The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
***
>> VLAD: Five minutes, I think it's time to start. If we need it, we are going to bring more chairs in here. Thank you for coming to one of the last sessions of the IGF, Cybersecurity, Human Rights and Internet Business Triangle. That means we are talking about everything, because it's really a broad area. So some of you, since you came, I hope you didn't get the idea that we are just going to be talking about all these issues in general.
Now, what is the idea of this panel? Often, we have this dilemma whether ‑‑ how do we ensure cybersecurity, and how do we make the balance between cybersecurity and privacy or human rights. Many people, also the IGF, say balance is the wrong word. It's not about balance. It's not about either/or. It's not about reducing one for the other. It's about having both privacy and security, or human rights and security, or economy and privacy and security. I'm not stipulating this is possible, but that's what we want to try.
Now, why don't we have that? One of the observations that we had is, even if you go around the rooms in the IGF, you will see the session on cybersecurity, or you will see a session about freedom of expression, or you will see a session about privacy. They're silos of different people discussing different topics. Rarely, we see that we are actually, at the same time, discussing human rights, that these two different communities sit down together. It's also ‑‑ it also stands for different stakeholders.
We have civil liberty groups, mostly discussing freedoms online, but then we have security groups and even governments discussing security separately. That's what we want to try to bridge today. The question we want to address today is not really the issues. We'll touch upon the issues, of course. But we want to try to decode why there is this gap in communication, how can we improve, also at the IGF. We actually put these groups together, something like that.
Now, the panel will hopefully be interactive. That is why I took this microphone to roam around. And I have the friend back who will help with the microphone, so count that you will be talking a lot, as well. Here in front of us, we have distinguished guests. I'll start from the lady. If you don't mind, I have to read the names just for the sake of not missing the right titles. So, Valentina, from the Association of Technology in Romania. Patrick Curry, a British Business Federation Authority. Also, Dzhokhar, from the University, for privacy of the United Nations, today, as coordinator of the MAPPING project, one of those leaflets you have, very interesting project.
You see at least two spaces more because we have another two ‑‑ I hope we have another two participants who are joining us remotely. And that is, the director of the DiploFoundation, and Desiree, the corporate sector. So, even the school districts of people over there, some are more focused on privacy and human rights, some on security, some more focused on economy and economic aspects. We'll try to mix. Now, before we start, I actually do want to start with you.
So, I'll ask my dear friend to start with a microphone over there. And I want to ask any one of you, just jump in quickly. Give us an example of a specific topic of your interest that you find that there is lack of communication. We discussed yesterday, JoAnn, Patrick and I, the UK surveillance bill now is going on. There might be missing of this communication between the stakeholders. I want to briefly hear, firstly, from you. What should we talk about today? Before we pass the floor to the panelists. Anyone. Would you like to talk about it. And please introduce yourself for the sake of transcripts.
>> VALERIA: Hello. My name is Valeria, I'm from the Association in Argentina, and I'd like to hear about big data regarding the development of that technology, or that group of technologies with economic objectives, but ‑‑ privacy and human rights.
>> VLAD: Big data is an example of merging of economy, security, and human rights.
>> VICTOR: I'm Victor, from the University of São Paulo, I'd like to talk about intelligence and secret services, the law question, like if law permits them to intercept communications, what's the point that they can intercept it, and I think it's that.
>> VLAD: Do you have the impression that some communities are not involved, or there are different discussions between different communities about case of surveillance? The human rights communities discuss on one hand, and the security services on another.
>> AUDIENCE: I think so.
>> VLAD: We can talk about that. Anyone else? Go ahead. Throw your thoughts. What would you like to raise today? Anyone else. Don't be shy. Come on. We have a full room. We don't want to let these guys only talk, eh? Someone. One more, at least. Help me. Okay. Two more, great.
>> AUDIENCE: Well, if we're talking about discourse and in the words of, I think, someone said the limits of my words limits my world. I'm from the privacy invasion network. The discourse on business development, and privacy being an obstacle to innovation is also a limitation, and something we could discuss.
>> VLAD: Patrick, I hope you are taking notes on that one. (Chuckling.) Yes, go ahead.
>> AUDIENCE: Hi, my name is ‑‑ I'm a student, I'd like to hear about ‑‑ it's kind of related and already talked about, but what I see is that there is somehow a discoursive gap between cybersecurity and internet governance, and how these debates somehow ‑‑ I see that there is a gap between the discourses that talk about internet governance and discourses about cybersecurity, because mostly, cybersecurity issues are somehow very related to state participation. So, maybe hear a little bit about how that can work, or how can we bridge this gap.
>> VLAD: Does it mean the other communities should not be involved?
>> AUDIENCE: No. The states have to be involved. That is my personal opinion. States have to be involved. But how do we include, like, these spaces that we're living right now, here, at the IGF, and how do we talk more about it without only thinking ‑‑ like, restricting our views to cybersecurity as something that is only related, so how can we resist to that ‑‑ maybe it's more related to surveillance, yeah.
>> VLAD: Okay. Thanks. I want to check if there is anyone else from the online participants that has anything to raise. Nothing yet. Okay.
>> AUDIENCE: Hi, I'm from the (?), and my topic that I want to discuss is about how the cybersecurity affect the human rights, affect the privacy, and affect our internet rights, too. I think that's my topic that I want to discuss, because we discuss a lot about cybersecurity, but I still see that have some gaps that we need to discuss. So I think that's it.
>> VLAD: Thank you. So one note that I took already is that there is a gap in language and discourse between different communities. And even if we take a look at the terms, the prefaces, cyber is when we talk about cybersecurity. We don't talk about cyber rights. When we talk about security, we don't talk about net or online security, we talk about cybersecurity, but it's net freedoms, so even that is different between the communities.
Let me drop back to the panel. Since we mentioned two times surveillance here, and then we have this kind of a problem between privacy and security, and surveillance, can you put yourself now in the other shoes ‑‑ not as a privacy person, or ‑‑ okay. Be a university professor, but now more kind of looking into business and security aspects. What are your reflections?
>> PANELIST: Is the mic working?
>> VLAD: Yep.
>> PANELIST: If it's okay with you, actually, I'll come back to the answer to the question you asked me via the route of a couple of interventions. So, first of all, let's pick on poor old Wittgenstein. He said, kind of, I'm paraphrasing to make him a bit more comprehensible, if you don't have a word for the concept, then you might not have the concept. I'd just like to say very briefly that some of the research we have been carrying out on privacy with different native peoples and indigenous peoples around the world, even if they live in the rain forest in Borneo, even if they live in the forest in Kenya, and even if they don't have a word for privacy, that doesn't mean that they don't have privacy.
