14 SEPTEMBER 10
A PROPOSAL FOR SETTING A STANDARD OF CARE IN INTERNATIONAL LAW FOR CROSS-BORDER INTERNET
Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> WOLFGANG KLEINWACHTER: Ladies and gentlemen, please be seated. Welcome to this session on cross-border Internet. I welcome everybody. My name is Wolfgang Kleinwachter. I'm the Chair of the session. But we are still waiting for the Chair. This is Professor Bill Drake from the Geneva Institute for International Relations. He is chairing another session in the main hall. And he will come here within the next five, ten minutes, because there was an overlapping.
I was asked to substitute him for the beginning. I'm in my main job, I'm also a Professor for Internet policy and regulation at the University of Aarhus in Denmark. But I'm chairing this small Council of Europe committee on cross-border Internet.
So it's my pleasure to give you some opening remarks about this very important activity of the Council of Europe. We are also very pleased to have as an opening speaker here the Deputy Secretary General of the Council of Europe, Maud de Boer-Buquicchio. Thank you very much. Because it was the Council of Europe who initiated an interesting process during the last ministerial conference in Reykjavik, they adopted a resolution which enabled the bureau to create a small expert group which has the mandate to look into the possibility of the elaboration of legal industry for cross-border Internet; and as a result, a small group of five people, which includes Rolf Weber from the University of Zurich, Christian Singer from the Austrian Government, and Richard from Ireland, to start like a think tank to consider what could be the reaction to the new challenges of the Internet, in particular if it comes to cross-border Internet. And so this is work in progress. And the paper which was distributed before this workshop is the result of our discussion.
We hope with this discussion to get more input, and to develop further the idea, because this small expert committee have then to report back to the ministerial committee and to the next conference. Our mandate ends at the end of the year, and probably we will need another year to go deeper into this issue.
But for the moment and the sake of time, I would give the floor now to the Deputy Secretary General of the Council of Europe, and introduce the panelists a little later. But before we hear the speech, I was told that we will see a short video about the Council of Europe, not longer than one minute. Here comes the video now. I hope that the video comes: Freedom to Connect. That's it.
>> Council of Europe in the human rights debate.
>> MAUD DE BOER-BUQUICCHIO: Thank you very much. I hope my voice will pre-dominate over the room next door. I'm the Deputy Secretary General of the Council of Europe. I would like to present myself with my name as well. My name is Maud de Boer-Buquicchio. I'm Dutch. But I also have Italian nationality. But it doesn't matter. It is just that I'm European. And I would like to talk about the Council of Europe.
Thank you very much for your introduction which I think sets the tone for the reasons for our involvement and our action in this field.
We bring together 800 million people and 47 European countries to promote the core values of our organisation: Human rights, democracy and the rule of law. The European convention of human rights, of which we will celebrate this year the 60th anniversary, is the centerpiece of the European system of protection of human rights. And it applies equally offline and online. It applies equally to offline and online activities. For more than 60 years the council of Europe has been developing solutions and providing guidance on the protection of its core values which now also apply to Internet Governance.
The Council of Europe provides state and nonstate stakeholders with two legal standards and corporation platforms, emanation to the freedom of expression and access to information, the protection of children against abuse, and empowering them to make informed information and communication technologies, the protection of personal data and privacy, education and access to knowledge, the strengthening of security through measures against Cybercrime, and racism, the terrorist use of Internet and the counterfeiting of medicines and similar crimes that involve threats to public health. Indeed I'm proud to say the organisation has lain the ground for the governance of the Internet, some of the foundations building back more than 60 years.
We have a successful history of making international law. The Council of Europe standards are reflected to more than 200 binding treaties, and panoply of recommendations, guidelines and other soft law instruments. A number of important treaties are open to nonmember states.
A remarkable example of one of them is the convention on Cybercrime with an increasing number of ratifications and signatures. More than 100 countries in the world use the convention as a reference standard or model for shaping national laws. As we have seen, users rely on the Internet as an essential tool for the every-day activities: Communication, information, knowledge, commercial transaction, and entertainment. And they have the legitimate expectation that Internet will be running and stable, and that services offered through the Internet will be secure and reliable. They rely on governments to sustain public policy goals and Internet policies.
