on the privacy pillar ‑‑ a triangle of interests: One is of course the privacy of the civilians; the second is the security, because you need a safe and stable environment for prosperity and also to exercise your own human rights; and the third ‑‑ and this leads me back to the data security theme ‑‑ is ‑‑ to some extent one could put that under the subject of economic well being ‑‑ we have‑‑ that's also something which comes up again and again with the NSA affair, actually ‑‑ we have a lot of innovation in Europe, for example, in small and medium enterprises. And typically they're not necessarily in the position where they can easily defend buyer intellectual property against cyber criminality and cyber espionage, be it by foreign governments, be it by other enterprises, be it by criminals who simply try to sell the information to anybody who is willing to buy it.
So data security is another big issue which has been widely ignored ‑‑ I mean, it has discussed, but like on the substantial level, especially in practice, it has been widely ignored for a very long time.
So these are the three pillars which kind of form the triangle which we consider the field of tension of interests which need to be balanced against other. And within this triangle, circling around the privacy, we would like to frame the dialogue we're going to have over the next four years.
Thank you, Alfonso.
>> ALFONSO ALFONSI: Thank you, Christian.
And it's important to look at privacy as a complex form of protection of the possibility to express oneselves freely and move oneself freely on the Internet, not only negatively but also proactively and positively.
And it was mentioned that another pillar of the MAPPING project is that of protection of intellectual rights. And this is the angle from which Oleksandr Pastukhov participate in the discussion. He's from the University of Malta and an expert in this field.
>> OLEKSANDR PASTUKHOV: Good morning, everyone. And thank you, Alphonso. Thank you for being here this morning.
Whether we like or not, parallel universes or parallel spaces, parallel cyber spaces are a reality. Those spaces can be achieved by using technology, legal regulations, or the combination of the two. If we're talking about the technology, we have the stand‑alone systems, the networks that use their own wires and routers. They have different worlds entirely, they are parallel cyberspaces.
Then we have the networks that use the same underlying infrastructure as the Internet does, but they're using their systems of addressing routing, their own DNS route service zone. So they are the yet another category of parallel universes.
And finally, we have the whole world out there, the world behind the firewalls. All the proprietary networks, such as the VPNs. And we have very little knowledge of what's going on there. Technically speaking they are part of the Internet because they speak the Internet lingua franca, the TCP/IP. But they are their thing of their own, and nobody really knows what's going on over there.
So on the other hand, such parallel universes can be created by the use of legal regulations. If we're talking about intellectual property, those parallel spaces are created by the fact that different governments are prepared to go ‑‑ it depends on how far different governments are prepared to go in enforcing intellectual property rights.
In Europe Internet users don't like intellectual property, just like anywhere else, but at least in Europe intellectual property rights are human rights, just like any other property rights; and the governments are under the obligation to enforce those rights. What is different, though, is that even within Europe there are countries where file sharing won't get into trouble. There is another group where ‑‑ of countries where you can run into some troubles. You can get disconnected from the Internet. I'm not naming those countries ‑‑ and there are countries where you can go to prison for file sharing.
So users in those countries or groups of countries live in a sort of parallel universe.
So to summarize, I would say that I wouldn't be allergic to the very idea of living in several parallel universes at the same time; being able to use them at the same time from the same machine, probably by switching between several open windows. We already do that, actually, with many applications.
My only reservation would be that I wouldn't want government anywhere close to the creation of such a network. I would say that the governments would have to specify the technical requirements for such a network, but governments being governments, they would want to be back doors, they would want things that we saw during the negotiations on the ACTA. ACTA itself would create a whole new parallel universe, a constellation of countries where ISPs would be forced into the role of sort of IP police; where they would be forced by the governments to monitor the Internet for other reasons under the pretext of enforcing IP rights online.
So I would say just let's have governments involved as a night watch, as a trendsetter, as a source of the technical specifications, but nothing further than that.
That's all for me for now. Thank you very much.
>> ALFONSO ALFONSI: Thank you to Oleksandr. And he made an interesting point, the fact that these parallel spaces in Internet are a reality already, not something to discuss; about ‑‑ the issue is how they are taking shape and whether there is also a democratic human‑value‑oriented opportunity for them to even shape, while in other cases they work reverse to some extent.
So this I think can be an interesting point or a next angle that comes from civil society organisation, and Bogdan Manolea from the APTI, Association Technology and Internet in Romania.