In fact, we have tested it deliberately. Do you have a word for privacy? No. But then as soon as you start asking them, how do you behave, what do you think about this kind of behavior, then you find out that they have a lot of privacy‑related behavior. So, that's the first small point that I wish to make, the fact that you don't necessarily have a word for it doesn't mean that you don't feel that privacy is important. The second point that I'd like to come around to ‑‑ there are many interesting points here which have been raised ‑‑ does deal also with surveillance, right, as you said.
Two points have been raised, or three, about surveillance. And I think it's important that we make a number of important distinctions. First of all, when you are talking about cybersecurity, it is not only about surveillance. It is about ensuring that the infrastructure is secure, and that the infrastructure is safe to the extent that people can trust it. And that is something which is very important, because, of course, then people also need to trust on that environment.
When people are operating on the internet, when they're surfing, discussing, talking, they have to be able to trust the fact that they are going to behave properly there. And that they are not going to be put under surveillance unduly. And I think that this is where we often have a problem between people understanding what actually takes place, and what people actually would like. Let me be, perhaps, a bit more specific on this.
The first point is that we would like to have a clear idea on what actually is used for intelligence. So, first of all, I'd like to point out that according to some of the latest publications and research, actionable intelligence, 80% and over of actionable intelligence does not come from interception. It actually comes from open source internet. In other words, ladies and gentlemen it is very important that citizens are aware that stuff they are putting on the internet, pictures of themselves on Facebook, what they are tweeting, the whole host of content ‑‑ remember, this is user‑generated content ‑‑ the whole host of content that is being put on the internet can be used to generate intelligence, and it is used to generate intelligence to the extent that, as I said, some researchers are claiming that over 80% of actionable intelligence, intelligence which can actually lead to some form of conclusion, intervention, etc., comes from open source.
The second point which it is important to make is that security services have a very important role to play also in ensuring that critical infrastructure is put in. And the internet can be used, and is being used to attack critical infrastructure. And that means that we have to see how to protect citizens in society, because remember, today it's much easier to attack a city than it was 40 years ago, 50 years ago, when you would go in and try to bomb the city to bits.
We saw during the Second World War a famous incident when the Royal Air Force was sent in to bomb dams to remove the ability of the German industry to produce electricity. These days, you don't do that. You don't need to send the dam‑busters in. You go in, you attack a power station through its IP connections, and you bring down ‑‑ and you try to bring down the power station that way. So, when we talk about surveillance on the internet, there is some very essential monitoring ‑‑ not necessarily of individuals ‑‑ but also of critical infrastructure which needs to take place for security and safety in society.
Does that justify everything? Of course not. Does it mean that things have got to be proportioned, of course. You were talking about the links with industry, and this is where I would like to take this whole circle. For citizens to have trust in what their intelligence agencies are doing, or their security agencies are doing, and for the second time at IGF, I'd like to ask people to make a clear distinction between the role of law enforcement and the role of security and intelligence agencies.
In many countries ‑‑ not all, admittedly ‑‑ but in many countries, law enforcement agencies, the normal police, don't have the right to carry out certain surveillance unless they are empowered by a clear judicial warrant. It's a different case with many security and intelligence services, which may need a different kind of warrant, sometimes may need no warrant at all, and sometimes may need a warrant signed by a politician and not by a judge.
I'm saying this because even in my discussions with NGOs and civil society throughout the past four days here at IGF, many of them have expressed this concern. And the concern is, we are concerned that we are reading, on the internet. So they have access to this information on the internet. That our police forces, our secret services, are buying software with which they can hack into our machines and observe things in a manner which is not necessarily appropriate. And, I conclude on this point to give space to others, one of the chief points that was made to me at least ten times yesterday in different sessions by different people was, we are worried about either the lack of proper oversight mechanisms for security forces, or the lack of transparency about these oversight mechanisms.
So, why we have to give the security forces the right tools to be used against the right people. We then have to go to make sure that you have the safeguards that those same tools are not used against the wrong people. And clearly, if you are using those tools, as we've seen in some countries, how many people do you want to put on this list? 100,000, 200,000. Is that really how many terrorists you have in this country? So you begin to ask the question, is the targeting being done on purely law enforcement, or national security guards, or is it also being done for political grounds. Thank you.
>> VLAD: You raise a very interesting thing there, when you mentioned the law enforcement and the security services. We had some kind of a discussion in Geneva this year about cyber crime, and we had a guy from security and a guy from law enforcement. They don't communicate together, either. So even those are examples where the law enforcement guys said, we don't need all this data you're collecting. We need, at the moment, what we need. There is a gap between these communities.
Now, I wanted to pass this on. You mentioned this fact that 80% of what is collected for surveillance is actually what we post online. Is this something that would enter discussions of the civil liberties groups, is it also one of the caveats, don't do that, think about it. Is this something that you talk about with security services, or law enforcement, even? Is there any kind of communication on these kind of issues across this, from your side?
>> PANELIST: Before answering the question, I just want to point out that there are two chairs available here ‑‑ one ‑‑ two this, one over here. If anybody wants to sit down.
>> VLAD: Feel free to sit here, as well.
>> PANELIST: But turning to your question, unfortunately, in Romania, at least, the interaction with the Secret Service or the law enforcement is very, very limited. And, for example, my ‑‑ the NGO I'm part of is called the Association for Technology and Internet, and it promotes digital rights. It's always asking for public debates and for consultations. And unfortunately, some of them, although they are approved by these institutions, when we go there and we openly want to discuss with them, we just face this blackout mentality, like what we're talking to them doesn't reach the officials, because they look at us as disobedient anarchists, and they don't take us seriously because we want to undermine their power.
But we always try to explain the human rights principle. We try to find ways to make some sense to the proposals they confront us with, and unfortunately, this is just the way it is. There is no willingness to have a real debate. Only a mockery of a public discussion, and then everything.
>> VLAD: Did you try to find the picture why maybe the government services simply don't want to talk about human rights aspects? Do you try to make the way to present your arguments to the prism of cybersecurity, or economic environment? How do human rights support security, or how do human rights support economic development? Would that be an angle that, maybe, the government would listen, rather to?
>> PANELIST: I think that would be the best approach to move forward. Unfortunately in my case, we have to go ‑‑ step ways back, and first to educate on human rights. And so, these types of discussions will be at a very high level. And we're not simply able to do that at this moment.
>> VLAD: Trying to map the gaps that we have, we already mentioned, you mentioned trust. Then you mentioned these, kind of, prejudices and perceptions between the different stakeholder groups as another gap. And then you also mentioned education as probably another gap in this communication. I want to throw to you with brief reflections if anyone has questions, before I move back to Patrick and Desiree, and Yovan, they are both on. By the way, is there any remote question? Nothing else.
Any one of you want to quickly reflect on what we have thus far? Any comment, any suggestion, any question? Any example? Come on, guys. Okay. There is one there. Can you do it from the back? Don't forget to introduce yourself.