States do have the responsibility to guarantee the protection of fundamental rights and freedoms, in our organisation, in European Court of Human Rights, on a case specific basis, whether Council of Europe member state has complied with the requirements of European convention and human rights in discharging its responsibility to protect rights and freedoms and they are enshrined in this convention.
Our rights and freedoms should be enjoyed without interference and regardless of frontiers. Our freedom of expression and access to information can be challenged, and participation in political, social, cultural and economic life can be smattered by disconnecting people from the Internet or improper interference with the flow of content.
The good news is that these risks can be mitigated through the recognition of the need to preserve the universality and openness of the global Internet and the free and unimpeded transboundary flow of content.
States in cooperation with other actors have the responsibility to ensure that activities within the jurisdiction are controlled, do not cause damage to the connectivity, stability and security and above all openness of the Internet in other states. We believe that a rights-based approach is the best way to build greater unity across borders and to strengthen global cooperation.
Because of its core values, past achievements and its forward-looking activities, the Council of Europe is a Forum of choice for building consensus and achieving results in international cooperation.
With participation of the industry and civil society in shaping and implementing policies, it's a precondition for the exercise of their responsibilities by states. Stakeholder value, such as the one taking place in the IGF, is helping all actors to develop common views and promoting global cooperation.
The Council of Europe is a strong deliverer of multistakeholder processes in Internet Governance. We continue to support cooperation, discussions on Internet Governance, bringing together state representatives and other stakeholders in the framework of European dialogue on Internet Governance, the EuroDIG. This is the background against which the Council of Europe group of experts has been asked, as you have just mentioned, in light of the resolution of Internet Governance and critical Internet resources adopted at the ministerial conference and of development decision of the committee of ministers of the Council of Europe, to examine what should be the international law response and to the question of the preservation and reinforcement of the protection of the crossborder flow of Internet traffic, and the protection of resources which are critical for the ongoing functioning and borderless nature and integrity of the Internet.
I know that the Council of Europe expert group has dedicated a lot of thinking and analysis to these complex but highly important issues. The IGF enables a dynamic multistakeholder interaction. And I wish to all of you fruitful discussion of this topic.
Thank you very much for your attention.
>> WOLFGANG KLEINWACHTER: I thank you very much. And I'm very impressed, in particular, by the fact that the Council of Europe as an intergovernmental organisation put so much emphasis on the multistakeholder nature of the process. And so far the Council of Europe is a very good example that the member states, the governments of the Council of Europe understand that the Internet is moving forward into a new diplomatic environment, and we are a pioneer by giving a good example of the government organisations, how to move into this new territory.
Meanwhile, I have seen that our Chairman has arrived, Bill Drake, and let him know that he has to introduce the panellists. Deputy secretary of the Council of Europe we have listened to, and now....
>> WILLIAM J. DRAKE: Good morning, everyone. I'm sorry that I'm late. I was moderating the main session in the other room and ran little over time. My apologies to the Secretary-General, that I was unable to hear your comments. But I will certainly read them at my first opportunity. This is an interesting initiative.
This is a noisy room. This is like being, when we were in Tunis. (Chuckles.) It brings back memories. I guess we all, do people have headphones? I'll try and talk really loud. How about that?
This is a very interesting initiative that the Council of Europe has been engaged in. I think it is asking a lot of very important questions, and is fairly forward-looking, and of course raises a lot of issues as well that some of us would want to hear fleshed out much more fully before we proceed.
I was asked to offer a few thoughts in introducing the panel, from my own perspective of having had some interaction with the expert group and council staff around these issues over the past half year or so. I thought I would point out perhaps seven clusters of issues that I think we could consider as we go forward.
The first one has to do with Internet Governance principles. If you look at the document, the document lays out a set of core guiding principles for the Internet, which in many cases these Internet principles are not codified in any kind of international law. Indeed, many of the core principles that have guided the Internet are really more a matter of community practice, things like the Internet principle, though they might be based in ISCs, technical requirements, etcetera, but they are not international law.