>> BOGDAN MANOLEA: Thank you.
I would actually disagree with Oleksandr as regards a parallel universe unless he meant Facebook as a totally cyberspace on the Internet. And we can discuss if that is good or not.
But coming from a civil society perspective, we saw a number of attempts to, let's say, vulcanize the Internet. And we pretty much think that actually we need one Internet, we want to push in that direction.
And of course we've heard about the French and German leaders that met and talked about the Shengen cloud human rights Internet, as they call it. And we have actually no ideas about the details about what they discussed or how exactly they were planning to do that. And we just need to think about how would this perfect human rights Internet look like. And the optimists will see it like this is an Internet where the rule of law is the basis; where human rights are expected; where European Court of Human Rights decisions are being respected; where the European Court of Justice decisions deserve our attention, or the right to be forgotten, are taken into consideration.
But I'm not the optimist. I'm a pessimist. So I remember other things. I remember that one of the presidents of one of the pillar countries in Europe ‑‑ this is former French President Sarkozy ‑‑ wanted to civilize the Internet in 2011. He made a big G8 conference in order to explain how now Internet now is a lawless space and we need to civilize it. So probably he meant that he wants to turn the Internet into a space where government has full control.
But ‑‑ and of course that was very critically received by the civil society and the technical community at that time. And he wasn't reelected, so for the moment we got off the hook.
>> AUDIENCE MEMBER: As for now.
>> BOGDAN MANOLEA: As for now, yes.
And we also remember the fact that in the European event that we ‑‑ I'm not aware exactly where it took place and who said it, someone proposed a vehicle, Schengen border, and with vehicle access points where all the Internet service providers would block illicit content on the basis of EU black list.
And this happened in 2011, and there was a quick reaction from civil liberty groups and ask, what is illicit content in your view, and how would block it? And how would you actually make sure that innocent websites are not included in those black lists?
And on the black lists you will see old and new examples about showing that the problems are being repeated. I'm just remembering the Finnish case when the website that talks about why blocking is bad is being blocked, or the new examples for UK where recent weird and totally untransparent system makes unavailable certain websites just because they do not fit into to the maturity view. But they are just content websites.
And also Broadband providers or ISPs will be concerned by this proposal which will imply more or less Europe‑wide censorship.
Now, luckily that proposal didn't go forward, at least for the time being. So if we're even considering a Shengen border human rights Internet, aren't we actually fueling other initiatives that are going in the opposite direction?
Aren't we actually directly supporting Internet ‑‑ let's say, country that ‑‑ countries that want to base their Internet blocking, filtering, or surveillance ‑‑ like happened in China, in Iran, or in even Turkey ‑‑ and probably if you want to listen more about the Turkey situation, you can go to the governance forum that takes place today and tomorrow.
And situation gets more and more complicated as we see ‑‑ we see clashes between countries that are going closer to Europe and ‑‑ and in my case, in Romania, closer to our country.
And I was just looking at recent Ukraine‑Russia conflict with Crimea, and we found out that actually the Russian ISPs are blocking the ‑‑ are filtering the content from Crimea. I found out yesterday from a friend. Then we found out that once the territory is conquered by another country, the ISPs are changed. So they impose different rules on how to show certain Internet web pages and not show the others.
So in the end I would go back to the vulcanization. Because this has been a bad word for Balkans. But we met yesterday morning with a few friends from the Balkans, and we decided we need to have a positive approach. So let's change the meaning from a negative approach to a positive approach.
Because right now people from the Balkans are just meeting at conferences and other events, and they talking together, they are not divided as it used to be like ‑‑ like in 15 or 20 years.
And the Internet, just show us that and give us the tools and the possibility to do that. So in order to enhance this collaboration and discussion in the future, I think we need to keep the things very simple, which is one universe, one world, and one Internet.
Thank you.
>> ALFONSO ALFONSI: Thank you, Bogdan.
And as I promised, the views are different, and there is a lot of debate in these. And it's important to document all these uses that imperil human rights in the Internet by separating the big challenge or big question, which is can there be uses in which they can instead be made more secure, as least as effectively as those who make it less secure are doing it now.
And to continue the discussion and having ‑‑ bringing in even more points of view, I'm giving the word to Patrick Curry from a different area, they call that the business community, from British Business Federation Authority. Many other experiences as well.
>> PATRICK CURRY: Thank you very much, Alfanso. And welcome to everybody. My name is Patrick Curry, as Alfanso has just said.