>> RODRIGO: Hi. Is it on? My name is Rodrigo, I'm a researcher at a law school. I think that one thing that we might add to the list is the problem of pacing. As a cybersecurity major, it's usually rushed, in the sense that, at least in the surveillance field, they are both not the same thing. But, in surveillance, at least, there is usually an emergency aspect to it. People bring it in a sense like, against terrorism or other threats, it gets either passed too fast, or acts very fast.
And on the other hand, a human rights approach tends to be more cautious, and they should be, because it needs to be implemented in a broad way. So in a sense, this controversial or at least not‑coincidental pace might be a problem.
>> VLAD: Thanks. So we also note the issue of time and emergency, in a way, as a kind of a pressure putting on discussions. Anyone else? Back, back in the right part. Show your hand. Okay. Good.
>> AUDIENCE: Hello. Although human rights ‑‑
>> VLAD: Introduce yourself, please.
>> AUDIENCE: Yes, my name is Jovan. I think that if things like human rights is a good framework, but at the same time, you have to be pragmatic if you want to get the silos to discuss among themselves. And the pragmatic approach would be to go on projects that are common problems to them all. So if it is security, then frame it in that form, and each of the stakeholders can be ‑‑ you can say that they are holders of value of given information. So, civil society can be one holder or contributor to a given set of values.
And then the enforcement community could be another one. And then they can communicate with the information they have, with the value that they give to that information. And then, this pragmatic approach can lead to common results. But if it is within a human rights framework, it is important to civil society, but perhaps not so important to the business community, or to the enforcement agencies. So just, I think that the pragmatic approach is always the most effective. And I think that when you give this kind of an approach of who gives what kind of value to what kind of data, it can be a much more productive way to go.
>> VLAD: I think I'll reveal your identity for the benefit of discussion. The guy is from the government, so he knows what he's talking about. Quick reflection.
>> PANELIST: Just to follow up on the previous intervention, to say how much I agree with you, and how much it works in practice. If I could share for two minutes just the experiences we've had on some of our projects. First of all, we make it a point to, as much as possible, have not only projects which are interdisciplinary, but projects which are involving directly both law enforcement and secret services, right? So, even the project which is organized this forum today, together with Diplo, Diplo is a member of the MAPPING project.
So if you take the leaflet that's on your desk here, and I'll do it here so they can see it on camera, too, and you turn it toot back, you will see that one of the logos of the participating partners, a very active partner indeed, is Interpol, right? So Interpol, which has 190 members around the world, which is practically the whole world, participates directly in many of our projects, because we would like to have the stakeholders there telling us what they need, right?
We have Interpol, for example, has participated with us in the Respect project, which deals with surveillance, including CCTV, RFID, social networking, financial institutions, financial transactions, etc. It has participated with us in the Smart project. And please Google all of these, right. Please search for all of these, because there are websites for all of these which give you more information. I'm just taking advantage of this opportunity to tell you about the fact that they are working with us on smart surveillance, on surveillance, in the MAPPING project, in order that we can come up with laws together.
So, these projects provide a forum. It's not only a closed forum. Every year we hold roundtables, several policy workshops, and also large conferences, a hundred, 200, 300 people, which bring together all the stakeholders in order that they can exchange. So to answer your first question, how to break down silos, our preferred approach, how to break down silos, is precisely by working together in order to introduce ‑‑ not only to learn from each other and develop pragmatic approaches, but also to encourage the development of privacy by design, technologies, procedures, guidelines, and approaches which both secret services and police forces can use.
So, I'll conclude here. In our latest two projects which we have just started this year, the CARISMA project which deals with culture in disaster management, and also the city project which deals with the use of mobile phone apps in community policing. And we're going to actually test this in four European countries over the next three years. So if you see an app belonging to the city, please try to use it. In that project, too, we have four or five police forces from Lisbon and Portugal, so there's going to be a Portuguese version of the app now that we're sitting here in Brazil.
The Italian police from Florence, the UK police represented by Sheffield, the Romanians are going to be there, too. Apart from the police, there are also going to be some secret services involved in order that we can understand how better we can achieve a balance which puts in safeguards for the use of the information, puts in safeguards built into the systems and into the software, while at the same time experimenting with the legal and technical safeguards which can be employed in the use of such systems. Thank you.
>> VLAD: Thanks. You're giving us a little bit of optimism here that this is possible. One thing ‑‑ there is another example of this cross‑community discussion, is the Freedom Online Coalition, basically the coalition of countries that are working freedoms online. There's a bunch of civil liberty groups involved. One of their working groups is actually cybersecurity. So they are trying to look into what are the existing cybersecurity for these players discussing human rights.
Now, I apologize. Or, excuse me for keeping him for a bit more longer on the panel. I see you're anxious to also jump in. I just wanted to bring ‑‑ because we didn't have any comments from the online space, so I wanted to involve the ‑‑ one of the two, then, speakers from the online space here. I don't know if we can get him online. So, he was basically the one who was introducing this idea of the session of trying to go through the triangle between cybersecurity, human rights, and economy.
And he's also the direct of the Geneva Internet Platform, which is another good example of cooperation between different sectors. In this case, specifically, diplomats, which are based in Geneva mostly. I don't know, can we put in ‑‑ do we have on the screen? Okay. Ah, you're on. The floor is yours.
>> PANELIST: Hi. I can hear ‑‑ you can hear me. I missed the IGF, but, from Geneva ‑‑ because the flights are overbooked, because the Africa‑Europe summit. And that summit ‑‑ on the example ‑‑ security, human rights, and business. Basically, what's happened ‑‑ together ‑‑ the European union ‑‑ Europe and Africa to discuss the question of migration. And the reason why I couldn't join you in Joao Pessoa was that we discuss internet aspects of these developments.
And essentially, you have the question of ‑‑ part of this session ‑‑ summit. The major objective of the summit, which gathered the ‑‑ of Europe and Africa was to discuss migration. And if you ‑‑ migration ‑‑ specific issue, you can see that there is this interplay between cybersecurity, business and economy, and human rights. I guess you can see the PowerPoint.
>> VLAD: Yes. We are now on the slide, the triangle.
>> PANELIST: And complete speaking, when it comes to migration, you have a question of security ‑‑ national security, people are coming across the Mediterranean to Europe. And what one of the Brazilian colleagues mentioned is that it was very interesting, is different type of timing of different communities. Cybersecurity community in this case has to find a solution very fast. And then to see how internet is misused by criminal groups, because the whole human trafficking infrastructure.
This is ‑‑ basically reduce communication possibilities of the human trafficking, which are very powerful in Europe. And there are many ‑‑ numerous consequences of that. There was also the question of human rights community, of rights of the migrants, development, and various rights related to migration. And here internet plays different role with human traffickers. It is ‑‑ families. And then in this ‑‑ also ‑‑ the question of development in this ‑‑ Africa.