Council of Europe is contemplating this expert group initiative, a list of possible principles, which you can look at in the document, and it is a question we can get our heads around here, which is: Are people comfortable with this list of principles? Do these seem like the right sorts of framework to have and particularly try to address the problems that this particular proposed agreement is speaking to, or is anything missing? Is there anything should be taken out? Is there anything that should be reworked?
The second set of questions has to do with multistakeholderism, and the Council of Europe expert group maintains the state should ensure the participation of industry and society in possible development and implementation.
Is this what the stakeholder groups expect? How do you organise that appropriately? How do you deal in particular with international institutions, where perhaps those groups may not have the full right to participate, but yet play an important role in potentially the kind of environment we are talking about?
This is again something I think we think through. A third set of questions might pertain to the responsibility of states with regard to ensuring trans-national information flows.
There are of course human rights obligations on states that have codified interalia Council of Europe and other instruments as well as pertaining to freedoms on various sites. The Council of Europe expert group maintains the rights should be guaranteed both in offline and online environment in regards to frontiers. And because citizens rely on the Internet, they have a legitimate expectation that it will always be there, reliable, and managed as a public asset for the community as a whole.
What is the role of governance in ensuring that this public asset, if that is how you view it, is continuously available, reliable and so on, to everybody? And how does that relate to the sorts of principles that were put forward in interalia in the Tunis Agenda? These are important questions. If Internet Governance were to entail a system of shared responsibilities, common global resource, how would that relate to the question of sovereignty? That is another related matter there. I think these issues have to be addressed.
A fourth set of questions have to do with international law. The group maintains international law provides concepts and models on how to instruct international cooperation on protection of critical Internet resources.
There is a question, what extent do these areas, or in which areas is international law applicable? Yesterday at the academic network meeting, we had a European international law Professor who came in and said that in fact, there are no effective international requirements concerning cyber text and how these are managed. Others I talk to have different views.
Clearly, there are some questions here as to what the existing laws are, and also how, on what basis one may construct further laws. In particular, the council group has talked about the notion of equitable and reasonable use of critical resources tied to the notion of states having to ensure that the property who is using the Internet does not incur on the others. Much of the challenge there is much of the Internet is privately held.
What obligations might pertain to privately held infrastructure, is an important question. What responsibilities can you reasonably expect states to take on with regard to the use of private infrastructures? And what constitutes harm? And so on; there is a whole bunch of questions there.
The interesting concept paper they did for the EuroDIG meeting tried to base some of the thinking in this international environmental law and how it manages pollution, the responsibility of pollution. There is perhaps some basis there for thinking about these questions.
International telecommunications law has long-standing permissions on mutual responsibility to maintain a nation state's facilities in working condition, to ensure that mutual agreement is there in launching interconnection and transnational services. All these questions have to be taken up.
Fifth, there is the question of how mutual responsibilities might work. What mechanisms and monetary enforcement and conflict resolution would be appropriate? How do you establish these principles with the international level without entailing significant expansion of state surveillance? Because if states are increasingly going to be liable for or at least responsible in some relative if not legal manner for what goes on within the boundaries that may affect other countries, how would they then go about ensuring that nothing goes amiss? Would that involve greater surveillance?
How does that fit with the freedoms you wish to protect? How do we deal with new forms of international cooperation, computer response teams, for example, operating on the basis of trust relationships built up in the Internet community over many years.
Council of Europe's groups suggests states can commit to developing international law in this area, and if there is a question there as to what would be sensible, if that is so.
Finally, I guess there is a question about politics, and the capacity of states engaged in this kind of activity, particularly if we are thinking of something that would go beyond just membership by members in Council of Europe. Is it likely, for example, that the United States and other nonContinental democracies would sign on to such an effort, which might not fit with their own legal and political traditions in every manner? It might entail some opposition from salient political groups.
Is it reasonable similarly to expect developing countries to meet the sort of requirements envisioned in this kind of approach? These are all questions that we talked about at the ICANN meeting and other times as being relevant here, and worth considering as we go forward with this solution.
To deal with this, we have an interesting panel that the council put together, and that will speak for five to ten minutes each on different aspects of the initiative.