Not only do I have this organisation, BBFA, which is to enable federated trusts across supply chains and with governments, but I also lead a new alliance for sharing cyber security information or helping organizations to share.
Because one thing that we worked out collectively is that we have to work in communities. And the Internet is all about communities; which means we have to have some kind of collaborative governance. And I'm going to keep emphasizing this word "collaboration" and "community."
I'm not talking about control. I'm ‑‑ so that it's very much community behavior.
So for me I'm heavily involved in governance, I'm heavily involved in standards, I'm an ISO editor, and I also work with ITU and ITEF. I work in the United States, but I also talk to China.
I chair two of the subgroups that are under the EU cybersecurity strategy on instant notification and risk management, and I will mention more about that in a minute.
So what I wanted to bring out, governance is about policies to meet your objectives and the risks to those policies. It's about behavior.
So a community gets together because it wants to do something, and it agrees collectively what that is, and it agrees codes of behavior ‑‑ which will be based on laws and so on, but not just laws, it's about policy. But I also need to make sure that we have the means to make sure that everybody is abiding by those policies and agreements. Otherwise it doesn't work. That is what governance is about.
And it doesn't mean the state is in control. There are many other ways to do this.
So if we're going to talk about human rights, that's great, and I completely support all of the primary pieces of human rights. Those of you that have met me already know that I'm very involved in child protection. But to make this work, we need ‑‑ the Internet is about interaction in communities by individuals. And those individuals can be individual organizations, people, devices, nations; they are still individuals.
And the community must take control of that. We have a tendency in ‑‑ particularly in western societies where consumerism dominates, to assume that it's somebody else's responsibility all the time. Make it good; it's not my job; somebody must.
So who is somebody?
And are they in my community, or my community of communities?
And within that community we've got to remember that we're talking about the vulnerable, the young, the old, the inexperienced; not the Jedi Knights of the Internet that we have in the room today.
Now, if those people need help, they need guidance, and in many cases they need a carer or a proxy, somebody who can act on their behalf to make sure they don't go into harm's way.
And I give an example. Korea has passed a law to give parents ‑‑ for ISPs have to give parents controls to be able to protect the interests of their children.
So there is an example of a country that has really set a mark for how they want to see behavior in the future. And as a result of that they've taken that to ISO, and there is an age‑verification study taking place ‑‑ I happen to be one of the rapporteurs for it ‑‑ which is looking at how we can get a baseline for age verification, not just for children, but for people of any age ‑‑ old people ‑‑ who need help, who need to have carers.
So looking beyond that, then, if we're going to talk about the Internet, we need to have a concept of normal operation. Because if we can't agree what normality looks like, then we can't agree and we can't identify when things go wrong.
And so what I would bring out in this, any governance must have a risk management component. And there are five primary areas to risk management.
First of all is the risk identification. And unfortunately the young and inexperienced who need to discover and learn put themselves in harm's way a lot. So they are a risk to themselves often. We need to help them.
Once risks are identified, we need to prevent the harmful side of those from occurring, if we can, which is why we have lots of anitvirus software and lots of other things. But we need also to detect when things go wrong. And we're finding more and more as threats change that affect individuals at a very low level, the need to detect policy violations is really vital. And we need to be able to respond to those threats, otherwise there will be harm done.
And ultimately we need to recover back to normality, which is the whole reason why we use the Internet in the first place, whatever that reason was.
So yes, we do have some differences of views. And I would just mention here, we need to talk a bit about the Internet itself. Because it means different things to different people. Personally, I think I have to be able to root on the Internet, it must be technically possible ‑‑ I might be blocked ‑‑ but it must be technically possible at the IP level to reach some other network, or it's not on the Internet.
So we can achieve separation, as Bogdan and Olek have said, in many, many other ways, but still be on the Internet. And this, if you like, is the parallel universe concept.
But I'm with Bogdan, I think there's only one universe. We can have that discussion.
The critical thing here is about information. It's not actually about legislation, and it's not about technology. They are enables, they are disrupters, they are part of the problem. But the issue is about information. If the information is not there, or it's not good, why do I want to use the Internet?
So we have this tension, then, between the logical piece, which is this boundriless environment where we have the freedom to discover information. But we also have the fact that it exists on servers that exist in countries. And those countries want to exercise jurisdiction over networks.
How do we deal with that?