Because ultimately, long‑term solution is ‑‑ development. And creating prosperity, which should reduce the pressure for migration. This triangle which is represented here ‑‑ discussion on migration ‑‑ issue of security. As you can see, there is ‑‑ major issue ‑‑ governments ‑‑ global policy where you don't have this. And ‑‑ you have a different chemistry, organization chemistries. They use different language. They have the different time span. Cybersecurity ‑‑ community ‑‑ human rights community has ‑‑ development of business community (inaudible).
Therefore, you have the challenge of bringing these communities on different levels, using the civil language to ‑‑ frame their problems. And this is a major issue. I'm afraid that we don't have the silver bullet, and anyone who is proposing ‑‑ solution ‑‑ I think is misunderstanding the problem. Reality is that people govern their communities. Human rights people govern their small community. According to that, we have a limited possibility to engage with the people around us.
We can maintain ‑‑ we keep in our community. IGF is one example. I missed this year, this is the first year I missed. And this is a community which is relatively close. We know each other, and it's normal that we ‑‑ human rights practice, business ‑‑ and then from that point, we should try to then identify people who can understand atmosphere dynamics, metabolism of different communities. And probably start with the small steps. Explain to the officials of different communities what they can get.
Just that we can ‑‑ overcome ‑‑ we need to combat (inaudible). We have to have some sort of ‑‑ different communities to engage to make their life simpler, or to achieve more. And that's probably the main challenge. We are facing it every day in ‑‑ more than 50% of ‑‑ and you have very close communities. Dynamics, human rights ‑‑ another group. You maybe didn't have. And, for example, all these communities are discussing data protection, privacy.
They discuss the commercial aspect. Standardization. And my experience from trying to reach these silos, which is one of the main issues, is that one should refrain from making ‑‑ should make many small steps. We should be doing ‑‑ bringing people together and explaining why. Civilization ‑‑ skeptical ‑‑ developing. My experience is ‑‑ have substantive ‑‑ not just ‑‑ substantive engagement of different communities ‑‑ policy of different issue that are discussed.
>> VLAD: Thank you. What I also took from this is, again, going back to what someone mentioned, is the pragmatism. But, you also mentioned understanding across these cultures, which is actually being in other shoes, trying to see what the governments need to take back from this IGF, which is like reporting and understanding, or trying to understand, well, the human rights communities want, or the corporate sector. I will now throw it to Patrick.
I want to go into this third part of the triangle. You will stay with us, Desiree is also there, we will go back and forth. To this third part of the triangle, which is business. And there was a lot of mentioning about timing. I guess for business communities, the timing is really important. It needs to be fast. You can't really waste too much time. But there is also these questions about trust, perceptions towards other communities. I'll just leave it to you to comment the way you wish.
>> PATRICK CURRY: I should explain, first of all. So, I have a background in the sharing of sensitive information, particularly in industry in major defense and aerospace programs. The planes that you came on to come here, some of the technology that makes those planes fly securely, and the information behind it, is protected worldwide by some of the stuff we developed collaboratively, and a lot of those capabilities have gone into other areas, slowly but surely.
I'm very happy to take questions on that. I'm ex‑military. We haven't talked about the military, but I've been involved in counterterrorism, in military operations on the ground, U.N. peace‑keeping operations on the ground, not in an armchair. And I've also been involved heavily in the interaction between government organizations and industries, both nationally and internationally.
And so it was with a Dutch colleague of mine who said to me that the internet is amazing, he says. On the internet, you can do really dumb things on a great scale very fast, and you have no idea what the consequences are, and you can't do anything about it. So, when people say to me, look, the internet, you know, it's exactly the same as what happens in real life, my answer to that is, it's partially true, and it partially isn't.
And there is the problem of cyberspace. So, two points. And this affects everything we're talking about. The first thing is the difficulty of cyberspace is, it is a duality. It is, on the one hand, a global commons with no boundaries where we put stuff and we just trust it's there and we'll get it back, and nobody else can mess it up. Then we have servers that sit in a data center with wires and power that fails. And local rules. And those two don't always sit together very well.
So, obviously, there is work to be done to make those two work more effectively. So we could have a discussion around safe harbor agreements, for example. And the other major area that goes with cyberspace is that we really rely on two big pieces which happen in normal life. Historically, we are about communities. And we have communities of trust. And there is a big difference in the behaviors in countries and between countries where you have countries which have got very good communities, and other countries where it's very consumer‑centric and communities have been broken.
So we have a lot of victims in the latter, whether it's to organize crime, financial abuse, child abuse, and the problem is that the Internet isolates those people. It's not the same as the physical world. So we have some challenges there. So the pieces that we need in there to be able to work with others in business or in government, or between businesses and government and each other, because we are all citizens, employees, consumers, free spirits, whatever you want to be.
We're lots of things, and we behave differently. But what we depend on ‑‑ two things ‑‑ trust, and interoperability. You automatically make a judgment when you meet someone, whether you're a person, an organization, or a government, as to whether or not you trust them. And it's very subjective. And they do the same about you. So you try and look smart. You try and talk nicely and so on, because you want a relationship. It's a dating game.
But if you can't interoperate, if your policies, and particularly your data can't interoperate, you can't understand each other. If you can't understand each other, then there is no way forward. So, what we come down to here ‑‑ the first is primarily a risk judgment. And nearly everything we're dealing with at the moment is phrased in terms of collaborative risk, because we are in a collaborative world.
So if you look at national cybersecurity strategies today, not always the first ones that governments write, because they're not very good sometimes, but the newer ones, they talk much more around collaboration. And as part of that in there, there are typically five major steps for risk management. The first is to identify the risk. And the top issue that we've had globally is decision‑makers in big organizations and governments don't think they have a risk. So they get hit.
We had a mobile phone company the other day, Talk Talk was hit. The immediate reaction was, 4 million records lost, they thought, or hacked. And the CEO, in the press, saying that she didn't have a duty to encrypt that data. So it's got nothing to do with secret service. The bulk of the data that's stolen about people is done by identity fraud, which is the top enabler for all crime. And that comes from corporate environments in the main.
It doesn't come from individuals so much, because that is more expensive for criminals to acquire. So there's lots that companies can do. And what happened in the banking sector in the UK is we changed the regulator, and he issued ‑‑ or they issued ‑‑ a vulnerability questionnaire. 95 questions went to every company in the city of London, and the boards of those companies had to sign off ‑‑ had to answer the questions and sign them off. The side effect of that was, number one, many companies said, we don't understand the questions.