First will be Rolf Weber, Professor at University of Zurich, visiting Professor at the University of Hong Kong, and who does work on international legal aspects of the Internet. He will address basics of the Council of Europe proposal and some of the relevant international cooperative. I'll introduce the other speakers as we go. Let's start with Rolf Weber.
>> ROLF WEBER: Thank you very much. My function is to give a short overview of a document which has been lifted out by the expert group and member of this expert group, a couple of things have already decide and luckily I can speak and don't have to repeat.
On the one hand, the adoption has been explained by the establishment of a couple of key principles. I don't know whether we can get the respective slides. Slide number 2, please. I think I'm not running through all the principles, because these principles are indeed well-known in the community of Council of Europe: Human rights of course and security and stability around fair allocation of resources, etcetera.
I'd like to turn to the key work which has been done by the expert group to better meet secretarial and thereby we have elaborate a couple channel principles, and obviously cooperation in respect of taking reasonable efforts to prevent disruption and interference with this ability. Then cooperation could phase in respect of the continuing cross-border Internet traffic.
As far as the specific topics are concerned, we have identified four chapters so to speak; on the one hand, protection of critical Internet resources relative internally, trans-national management of Internet resources, which is in the public interest, third aspect, prevention of cyber attacks and fourth, crossborder flow of traffic.
Let me turn to the first aspect. In this context, the context of critical Internet resources, we are proposing that states should exchange relevant information, engage in consultation, with a view to reaching mutual solution regarding to matters, to respond to technical failures, which can happen, or disruption of this ability. At the top of that we also think this cooperation obligation should be enlarged to emergency situations and incident response policies.
Very generally, there must be some kind of common understanding, and there is a need to establish standards, policies, procedures which will preserve and strengthen this ability and security as well as resilience of the Internet.
A second chapter which I address in the paper concerns the traditional management of critical resources. Again, standards are needed, policies, procedures in particular to the fact that material functions are primarily assumed by the private sector and the actor who does not think this principle should be changed. Nevertheless, some general guidelines which would help to observe human rights and fundamental freedoms seem to be necessary. So development of standards in public areas is a further topic which should be addressed in more detail.
As far as these assignments are concerned, the experts have mentioned already principles of international law, such as fair and equitable allocation of resources. Think of Internet protocols. These principles, are fair and equitable allocation of resources enough, something completely new. We know it, for example, from the outer space GT, and we have to see how we develop these principles into the direction of reasonable framework for Internet Governance.
A third chapter concerns the protection of crossborder flow of Internet traffic. So activities should be taken within the respective positions of the national states in order not to have any impediments for the crossborder flow of Internet content. And furthermore, it would make sense to introduce some kind of information or notification system, if there are any impediments to the crossborder flow of traffic of information.
We know, for example, such kind of classification system from GWTO regime and eventually a reality possible here.
Obviously, openness have to be preserved.
Finally, the fourth chapter is probably the most difficult one: The prevention of response to cyber attacks. So what measures could be taken to prevent Internet users' involvement in cyber attacks and other forms of malicious use of Internet state? Responsibility would have to be assumed, if the leaders or enterprises would engage in such kind of activities. So we talk about indirect effects of human rights. We of course also talk about sovereignty. I'm of the firm opinion that we are not any more living on a treaty. Sovereignty has to be assert in a different way.
Finally we need to address liability issues; if the state does not comply with such kind of obligations, what kind of liability could be imposed on such a state. And I'm very clear on this point. It is a politically extremely sensitive item. However, again, we do have similar provisions in other international treaties, mainly in the environment field, such as treaty on hazardous waste and similar treaties.
So why not try to implement some principles having been applied in other fields also in the area of Internet Governance.
Thank you very much.
>> WILLIAM J. DRAKE: Thank you very much, Rolf. The loudest I've ever heard him speak. I'm impressed and hope our other speakers can achieve a similar volume level, as apparently we are on competitive loudness environments here.
Crossborder implications, we should feel free to move to the other rooms without concern of liability or anything else. It's all agreed.