Well, this gets complicated more by the fact that there are three primary webs. There's the surface web, which we all know; there's the deep Web, which is much bigger, but is what runs the Internet; and there's the dark web, the like of which tour network where anonymity prevails. So the point being here, if we're going to move forward, is that trust is the critical issue that is going to define the use of the Internet in the future. And that's what communities are partly about.
So the issue now is getting the mechanisms in place for trust, and that's what a lot of the standards work is about, that's what's feeding into the EU activities and the U.S. activities, and also in the Far East.
So we're seeing in MAPPING already, a fully international dialogue ‑‑ not just in EU ‑‑ feeding into this. And so this is going to be a very rich journey and a rich experience.
Thank you.
>> ALFONSO ALFONSI: Thank you very much. Patrick raises a lot of good points, but also it's ‑‑ he brought back the sometimes forgotten other face in the mirror, that information travels in Internet, it's located in some physical place somewhere, under certain physical condition, certain legal condition, and jurisdiction. And this brings big issues related with all that we have been discussing, that of jurisdiction. That will be touched also by the next speaker, that's Meryem Marzouki, who is the National Centre of Scientific Research of France, Centre Nationals Scientific.
>> MERYEM MARZOUKI: Thank you, Alfonso.
Like the previous speakers, I'm not a partner on the project, but external advisor to it. And I'm really grateful to Joe and all the MAPPING project partners for their invitation today.
As Affonso said in his introduction, the MAPPING project relies mainly on three pillars, which are privacy and intellectual property rights, that were presented by previous speakers, but also the third pillar is Internet governance. And one aspect of Internet governance that is still not resolved, and as I see it, it is the main aspect of Internet governance, is the issue of conflicts of jurisdiction.
The question I ‑‑ I'm not sure we can ‑‑ anyone can answer as for now, the question of whether we should only one universe or parallel universe, I would say, many universe, many different universes, not parallel universes. The point ‑‑ we also have to take into account that these different universes already exist; but the main point is that if there are different universes, what is important is that they can be smoothly articulated; from the technical point of view, this is called interoperability. But there are also many different perspectives. And one very important perspective is a legal perspective, and among them one very important perspective is the legal perspective. And we have to think about a way to solve this issue of conflict of jurisdiction.
This is a very old issue. As Joe mentioned, many of these debates are being discussed since the early '90s. And the issue of conflicting jurisdiction has been hugely discussed in the '90s through the Yahoo cases. Maybe if you are as old as I am, you can remember this case, it was a case of freedom of expression and conflicting views of ‑‑ to sum up ‑‑ of freedom of expression between France and the other European countries and the United States' vision.
So have we made progress, any progress since then, 15 years after.
My answer is no, definitely no. And we could consider us lucky if we are not ‑‑ we haven't gone backward since then.
Let me illustrate this quickly with two cases, court cases, one in the U.S. and one in Europe.
In May of this year a New York court ruled that private emails and other personal information of Web users can be handed over to U.S. law enforcement, even if these data are stored on servers outside the United States. So this of course concerns all the cloud companies with their cloud servers that are hosted in different parts of the world when there is a valid search warrant from one country.
This ruling has been issued following a challenge by the Microsoft company of a U.S. government search warrant concerning user information hosted on a server ‑‑ on a Microsoft server located in Dublin, Ireland; in Europe.
This ‑‑ very recently this judgment was upheld by another U.S. court, the U.S. District Court in Manhattan; but the enforcement of the judgment was delayed so that Microsoft can appeal this judgment. And Microsoft said that it will appeal the judgment. And before this appeal, if Microsoft won't to hand over the data to the U.S. government.
And I would like to highlight the fact that in the recent ruling, the judge said ‑‑ and I'm quoting here ‑‑ there is no difference between the company's own records and a customer email. So the U.S. judge considered that this email, this data hosted on a U.S. company's server, can be ruled under the U.S. jurisdiction.
We have here conflicts of jurisdiction while there exists already a treaty, an international convention signed by ‑‑ and ratified by the United States, which is the Council of Europe Convention on Cybercrime, supposed to be able to rule this kind of transborder access to data. We also have mutual legal assistance treaties, but obviously the U.S. court, the New York court, didn't recognize this kind of treaties. So this is the first example.