Then they said, okay, we've worked out the questions, but we're not sure we know the answers. So eventually, they get to the answers, and it's changed the culture. So let me move on a little bit, because I don't want to last as long as Joe. And the issue here, now, is we're seeing a lot of new technologies coming into play which are really helping with collaboration. So, I mentioned, first of all ‑‑ and I apologize, I'll just go back a step.
There are five steps. Identify the risk, mitigate, protect against that risk. Protection will not last forever. You need to detect ‑‑ this is not surveillance, this is monitoring ‑‑ you need to detect when things go wrong. And you need to respond depending on what it is that you've detected. But if you don't do detection on your networks, your protection will get broken. You will put people at risk.
Finally, we're about response and recovery. And that response needs to be very quick, otherwise, people are still vulnerable. We call that time‑based security. If you're not doing time‑based security, you've got a problem. So, the introduction of cyber control frameworks with standards underneath to support those, and we've heard mentioned in other meetings here of ISO X1254 from ITU. I would also highlight, coming out of that, we're now seeing new technologies come in around identity management.
We have a lot of high‑assurance public key infrastructure which we can use not just for authenticating to know who you are ‑‑ and you can prove who you are to someone else ‑‑ but also technologies to help you anonymize that. So, technologies like zero knowledge proof, SKP, and attribute‑based credentials. We have either got standards or technology which is starting to be used. It doesn't expose your data, nothing, no data gets passed.
So, going forward from here, we're going to see some changes very soon. The first ‑‑ or a major one is the advent of blockchains. We're seeing a lot of use in blockchains. In my country, we've had a cross‑organizational government initiative to prepare a report for our Prime Minister, and we are coordinating that with other nations. That report will be out in the next few weeks.
And we're looking at blockchains to support many areas, in just about every sector, health, payment records, health records, energy records, and many more. The next major technology in this one is smartphones. So, those of you ‑‑ hands up, whose got an S6? Samsung? Oh, okay, nobody. There's over a hundred million of them. The S6 and other phones contain something called trusted execution environment, which isolate the operating system from the application layer.
This means the nasty malware you let get into operating system, which sees all your contact lists, emails, and applications, can't do that because they're being processed in the trusted execution zone. The software to enable that is going through evaluation right now and can be deployed on any platform. What's the result? You have a phone in your hand that is secure end to end. And nobody can get at your stuff.
I strongly recommend you look at that. It is going to change the relationship between private data, privacy, and organizations. But there's a rub. You need to act responsibly and wisely, and be educated, and look after it, which leads us to the education piece. And I know from Vlad's look that I've probably said enough, but I just want to harness the fact that you have a lot of stuff coming down the pike. The debate is not around privacy, per se. You can't do privacy without authentication. It's a broken concept. If you can't authenticate, you don't have privacy.
And it's money that pays for the development of the internet. So business has to work. And that's what generates taxes, which is one of the prime reasons of government. So, the internet is really helping many of us, but we have to work together. Vlad.
>> VLAD: Thanks, Patrick. I know you're just in a huff, of what you can say, which is excellent. No, education, I noted it down as one of the bold gaps and ways ahead. Before we move on, I wanted, first, to tell to those of you that prefer to sit in the chairs, there are three chairs here. So feel free to join us here. Don't worry, we're not going to hijack you for the panel. If anyone wants to tweet, go to it. There are not too many tweets on this session, go on with tweeting.
And thirdly, before I move on to our very patient fifth panelist, who is online, questions from you, comments, anything? I have to take my microphone. Hands? Anyone? Question, comment? Sure. Introduce yourself, please.
>> RAFAELA: I'm Rafaela, I study International Relations in Brazil. The last speaker told about you were ex‑military and talked about cybersecurity and all of that. So, cybersecurity ‑‑ I have a question. Cybersecurity, sometimes it broke the sovereignty of the state. So, how can we promote the cybersecurity without breaking the sovereignty of any states, and as happened in a the USA broke the sovereignty of some countries, including Brazil. So, you said, cybersecurity is for ‑‑ against terrorism and a lot of stuffs. But what is the dangers of some of these countries that USA, it was being looking at, especially Brazil? What is the terrorism that Brazil could devise for USA? How can we promote cybersecurity without breaking the sovereignty of the states?
>> VLAD: I guess someone would also like to comment, so, any one of you that want to jump in quickly on that? Patrick, sure. But tweet. Tweet.
(Laughter.)
>> VLAD: Not the blog. Tweet.
>> PATRICK CURRY: The first duty of intelligence is, "don't get caught." Every nation does intelligence‑gathering, and they always have, and they always will. The question here is about balance. And in this particular case, I can't answer for what happens in Brazil. What I can say is that Brazil is unique in the way that financial crime operates, and the targets for that are outside Brazil, and there is a lot of international cooperation in order to look at ‑‑ this is purely financial I'm talking about. It's not about state control or anything like that.
And so nations cooperate with each other at the same time, in many, many areas, which is a good thing. So it's just like a family, really. Sometimes you don't get on with each other, and I've now reached 120 characters, so I have to start.
>> VLAD: 120 words. Thanks, Patrick. Do we have someone over there?
>> ELSA: Should I go? Okay. For the record, my name is Elsa, I'm from Lebanon, I work for the Center for Human Rights, I'm an ISOC Ambassador. Patrick, you've seen me in every cybersecurity and human rights workshop. I am doing this on purpose, because as much as I want in on this as a civil society organization, whatever you're talking about, I also like to provoke and say, Saudi Arabia.
Saudi Arabia, again and again. It's like, I know. Like, my part of the region, on that specific thing, is always an issue. And it's very important to have a voice from that region to always highlight this, because if they don't highlight it, most of the time, it's not taken into consideration. So I just want to put it out there, as I always do in every cybersecurity and human rights workshop, just to know a couple of your comments, as well, maybe make them public, and I'd love to take this offline, as you know, as always.
>> VLAD: Any other comment from any of you? I can't see you through the glass, you have to get out. Come on.
(Laughter.)
>> VLAD: Okay. Sure. Go ahead. Yeah, yeah, go ahead. You're on. We hear you. You can go ahead.
>> AUDIENCE: Hello ‑‑ the most recent ‑‑ can you hear me?
(Laughter.)
>> VLAD: Yes. We can hear you. You can go ahead.
>> PANELIST: I hope the transcriber can hear me. Okay. The question of the state and cybersecurity and human rights. Again, the question of overcoming silos. It is important ‑‑ I think we need ‑‑ in everyday life ‑‑ useful. Utopia brings the society forward. But ‑‑ cybersecurity has to be more realistic. And states have the obligation, according to the social contracts ‑‑ international relations. According to the social contract ‑‑ to provide security. We passed some provisions for that.
And that has to be kept in mind ‑‑ is no different in that respect from the rest of the history. We sometimes think that ‑‑ said that ‑‑ there is a bit of (inaudible). In that context, governments have a serious role. They should be equipped to perform that role, with the necessary checks and balances. And ‑‑ was instrumental in organizing that ‑‑ interest in meeting ‑‑ for cybersecurity. I was ‑‑ attend that meeting.