So now we move to our next speaker who is Maeve Dion. Maeve achieved her doctorate in law, preparedness response and accountability issues. Maeve is a consultant to Cooperative Cyber Defense Centre of Excellence, Centre for Infrastructure Protection and Homeland Security at George Mason University in Virginia in United States, so my home neighborhood. Maeve, take it away.
>> MAEVE DION: Thanks very much. Thanks for the invitation to speak here. I think it's important we use multistate environment to understand perspective of each of us. So let me first mention, obviously with the introduction, you can see that a lot of my background is in defense, national security, intelligence. I do not come to this conversation from a human rights perspective, but a slightly different approach.
What would be interesting at the end of my comments, I have a few concluding remarks from a series of workshops we have, and where we set up rules similar to the principles that have been elaborated here, and from that perspective of defense and national security, at least four of them almost exact with four of the principles here, which is a very interesting finding.
With this background, you deal with critical infrastructure and information infrastructure and the investment security. So are we -- open Government laws are important. Again, there is a similarity of information. The security issues are very similar. So I think we find a lot in common.
In the world I come from, when we say state responsibility, which is another way of dealing with crossborder care, there are traditionally two camps. We have military camps and criminal law camps.
And you have, you must therefore ask the question, state responsibility for what? In the international law realm, the phrase "state responsibility" has a pretty well-defined terminology. And you are dealing with state actors, nonstate actors. And you are addressing, if you are concerned about national responsibility, you are concerned about what level of control the country may have over those nonstate actors.
And those types of things have been dealt with in international criminal courts, tribunals and things like that. We have various definitions in that realm. It is not restricted to specific types of activities. So when you say state responsibility for what, we are talking war crimes, taking of property, human rights abuses to some degree.
Then we also have cyber crimes, state responsibility for setting up an enforceable legal network within your own country, for having good cooperation with other countries, when they need to investigate. There is a state responsibility to establish.
In some of the work I do, we are looking at legal relationships that don't necessary exist. That is why we said in the introduction we have trust relationships amongst the operators, among emergency responders, among the CERTs, which may or may not be governmental entities in different countries, but we don't necessarily have legal relationships. We are in governments that are hierarchical by nature. But we are in an incident response environment, with an information infrastructure that is flat.
How does that work? We are a bunch of lawyers. We have to deal with these rules somehow. I agree with Rolf that it's very important to set up these types of frameworks, start talking about this early. In the draft of the paper you will see comments that the conversations on liability is something that is encouraged to all of these countries. But a lot of countries aren't quite there yet, or internationally we are not quite there yet. I'm encouraging everyone to start getting there, because we need to get there soon.
What am I talking about, legal relationships? There is no agreement that we have any type of effective, efficient or enforceable legal relationships, to have concrete obligations to assist, liabilities for failure to assist, minimum cyber-security standards, to have your capabilities, coordinated global watch and warning, minimum cyber incident response capabilities within a country. Coordinated multinational incident response: What type of coordination is there, any type of legal relationships that need to be managed for them, and post-incident accountant, damages, liability discussion.
The existing approaches of under attack in crime aren't necessarily covering all our boundaries when we talk about national security. National security can fit a lot of other areas that lawyers needs to be concerned about before you reach those thresholds of crime and national security.
I would encourage an approach from my previous career in infrastructure protection. Think of three realms: Preparedness in prevention, incident response and post-incident liability. There is lots of different types of legal regimes in there, legal relationships that would be encouraged. One of the reasons for that type of approach, you don't need to know at the onset what is causing it. You don't need to necessarily know that if this incident is occurring, that it's being caused, it's an actual attack versus an accident.
You have very similar incident response and legal relationships for incident response that don't necessarily have to define who is causing it as the first question. You don't have a lot of attribution problems to begin with.
Briefly, I don't have any recommended solutions to this working group or ideas yet. I'm beginning my doctoral work. But I would add to the earlier comments on environmental pollution law and international law. In that realm, obviously international law, in traditional definitions of national security, we can look at help response, pandemics, when we have regional health issues or threats of regional or global health issues, maritime piracy, when there is an inefficient or nonexistent legal structure in a certain geographical area that is affecting either the economy or the traffic around it of other countries. Then there can be some sort of legal framework or legal relationships set up that allows those other countries to manage or police that area where the problem is.