The second example, in Europe, is the one‑known ruling by the European Court of Justice on ‑‑ in the case opposing Google to the Spanish Data Protection Authority. And this case is better known as the Right to Be Forgotten case. And the problem ‑‑ there are different views and different analysis on this ruling ‑‑ but the problem that I see here is that on the one hand, the Court has decided that the European Union law applies to Google, given it has created an establishment for the promotion and sale of advertising space directed at member state people.
And now any individual can request Google to remove any search result under the condition of the data protection directive. Not only we have here another conflict of jurisdiction through this affirmation of the right to be forgotten, but its ruling is making a corporation, a private company, is considered ‑‑ as a kind of first level jurisdiction, because it will remain to Google to decide whether this is ‑‑ the request received is a genuine request under data protection laws and that this request should be fulfilled.
So we have ‑‑ although I recognize, of course, the importance of this affirmation of the right to be forgotten, we have a big problem here with a ruling by the European Court of Justice giving these kind of rights and responsibility to a private company to make a decision that obviously might breach fundamental human rights of Internet users.
So with these two examples, what I wanted to really highlight is that, even though we have some treaties already, like the Cybercrime Convention, we ‑‑ the problem is with the application, the recognition in practice by different courts to really realise and to really solve these conflicts of jurisdiction. So when I say with all due respect to Tim Berners‑Lee and his proposal, when I see this kind of proposal, bill of rights, magna carta, whatever you want blossoming and ignoring at the same time the real corpus of text of law, even nonbinding laws through instruments like the Council of Europe Human Guide For Human Rights of Internet Users that has been just adopted, I would like to see people having more realistic position and really work on the application of the existing corpus of documents and instruments that already exist.
Thank you.
>> ALFONSO ALFONSI: Thank you, Meryem.
And to bring together big ideas with a realistic approach, looking at the social, physical, economical, jurisdictional conditions for these ideas to go around is enough time. We are making it important to help ‑‑ we have been returning to the issues of governance that the third pillar, as was said, of our MAPPING projects, and also too the discussion about the frameworks, treaties, agreements that can make the governance of the Internet improve.
And I think this can touch also on the last speaker, but not least, of course, is Nevena Ruzic, who is a vice‑chair of a bureau to a Consultative Committee of the Council of Europe on data protection.
And afterwards we will start the discussion. Thank you.
>> NEVENA RUZIC: Thank you. Good morning, everybody. And thank you for inviting me to join this panel.
Actually, Meryem mentioned something that I already ‑‑ that I wanted to talk about, like should there be an international treaty or if in fact there should be one, whether it could be possible. And here we come to the complexity of making an international treaty in general.
Joe mentioned how little has changed since the beginning of the day, and I also remember in 2003 when the world summit on information society was organised in Geneva and the establishment of the working group on Internet governance was done. We ‑‑ we could see that there is no agreement about the main notions about the Internet. For example, back then spamming was one of the problems, and we couldn't agree how to define spams in general, but to see it only as commercial messages or messages that might also be practicing freedom, freedom of expression.
And it seems like although we don't talk about spam anymore, it seems that we are still agreeing whether we certain notions, and if we do, to what extent. And this is applicable even in those jurisdictions that on this face or because they're belonging to similar legal traditions are being more or less the same.
But this is not ‑‑ this is not the case. Even in ‑‑ under European convention there are so many different opinions, or European Court of Human Rights calls it margin of appreciation for state to state, how they see some expression or somebody's privacy being violated or even breached.
And Christian mentioned something that is also applicable to at least European framework when it comes to human rights. He said that states should provide an environment where human rights can be enjoyed. And that's really the case in Europe, at least.
Because European countries have this paternalistic role towards their citizens, they need to educate and make an environment. And the European court would say they have an obligation to do that. Failing to do that, the state is joining private entities ‑‑ it can be even a natural person ‑‑ in violating one's rights, and ultimately it's the state to be blamed, not the individual that in the first place breached somebody's privacy or freedom of expression, even if that means protecting one's copyright.
So this the positive obligation.
And when Bogdan was mentioning about different barriers, we often come to freedom of expression that is there also when it offends, shocks, and disturbs. And that's quite known in many European courts of human rights decisions. So what might appear shocking in one particular case, by the end of that year it might be a legitimate exercise of one's freedom of expression.
And we come to values and what are the values that we want to protect, or rather to promote, because perhaps Internet is more a forum of promotion, and protection might be dubius when it comes to application of rules and jurisdictions and national laws.
And unfortunately, being a lawyer, I have to agree with Patrick that law often is a problem and can be seen as a problem. But that's because the initial premise was a little bit misplaced, actually.