And at that meeting, there was a clear message that governments ‑‑ they cannot manage this problem ‑‑ the question, what are you going to do if ‑‑ a hundred thousand people, all claiming that their Facebook doesn't work. And you can get ‑‑ hundred thousand people ‑‑ not for other social groups. What are you going to do with this? We are speaking about Brazil's concerns. And the only way to do it is to start from acknowledging the important role ‑‑ that there is a time that governments don't have any role to play.
That reason ‑‑ endanger all ‑‑ reality, in order to unlock the potential. I will be apologizing, because I'm going in a few minutes to a multistakeholder dinner with the business community, and the security community. And it will be an interesting exercise in discussing the cybersecurity issues. Unfortunately, I'll have to leave the session. I'm sure that I will miss a lot. But, from Geneva, hope to see you soon.
>> VLAD: Thank you. You have spent all of your tweets, so you're free to go, thank you for the contributions. What he mentioned when it comes to the OSC meeting ‑‑ that's an interesting thing, I discussed it during lunch. In some cases, we think a government just doesn't want to do something. Might be some times, when it comes to human rights. In many cases, governments want to do something but they don't know how or that they should.
An example from the OSC meeting was not only that we organized a simulation and mixed the communities, and it worked very well, but we also kind of organized a cyber lab where we put a Bitcoin machine, a 3D printer, so the governments could try, the technical community would show them how it works and the implication. That was the most‑visited part of the conference. Everyone wanted to buy Bitcoin.
There was a bit of a joke from those that were showing the Bitcoin, they said, you can buy Bitcoin here and drugs on that table there. They were happy to see more and learn more. It's not always about someone doesn't want to do something. Now, I want to use the opportunity, if we still have Desiree over there online, because Desiree did a master thesis, actually, on trust in internet governance. Trust is something we mentioned here. While they are putting Desiree on screen and on voice, I want to check also, just voice, that's absolutely fine.
I'll give you floor later on, if it's okay. I just wanted to ask you, a thing that I probably shouldn't ask at this session. How many of you trust the government? Just raise your hand?
(Laughter.)
>> VLAD: How many of you can say that you trust the governments? Raise your hand. Well, at least your government.
(Laughter.)
>> VLAD: How many of you trust your government? Raise your hand.
>> Wow.
>> VLAD: Come on. Is it really like that? Three, four? Okay.
(Laughter.)
>> VLAD: How many of you trust the corporate sector? Let's say, Google, Facebook, the big corporate sector. How many of you trust the corporate sector, that you can say that you trust them? Now we have a serious issue here, eh? Go on.
>> Each other.
>> VLAD: That's a good question. Okay. So we have a serious issue. Desiree, if you are there, I don't know. I think we saw in the room there is quite few trust around. So, how do you see the trust when it comes to this intercommunity discussion, Desiree? Can we hear her? Technology, to enable the microphone.
(Laughter.)
>> VLAD: I think Desiree is actually coming in from the UK, so there might be something related to what you previously mentioned. I hope they're going to take this out of the transcripts.
(Laughter.)
>> VLAD: Where are we with the audio? Should we go on?
>> DESIREE: There has been a huge decline in trust. And while the trust in the sector has actually decreased, from 66 to 63%, it is also interesting to know that ‑‑ has fallen down between 59 to 57%. And trust in government has risen from 45 to 48. Although government was still the least‑trusted institution of the four. And so, I think these are some interesting survey points.
But when you ‑‑ corporation ‑‑ as I said ‑‑ important because we are ‑‑ living in an age of globalization of huge complexity, and so we need to ‑‑ trust not only in different communities, but also in ‑‑ executions that we are building, internet governance institutions. And I do think it's necessary ‑‑ trust of different ways that institutions are approaching the theme of trust between different stakeholders and how trust is being built, because ‑‑ early on ‑‑ internet rose from this small academic community that were mainly working on technical issues, and has become commercial.
And we are here today to solve some of the most difficult components of different interests between different communities. And I would say in addition to trust, there are ‑‑ let's say, for example, we could take cybersecurity people. Obviously, the interest is to amass as much data as possible ‑‑ use later on ‑‑ data from their customers to use ‑‑ services ‑‑ some competitive services. And if you look on the other hand, if you look at the interest of internet, let's say, human rights or digital rights groups that represent internet users, their interests lie in a completely different and opposite direction of those, and those that work in the cybersecurity, national security fields.
And so then, what is important is to be ‑‑ to actually have anonymity of the network, to ‑‑ metadata collection, privacy, data retention, and filtering and content ‑‑ inspection. So ‑‑ and obviously, encryption, and currency enabled. And so how do we find these interests? I see they are opposing. And in such, opposing, we still need to learn to work together, to find some solutions. I have noticed ‑‑ solutions ‑‑ gaps ‑‑ and why is it so hard.
But I think there good examples of communities that are trying to break down the silos, and work together. For example, I think in the U.S., there's been the initiative of global policies trying to get together ‑‑ basis. In unprovoked ‑‑ China ‑‑ Facebook ‑‑ having to get some of their data out of the government. So, that backfired. And as a backfire, we have an initiative, I think, that is a good way of trying to solve some of the hard issues, how to respect human rights principles.
And I have some other, also, examples, perhaps ‑‑ working group that is trying to solve that. And international, and trying to get as many members around the world to participate in this work, where law enforcement agencies as well as business ‑‑ a good example of the online coalition as well ‑‑ community for human rights. So I think what we're seeing is even with the IGF, and the way we organize workshops, beyond trying to find ‑‑ break down these silos.
And I think ‑‑ government ‑‑ digital rights advocacy groups ‑‑ a smarter, if you like ‑‑ how we could get the safety ‑‑ public safety, how to work together and how we can have maybe ‑‑ production of these. That would look after the public safety ‑‑ rights.
>> VLAD: Thank you, Desiree. Thank you, Des. I was hoping that you would maybe help us with some good tips how to raise trust, but, no. It's something that we have to work on. And thanks for two things. The first one, you added another gap to the list, which is also the interest of different communities. But you also added a very good example which I forgot, and we forgot, and it is actually the IGF. Because in preparation of the IGF sessions, we try to encourage different angles of discussions.
And I hope this is going to be trending more and more. I encourage you to help this happen when organizing the sessions at the IGF. Now, we have some, maybe 10‑15 more minutes. There is a pending response to a question that Elsa mentioned about Saudi Arabia. I'll get back to that. But maybe pick one or two more points, questions, comments. Where did I put my microphone? I left it somewhere. Ah, thanks. Okay. So, we'll go from the lady, and then to the gentleman there. Introduce yourself.