Then natural disasters would be another area to look at international regional response and incident response management for that one. My background is different from this, from this approach, in that critical Internet resources is something that we look at when we say the Internet is a vector, an avenue attack, not just a target or asset of attack. It is also therefore important to national security to be dealing with the state responsibility of incidents via infrastructure under the country's national control. It is not necessarily threatening critical Internet resources. It could be threatening other national assets within a country, via those Internet resources.
My approach might be a little different on that. But to get to the four points, we have been dealing with a lot of things with various countries, national defense forces, working groups within NATO. And we are doing rule sets, rather than principles. But it is a similar concept.
Rule one, each nation should be responsible -- and this is working rules, so again, all comments are more than welcome -- each nation should be responsible for developing laws to ensure the security and resilience of the information infrastructure within its national control. There are a lot of similarities to the working group's document here.
No nation shall knowingly allow the information infrastructure subject to its control to be used to conduct information operations against another nation. Again we have a lexicon, information, operation, cyber incidents, things like that. But it's a similar rule set.
There should be a duty to mitigate. That was also another similar one. That was a duty to assist another country. If there is an incident going through one country's network, that country has a duty to assist another country, if that incident is threatening their national security.
One rule that is slightly different, and it's probably the most controversial one since this working group has been discussing this rule set -- and a bunch of lawyers in the room, I throw this out for conversation and discussion -- the fact that an information operation is using information infrastructure within subject to a nation's control is prima facie evidence that the nation knows of the use and is responsible for that information operation. You are setting up presumption. You are saying if you accept this rule, you consider there is information operation going on against another country; if it's using infrastructure of another country, that country is responsible for that prima facie evidence.
That has been the most controversial. We have to start somewhere in this discussion. So there are similarities coming from different approaches.
I would say in my comments to the working group, concluding comment, I enjoyed meeting you, and I would encourage this group and all the other groups, including the group I'm working on, we are working on language, lexicon. We have big long sentences, and they are very complex, and they are overlapping. As clear as we can get them, the more likely they are going to be adopted and enforced. So working on the clarity of the lexicon, and also possibly addressing the complexity of threat and risk. It is the threat of these incidents that we need to be responding to as well.
We are thinking about preparedness and response. It is not just when an incident is happening. And what one country thinks of as a threat may not be what other countries define as threats. We have some sort of agreement in this lexicon. There is a responsibility to help mitigate, I and this country need to recognize what I call a threat is not necessarily what another country would call a threat. I still may need to have some sort of responsibility to help them.
>> WILLIAM J. DRAKE: Thank you very much, Maeve. Very interesting presentation. I have to say in governance, Internet Governance, we like complicated sentences and obscure language.
Our next speaker is Shane Tews. Shane is Vice President for Global Public Policy and Government Relations for VeriSign, and represents Government security relations internationally, which must be interesting. Previously, she was involved in many things in Washington, in Caucus Advisory Council, Information Technology Industry Council and so on. She's worked in congress as legislative director and in the first Bush administration as assistant to the transportation secretary, later in the White House. She has a very diverse and interesting background to bring to bear in Internet Governance. Where am I looking?
>> SHANE TEWS: Thank you very much. First of all I'd like to thank the Council of Europe. The work you did on the prevention of Cybercrime was spot on. A lot of what I spend my time doing is on the practical application side: How do we effectively implement the work this group has done?
Where I find myself in my job a lot of times is between the lawyers, cops and policymakers. What I've been trying to do is make them talk to each other at a level where they can actually start to implement a lot of what has been previously discussed, which is if it's illegal offline, how do I make it illegal online in the right setting and allow it to be prosecuted? It has been interesting. One of the first things I did is enlist somebody who speaks Spanish and Portuguese, because I tease my cops that they only talk to people who speak English and not all crimes are done in just English-speaking countries.
We have been going to Latin America, Central America. We have our second Forum here in Europe October 6. So we are working to get policymakers and the legal set, which I call the cops, guys with guns and badges, to dialogue with each other and talk about the digital forensics they need, to get to the next level where they can start to prosecute the crimes, not only locally but cross-borders, and find the best practices.