So when we come ‑‑ when we talk about laws, then we actually first need to see whether there is a problem. And if there is a problem that is bothering us, whether that's solvable in one way or another. And then we come to question whether the law would be an instrument to solve the problem.
We often skip those initial steps, and we take the law as something that will solve the issue, but we don't need to have something legally binding, binding documents.
So this international treaty that we're talking about could be a standard‑setting document, for example, promoting values we want to promote.
And also when we talk about international treaties, if the law is needed, whether that is feasible, taking into account the discussions for like 15 years back, whether that's possible, and who would be involved in that. Of course multistakeholder approach is needed, but how do we achieve it?
This is also the questions that were asked or proposed back in 2003 or 2005 in Tunisia and ever since then.
And then we come to Council of Europe, which I can also represent here, but mainly from the perspective of personal data, data protection, and some other conventions. One of them was already mentioned, Cybercrime Convention. That is open to signatures of nonCouncil of Europe member states, but it's also the case with other conventions.
For example, it's also the case with the Convention on the Protection of Individuals with regard to automated processing of personal data known as Convention 108. Data Convention, the first binding document on data protection in the world, because it's open to ‑‑ to nonCouncil of Europe member states. And perhaps this could be a way to think of international, not umbrella treaty, but maybe separate rules and separate values, and then we can come having a legal framework, international legal framework protecting that.
What is difficult for ‑‑ at least from the perspective of Council of Europe ‑‑ not council in Europe, as I'm not presenting the Council of Europe here, I'm rather more as a member of one of the committees, but as a person also coming from one of the member states of Council of Europe, is for example, this Google case, judged by the Court of Justice of the European Union. And also what Oleksandr was saying about the attempt to adopt an Act that is counterfeit international treaty, that may be potentially possible for ISPs or other intermediaries to act as law enforcement agencies.
We come to privatization of human rights protection and enjoyment. And this is difficult to understand, especially, as I said at the beginning, it's actually the state that would be responsible for the fulfillment or the enjoyment of human rights. So we go in the circle; and there's no answer. I mean it's a good exercise, and whether there is an ultimate answer to that, I don't know; maybe in four year's time we could ‑‑ or you could come up with some suggestions on whether that would be needed and whether that would be feasible, and if so, how.
Thank you.
>> ALFONSO ALFONSI: Thank you very much.
And the issues of a possibility to have a treaty in terms of standard‑setting document, the institutional of feasibility, and this very last point. One start to think of enforcing human rights and the governance of Internet as a mutlistakeholders act, then the relative roles, what stakeholders are empowered to do, what should be empowered to do, that's a huge issue. And we hope to discuss it at least and come to some lines in a multistakeholder discussion as well.
Now this opens I think very well the discussion to the floor. If you can equally stay concise in your intervention, one, two minutes, we can have a meaningful array of point of views, and then the speakers can react in a way.
Please, when you speak, tell your name and your affiliation.
>> AUDIENCE MEMBER: My name is Shreedeep Rayamajhi; I'm currently the ISOC ambassador; I'm a lawyer, and activist.
I strongly believe that protecting human rights on Internet, it has a ‑‑ there's a greater role for the different stakeholders; especially the role of the government is quite crucial. In a country like Nepal where we are growing, the role of government has been pretty rigid. Rigid in terms of recently two ‑‑ two people were arrested just for commenting on the status of a national daily about a corruption issue and writing something about a home minister.
I strongly believe, yes, private stakeholders do play an important role; but most of the times they are either intermediated, or they have their limitations with that, especially looking at the developing countries. I'm talking about the developing countries' perspective.
More than that, Internet is all about freedom. If you take the freedom out of it, then I think there is no use to it. Freedom is what makes it attractive.
So using something like software or, you know, making it more restricted is something that is wrong to itself as well as the coming up generation is more smart. They are more smarter than us; right?
So I think I strongly believe that focussing on core values of how to use Internet, about what to do, when to do, things like this should be more focussed and concentrated; rather than putting, you know, software and blocking it or making it restricted.
Yeah. Apart from that, about international treaties, you know, international treaties certainly help, and certainly help for governance. As we come down to the lower group of the chain, things defer radically on our side of the world; it's the state that counts. It's the state that is working. Because state is in power.
So I believe that with such a platform like this, we can share, we can ‑‑ you know, we can share opinions and we can talk about it and come up to a more better solution of making ‑‑ of creating a better governance with government as the stakeholders.