>> AUDIENCE: Can I start? Okay. My name is Vivian. Before you talk about trust, I will ask some questions to you. In the room, apparently say that the human rights need of cybersecurity, that we don't have human rights without cybersecurity. But we know this is a half‑truth, because the human rights needs cybersecurity to have some protection of data and privacy, and all the rights that we citizens have. But we also know that some government use the excuse of the cybersecurity to spy in the citizens, in other governments, and even spying some activists and trying to censor some opinions that is not good for the government.
And we have these whole groups of minorities, and whole populations of other countries that live in a true terrorism of the government against the population. And without that, we also know that cybersecurity don't ‑‑ how can I say ‑‑ don't help the human rights. Actually, it's like an abuse of the human rights. So we have these two faces of cybersecurity, a cybersecurity that protects the human rights, and another cybersecurity that abuses the human rights. And we have governments that don't trust the citizens, and is always spying on them and censoring them, and going through their contents.
And the question of trust is, how can we trust in a government, how can we trust in this cyber society, Facebook, Google, that don't trust us, who don't trust us? So ‑‑ and the trust something that is mutual. We can't trust if they don't trust us. So that's my opinion. So how can we trust in the government? That's my question.
>> VLAD: Quite a big question. Like a million‑dollar question. We'll get back to the panel later. And I know that in a way, we cut Desiree, the final point. So she will probably also respond to the question of trust, how we are going to trust the governments, at least in this area. Before I pass the microphone to the next gentleman, just a good comment which you mentioned is that we should look into how the cybersecurity actually can help protect human rights, right?
And after all, security is a human right, so there is a strong link there, but we have to look more into that. Yep. Introduce yourself, please.
>> BEN: Hello, I'm Ben from New Zealand, and I'm an information security professional. I guess frustrating me today has been, we've spoken and used the word "cybersecurity" not to describe anything that I would remotely consider cybersecurity. We've been talking about the national security actors of intelligence agents. That's not cybersecurity, which kind of goes to the previous speaker's point. So, we've got ten minutes left. I thought it would be really interesting to hear from the panelists about actual things that information security people, and human rights people, and businesses, can do to improve information security, to stop signals intelligence agencies being able to sniff it all and know it all. So, yeah. That's my ‑‑ sorry.
>> VLAD: No, very good point. We are back to the question of language that we use, as one of the gaps. We have over there ‑‑ I will give a short one to Elsa.
>> ELSA: I just want to follow up on something. Also, you heard ‑‑ I want to hear your answer. Like, also, to echo what the lady there just said, there is also an issue of trust due to the fact that private corporations have ‑‑ can you hear me?
>> VLAD: Yeah.
>> ELSA: Due to the fact that private corporations are also, like Western private corporations, also export technical material that the government is using against human rights defenders in the region, in the UAE, and the UAE government had a deal, and the UAE was capable of harassing a specific human rights defender because of that deal, because of that technical support they sent. So, also, there is this mistrust of the relationship between the private sector and the government, which is also very shadowy, and it would maybe make it easier to have a civil society organization get on that triangle as well, and maybe give some input, you know?
>> VLAD: Good idea. I hope you are taking notes.
(Laughter.)
>> VLAD: I think we will prolong this session for another hour or something.
(Laughter.)
>> Thanks, Vlad. I'm a little skeptical about the notion that human rights activists and cybersecurity professionals and governments are completely in opposition of ideologies about the issues of cybersecurity. I mean, in fact, the name of the session is that it's a triangle, not that these three actors or interests are removed from one another in terms of their interest, but are in some way related to one another. And it's finding the best way of approaching that relationship that we're all here today.
And that is also to see how can, as Ben pointed out, how can we all work together to improve cybersecurity and find an equitable balance between trust and potential issues that, you know, cybersecurity might arouse.
>> VLAD: Thanks a lot. Any other comment from the group here? Is there any comment from the online space? No one? Online participants are quite the quiet today. We do have talkative panelists, though. Okay. Back to the panel. Go on with Desiree. Desiree, if you can join us again to reflect with your final point on that, and maybe a brief comment on these interesting angles of trust, and how do we actually go ahead with that. Desiree.
>> DESIREE: Thanks, I think it's very important to mention ‑‑ authority that will ‑‑ have the domain name locked and encrypted, and I think that's, if you like, a huge effort for several industry players to make that possible. So, it's on (?).org, and I think it talks about initiative of securing the data, and it's something, I think, you should be aware of. We've done a comment from the gentleman about the directions. I think if he was referring to what I said, it's actually different approaches towards data collection.
And I talked about how cybersecurity people and some businesses collect data, ask and what the human rights activists are trying to protect when it comes to privacy and data. But overall, I think some of the points, in terms of building trust, I think what has become obvious from some of the data that I gathered from my research on trust is that the communities, whether they are communities ‑‑ technical community, or if it's an organization that has various stakeholders with different, kind of, approaches, it is important for all of them that they build more cooperation, and further creation of the communities.
And that means that people like to belong to thinking and principles, and ‑‑ principles. And ‑‑ community ‑‑ really difficult to implement any development in policies in such a vacuum. And unless there's development in our ‑‑ others.
>> VLAD: Thank you. Thank you, Desiree. Okay. We have maybe two minutes for each one of you. Try to reflect on whatever you want. Don't forget Elsa's question. She is going to chase you afterwards for the response.
(Laughter.)
>> VLAD: Patrick, maybe you want to start.
>> PATRICK CURRY: Fast, because these issues have come up before. The first thing, we cannot, in the IGF, and internet bodies, solve the problems of interstate diplomacy. What is showing up is the problems that happen at this ‑‑ if you like ‑‑ the higher level of the relationships. I'm back to my family analogy, and I think it's really important that we highlight those things. So that's a part of your answer.
The second thing, if you can't trust governments ‑‑ and most of us can't ‑‑ and part of the reason is that very few governments are homogeneous. Internally, they are in silos. Internally, they compete. They are not reliable. So, what we're seeing is the rise of trusted intermediaries who live or die by their ability to provide independent assurance and protection. And I was really interested to hear Ted Hardy talking about the protocols that Google is going to bring in to secure data at rest, and data in transit.
And the work that's happening on the Android stuff I was talking about earlier will extent that, and it will go into other operating systems, probably within a year. This is going to create some very interesting experiences for governments, some of whom will embrace them, and others of whom who will not. My personal view is we should have encryption everywhere. We should not have backdoors. The Clipper experience was disastrous for industry, because people didn't trust industry, and they lost a lot of money.
So, industry does not want backdoors. What ‑‑ and governments can't afford to hack on scale. It's too difficult. So the only thing you're really left with, I would argue, is key escrow. So the next big decision, how do we manage keys, cryptographic keys in an increasingly complex society? The UE passed a law on the mutual recognition of keys for authentication and signature.