So we can hopefully get up to the top the few things we may need to change in international law, or maybe some complete overhaul that we need to do in not just only local jurisdictions but in regions.
We have been having good success. A lot of it is from prior relationships. People didn't know each other. They didn't need to know each other. So getting them to understand who they need to talk to, having success, is that success something that can be emulated beyond the borders of Spain or Brazil or United States, is very important. Work with VeriSign, dot-com, dot net, a lot of it gets back to us. A lot of people who talk to me, I know we have activities happening on this domain, we want you to take it down. But the problem is, as my technical guys call it, that is the whack-a-mole way of handling it. As soon as you take one domain name down, it's back up under a different domain name.
If they are one of the smarter ones, they are going to go to something that has a jurisdiction, where they know they are not going to be bothered.
We are trying not to just catch dumb ones. We want to catch the clever ones. It is the beginning of the process for us. The dialogue has been healthy. We hope to have best practices in the next several months we can start to share with our organisations, and along with the Council of Europe, so we can start to make the Internet a place that is safe for everyone.
I always have a concern, that we have seen the best of the Internet. I love it. I use it all the time. We all obviously appreciate its value because we are here. I want to make sure we do what we need to, to prolong that into the next ten, 20, 30 years, rather than seeing laws retract what we are able to do online currently.
We are doing our best to make this actually all function and make sure the convention in Cybercrime gets implemented where we can.
>> WILLIAM J. DRAKE: Thank you very much, Shane.
Now, this is the second time in two days, I moderated in a session, where I get to introduce Everton Lucero, old friend, science technology environment, embassy of Brazil in Washington, D.C.; he has been with the Brazilian foreign services since 1992, executive coordinator of the IGF, Brazil's representative to ICANN's Government Advisory Committee from 2006 to 2009, and served as the Vice Chair in 2008, 2009. And he's also recently concluded a thesis, which we talked about yesterday.
He has interesting perspectives on this topic, I'm sure. Over to you.
>> EVERTON LUCERO: Thank you very much, Bill. The purpose of my presentation here, I believe, is to add a diplomatic perspective, as I have a diplomatic background. So what is expected from diplomats in this debate? We I believe may add value to creating and facilitating the environment to the political environment to produce results that are desired to tackle a common problem.
That is basically the idea that we have in mind. I will start then, having that in mind, with some remarks.
First, I think that it is an uncontestable that networks are vulnerable. With the migration of social, commercial, governmental, economic, cultural and so many other ways of transactions and interactions to network space, it is in fact our civilization that is vulnerable too.
So it brings us to a point that we should consider whether we are not now facing a moral imperative that we as a civilization should act together to reduce such a vulnerability, of course, against the threats that have been mentioned to the continuity, stability and security of all this infrastructure, interconnected infrastructure that we have.
I have two basic ideas to bring to you. These are not completed ideas, because we believe that in this informal exchange, we are supposed to propose a base and participate, and I will be glad to be contested and to have reactions to that, and this is the purpose. So please do not take that as an elaborated thought but just as an initial presentation.
First thing, one thing that I think is also a common ground for us is that the Internet is global, and should remain, should be kept as such. It has international borders for the Internet in its technological aspects. National jurisdictions are irrelevant. However, the international legal system is a system among nations. It is a development, I could say is a second class phenomenon of a world of nations based on the notion of nation states. That is defined by sovereignty within territorial borders. The notion of sovereignty and territorial borders is actually ortological to the very concept of the nation state, and to the national legal system which is created by those states.
So how will this structure, which is different from the one I described first, and the way that Internet technologically was built, how this structure will respond to these threats and to this situation that we have? I believe that there is the need for us to clearly reconcile what is need to do, what is needed to do on a global level. It is up to now, after all the length of the debates that we have and now at the IGF, I think the most important thing is that we keep around some key principles and put them into action, that we do not restrict participation on the grounds of membership or regions or mechanisms, that we put multistakeholderism into action, that we be inclusive and open to participation from all.
And the work around basic principles is I believe the first step to further develop this notion, and create the political conditions that I referred in the beginning.