Thank you.
>> ALFONSO ALFONSI: Thank you very much.
>> PATRICK CURRY: So we all had a little piece of time there; it may have seemed a long period.
I brought up trust because it's come up in nearly every session I've been in since I have been here. And I would like to point out that what underpins this is the requirements for authentication. How do we know that people are who they claim to be, organizations know who they claim to be?
So I give you an example: 76 percent of the organizations that are financially active in the United Kingdom are not registered in the U.K. or they're not registered at all, and we can't tell the difference.
And I suspect the situation in our countries will also be less than they desire.
So what we've got is a lot of fake things happening on the Internet; which creates a lot of economic damage. So our working figure at the moment for cybercrime is well above 2 trillion dollars a year, and for IP theft it's more than 6 trillion dollars a year. So we're seeing new attack vectors every day.
So it will not surprise you, this is a journey of change and of measure and counter‑measure. So we're seeing new technologies.
So the requirements for authentication in these devices ‑‑ and we have more devices with more applications and more data and more users and more change.
So when we go through this journey for MAPPING, we need to be clear on we're going to see a lot more change. We have to anticipate that.
But the cornerstone in any trust environment is the requirements for authentication and authorization. Now, before anybody gets alarmed, that has scope for anonymity, and for partial anonymity. And we need to communicate these concepts to people.
If it's appropriate for you to be Mickey Mouse on the network, that's fine. But if I'm dealing with your health record, it's probably not fine. So we got to get a sense of balance in here. And that underpins a lot of the day‑to‑day realities of the human rights we've been talking about.
So we would welcome any questions on more of the details of some of these features, because they don't exist on the Internet today. You can't authenticate from one country to another very easily across systems.
>> JOSEPH CANNATACI: Yes, I think that it's important to emphasize a couple of things which have been mentioned. And perhaps start going into a bit more detail.
Firstly, when we're talking about communities, and you ask yourself the question ‑‑ and if we can look at the Internet not only as a network of networks, but a community of communities. Right?
When you look at what's going on and you ask yourself, okay, what do you want to fix exactly?
What's exactly the problem?
Which human rights do you feel are particularly being infringed upon, and what legal or technical solutions are you looking at within the MAPPING project?
Well, firstly, I think that when you look at the technical infrastructure, we tend to look at it at the second stage to see if it could offer solutions. And I can get back to that in a minute picking up on what Patrick said earlier on routing. But if you look at the current situation, you say okay, so is privacy covered insofar as mass surveillance is concerned?
Do we have a legal framework which tackles the protection of citizens in the scenarios that were described by Edward Snowden than others?
How do we want to do this if nation states ‑‑ some nation states don't want to play ball?
And frankly, that is not a new problem. As already mentioned by Meryem Marzouki, this problem is an old one which goes back a very long time.
For the lawyers in the room, or for the nonlawyers in the room, perhaps I should remind you what happened in the scenario for copyright. Europe and whole chunks of the world started discussing copyright way back in the 19th century; and tried to do something about it called the Bern Convention; and the United States refused to play ball. Right? It refused to play ball until 1966; almost 100 years past before the universal copyright convention came to be.
And same can be said of a number of other attempts, whether we look at the international Maritime convention, or we look at issues like piracy, or highjacking ‑‑ it's because community comes together and says, I don't want any more hijacking, I don't want any more piracy, or I don't want any more illegal copying of books.
It's when the communities come together and say we have a problem, we want a remedy. And in this particular case, certainly, when we look at the legal framework, the legal framework does not at this moment in time offer remedies in a number of situations. Firstly, the Cybercrime Convention, which is the only treaty which currently exists insofar as the Internet is concerned, it only covers issues of interest to law enforcement. It does not, therefore, respond to the question of what do we do in the case of national security and mass surveillance. It is beyond the scope of that legal instrument. So we have a problem there.
When we look at the Data Protection Convention, which Nevena has mentioned, that was indeed the mother of all legal instruments when it comes to privacy and data protection; but it does have a number of exemptions, derogations, when it comes to national security. But that was the best part of the law 30, 40 years.
Has it been defined further?
We need to define it further.
Certainly in the post Snowden era, it seems to me we need to define it further.
If then we go to the next stage, how are we going to get countries to agree about this, I would tend to disagree with colleagues who see no role for the nation‑state. I think that we have several dozen, possibly hundreds of examples where nation‑states finally got together and did something sensible; and obviously they had to be pushed forward by the community; right?