And I think other nations ‑‑ it's going to be really interesting to see what they do. So, those ‑‑ you can be represented in cyberspace, either declaring your identity, anonymously, which means there's no data about you anywhere, but nobody's really going to trust that, or partially anonymously. That means that somewhere, somebody has checked who you are, and you are who you say you are, so you can have confidence, but I don't know who you are.
And if you're into standards, look at ISO 2911, that describes partial anonymity. If you want to talk about other standards, I'd be delighted to help you. I missed a point, sorry. What we're seeing, states, and indeed, third‑party organizations providing high‑assurance identity management now, because people need to be able to use their identity wisely. And I think the biggest change over the next year is going to see how governments provide their citizens with safe identities to use online, or at least enable industry to do that for them, which is what my government is doing, what Australia is talking of doing, what the United States is doing, and many more. Thank you.
>> VLAD: I didn't train my dangerous look well enough so that you recognize it.
>> VALENTINA: Well, I'm sorry we're out of time, because I had some really interesting stories from Romania in respect with the cybersecurity law, which fortunately, was stopped and declared unconstitutional just at the beginning of the year. So, I just want to mention one huge aspect from this experience we had back home. So, this proposal assigned the Romanian intelligence agency as the overarching information security body.
So, everything related to cybersecurity was in charge ‑‑ they were in charge. And one of the ‑‑ the first grounds for unconstitutionality which our court found was that this is a breach of state sovereignty. So, for the international relationship students here, I think this is a very interesting case. And the decision was recently translated into English, if you want to learn more about this. But besides this point on state sovereignty and the rule of law, the court also mentioned the fact that IP addresses are personal information.
So, I'm not sure if other countries have set this in a ruling, but I think we are making serious progress in here. Although the cybersecurity law case was a complete mess, and if anybody is interested in hearing more about this, I'm happy to share the experience we had. Thank you.
>> VLAD: Thank you, Valentina. Joe, you have two minutes to ‑‑ well, we're over time, but I mean, I forgot to warn them if I moderate the panel, it will last for least half an hour more. No, just two final minutes, a final reflection at the end.
>> JOE: Yes. I think that it's important to follow up on what Patrick said. This is that there are many valuable things that IGF can do, but there are some things which IGF was never designed to do. And that includes arriving, negotiating, and finalizing agreements under international law. And some agreements ‑‑ and some parts of international have to do with sovereignty. We have a question about sovereignty. And very often, what happens is at international level, sovereign governments meet, and in some instances, they actually agree to cede part of the sovereignty in return for something.
It doesn't happen easily, but it happens. And that, perhaps, is one of the things we should be looking at. Let's just remember that at this moment in time, when it comes to the internet, we have some governments and some courts which have, for their own reasons, been propagating a certain kind of story, right? And that story is, there is no such thing as cyberspace. Basically, it is not a separate space. Basically, we can apply our law to that part of cyberspace which we can reach.
And I ask you, is that right? Is that reality? Or perhaps, I use a different form of internet than these people do. That approach is taken so that they can lay some claim to extending the reach of their courts, the reach of their police and intelligence services, over that part of cyberspace. But this is why it is such a tricky discussion. Which is why not for the first time this week, I would remind people that it is not the first time that governments have to discuss difference forms of space.
Those of you who look just outside the conference center on the way home will see the sea. We needed to have many years of discussion to have an international law of the sea. And the same applies to space, and outer space. So, we're now in a funny kind of position where we don't ‑‑ not all of us use the sea, but we have a law of the sea. Not all of us fly out into space, inner space and outer space, but we have a law trying to govern it, an international law.
But everybody in the room ‑‑ more than 3 billion people worldwide ‑‑ use cyberspace. Yet some governments refuse to accept that that separate space exists. And what they are trying to discuss, and we hear some governments tell us, no, they want sovereignty over cyberspace, or over their part of cyberspace. Which is why, perhaps, so many people in the room, when asked, do you have confidence or faith in your government, nobody put their hand up.
Because ‑‑ is it sovereignty that people want, or is it the right to control their citizens, to control over that part of cyberspace? And that is a serious question which citizens are asking, and answering in their own way, by trying to get out from certain parts of cyberspace and go into other parts of cyberspace. And I think that as the discussion progresses, that certain other things will have an impact. Encryption, and pervasive encryption, is going to have a role to play.
If everybody uses encryption, then mass surveillance becomes less useful to governments. A final thought. The role of civil society, people here in the room, people outside listening to us, the different groups, right. One thing which has been a bit absent in this discussion today ‑‑ not because people are not interested, but because we haven't had time ‑‑ is actually the question of gender. The ‑‑ when you look at certain countries where women aspire to more things, but where society does not allow them a full freedom of expression, or a full freedom of movement, or a full freedom of ‑‑ I could go on with different freedoms.
Think about the extent to which the internet today is a way ‑‑ place where they liberate themselves. A place where they can express themselves. And yet at the same time, it's a place where they're exposing themselves, where they're exposing themselves to a risk, to meetings they don't want, to torture. And this is why the subject continues to be quite complex. I'm looking forward to other discussions of the sort, the triangle that we've seen, I think can generate a lot more. I thank you very much for coming here.
>> VLAD: Thank you, Joe. Maybe just to conclude with a couple of key words I picked up, I hope you did some, as well. When it comes to gaps, we had the issues about different interests, different language, different communities use, the time element, the education, perceptions, prejudice, and probably above all, trust, which is somehow interconnected to that. When it comes to ways ahead and how we can maybe bridge these, we have the education for all sides about other issues, a holistic view, the pragmatism we mentioned, being in other shoes, trying to understand other cultures and other interests and other language as well.
And framing the problems ‑‑ looking for common problems and trying to frame them so that we can cooperate better. We will have, I think, a more detailed report from the session, both with the MAPPING project and the Geneva Digital Watch, so we invite you to take a look at that. And at the end, I think, since we didn't have any cookies, snacks, and drinks here, I really think you all deserve a round of applause for staying until the end. And thanks for the panelists. Thank you.
(Applause.)
>> PANELIST: There's one thing, since Vlad mentioned the MAPPING project, for those of you who are interested, if anybody inside or outside the room would like to have a session which continues it discussion, there's a save the date which is running around. So, 31st October 2016, through the 2nd of November 2016, in Prague, there's the annual General Assembly of the MAPPING Project. If you want to get on to the agenda, if there's a workshop that you want to organize, please let us know.
The details are there on the brochures you have there, and are online, too. Just let us know. But let us know pretty quickly, because the slots are being organized just now. So we'd like to hear from you over the next week or two, and with that, I thank you once again for that shameless pitch.
>> VLAD: (Chuckling.) Thank you.
(Applause.)
(End of Session, 15:40)