Up to now, until recently, there weren't no votes in privacy. Right? It's only quite recently that more and more people have started awakening to the implications of what's going on.
When we come to how it can be done, having served as not only chairman of the Council on Experts of Data Protection, but also as a member of the group which drafted the Cybercrime Convention, it can be done. Slowly, very slowly sometimes, but surely; and certainly bringing some countries to the table sometimes is quite difficult.
From the technical point of view, whether this can be helped or not, whether the legal process can be helped or obstructed from the technical point of view, I would say that there are many ways to skin this cat.
Many users of the Internet are not actually aware that when we talk about the Internet, we actually have at least technically, from a routing point of view, two Internets; right?
It's only when we look at IPv4 and IPv6 ‑‑ right ‑‑ and the routing that takes place over there, had it not been for the way most people's browsers work ‑‑ right ‑‑ there would be no bridging between the two.
The way that things are designed to work these days, it's pretty transparent to the user. But in reality, technically we have ‑‑ we have now two separate protocols, and we can add more if we want to, if it's desired.
Whether you bridge them and you connect and you seal, the issue that arises takes us back to what Meryem was saying about jurisdiction; right?
Even when it came to the Cybercrime Convention, if you look at the Cybercrime Convention, you would find out a clause which says, if two countries shall disagree about this jurisdiction, they will talk about it. Basically even then, when the Cybercrime Convention came into being, the countries could not agree about jurisdiction.
And I think we would have a lot more fun about that.
But I suggest we open the discussion further to the floor, and if anybody wants to follow any of those issues, will be more than pleased to do so.
Yesterday I can tell you that it took several mugs of beer before ‑‑ and various other drinks while we weren't discussing this, took much longer than it's taking here.
Thank you.
>> ALFONSO ALFONSI: We are approaching the end, and want the next to last word on this.
If there are not, I can wrap up a little bit.
And first of all, I would like to recall to everybody interested that the MAPPING project, as we said, is a four‑year‑long exercise that is conceived as a forum or a system of fora for informal discussion on the issues that we have been presented in the three areas of privacy, property rights, and Internet governance.
There will be general assemblies of stakeholders; there will be, as Joe was mentioning, working groups. A programme, interested in the inside.
We will be around here today and tomorrow. And also at the counter of DiPLO, there is some materials. Everybody is invited to write to us or to contact us.
Just in a few minutes many points have been presented. I would like to stress at least two things.
First of all, as we have been speaking of the Internet as an area of freedom and possibilities; but also we have been brought out with freedom and with possibilities, but in unprecedented possibilities for human subjectivities, for human communities to express themselves, at least on the surface of the net. These unprecedented possibilities are constantly challenged, anyway, the freedoms are challenged. The opportunities bring together risks that need to be addressed, and remedies need to be found.
So lastly, the option is not to guarantee liberty, per se, but it's also an option to leave some threats, some hazards unchecked and unmanaged. So what we are interested in is to find alternative ways in which these opportunities for humanity and for communities can be protected effectively. This entails agreements, this entails technical solutions in an environment that's constantly changing and transforming.
So the governance of the Internet is a governance of transition, a transition usually as a side that is not very ‑‑ it produce itself as a bridge, as a huge number of factors. And we are a huge number of factors, from technological innovation, the technology made by the different actors, that simply accumulate and create a certain direction.
And then there is the other side trying to give guidance, to go from a regime to another regime in which the opportunities are fully exploited and the risks are better checked. This can take time. And we are interested to documenting both the conditions that are accumulating and the attempts that are done by a multiple array of actors in roles that are being defined in this moment, and get defined and redefined, in which individuals and groups of individuals play different and complex configuration of roles.
Like I say, all of this to try and understand where is it adding and how it can be better added.
The only thing ‑‑ I will take one point is some processes are complex and take time. So the fact that we have little results in this moment of time might not necessarily that they are not going to develop later on in time. And hopefully not so much time as 100 years it took to agree for the U.S., at least with this piece ‑‑ quick piece of Internet, we might have a little less.
So, please, whoever is interested in staying after, thank you very much. And there are, as I will say, leaflets here, there are leaflets at the counter. And we have electronic possibility to stay connected, and hope we will stay connected.
Thank you very much.
(Applause)
***
This is the output of the real‑time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***