So I was very glad to see on the paper that was distributed, that because we are working to develop to propose the idea of such principles, because we in Brazil have had our own experience at the international level, and we have in fact something that we are going to be receiving during this conference, is a publication, a very short brochure prepared by our National Steering Committee, CGI, listing ten in our case, ten, not 12, but ten principles for the governance and use of the Internet which are actually not law. They are not turned into the legal system. But they are principles that have been observed by the different stakeholders in the country.
And what is most important, these principles, they were developed within our own multistakeholder environment. That is how the Internet Steering Committee in Brazil is structured.
It is also very important to say that as we have done our own thinking about it in Brazil, and the Council of Europe has done that, and as Mike Jones said, they were also doing that work, that there is such a coincidence, in our case, eight of the principles that are included in the Council of Europe's paper are essentially the same as eight of our own principles.
Of course, there is a difference of language. Of course, we have to work on the lexicon as well. But I believe that the ideas, whenever you have an environment that is inclusive, open, not a stakeholder, the ideas will come up and they will be the same. So there is room for us to keep working on that. I think that is a very positive way of proceeding.
The last comment I'd like to make is the Council of Europe's work, since this has been promoted by the Council of Europe. I think the Council of Europe has shown an outstanding work, an excellent contribution to international normatization by preparing so many international treaties and by having the means to get there, the negotiating means to reach conclusions.
And now, the question that I pose is that within its membership, is the peer membership, is the Council of Europe able to go further and develop rules that to be effective need to have global acceptance? I think this is a question that really needs to be considered deeply, before engaging in a more legislative work, because if the intention is to have something global, we need to have a global discussion.
Presently, what happens is that we do not have such a system. We do not have an environment besides the IGF, but the IGF is not a negotiating body. We do not have an environment that is truly global and multistate, global in which we are able to discuss this very important issues. So the matter of institution, normatization, of the mechanism to proceed with that is the key one in my view.
Traditional law-making processes are not responding satisfactorily to these challenges. That is true. That is a reality. When they didn't ask why the cyber convention has not reached such a level of acceptance worldwide as we would have wished so, or as the Council of Europe would have wished so, perhaps because most of the key players in this area would prefer, would have preferred to be part of negotiating process, since they won, instead of receiving something that is already developed -- it is an excellent contribution -- but instead focus on the needs of the membership of the Council of Europe.
So, just to conclude, I believe that we have to engage in an effort of coordination, of harmonization, of finding common denominators, and working around principles is a good start. And we need above all to agree on procedures at global level that will take us further on that path. That is the contribution that I would like to make initially. There are some other comments I would like to make as the discussion proceeds.
Thank you very much.
>> WILLIAM J. DRAKE: Thank you very much for that. It is my pleasure for the second time today to introduce Hong Xue, Professor of Law and Director of the Institute for Internet policy and law at Beijing Normal University, specialist in intellectual property law, used to teach at the university; she is chair in ICANN and also member of the large community in ICANN, various other hats she wears in ICANN as well, and chair of the council of the Chinese User Alliance and Chinese Domain Name Consortium, among other things.
>> HONG XUE: Thanks. It is challenging; I cannot speak as loudly as the others did. My voice does not allow me to do that, so I do as well as I could. If you do not hear, raise your hand. I manage to yell.
I don't know, as Mr. Lucero said, even though this is initiative that is being done by the Council of Europe, the way to think about, it could have a global acceptance, because this is truly great and important for the governance of Internet.
We are talking about international law. For the people who have been studying, researching and practicing laws, the most striking facts is the absence of international law specifically on the governance of Internet issues. Internet is actually defining a life and going to define our future, with appropriate international legal framework is going to be challenging to the future of human being. I do agree such a great initiative is being done by the Council of Europe, and the topic has been assigned to me, ICANN international law. It is an interesting topic.
International law, the definition, is the law between sovereign states, an agreement reached between the sovereign states. ICANN is quite extraordinary. It is not an intergovernmental organisation. It is not an IGO. It is not a treaty organisation. It is actually registered in California in United States, and under California law as a nonprofit organisation.
According to international law or law in United States, it is an NGO, not an IGO. How to frame this NGO into the international legal system is a new issue, even for international lawyers, for international lawyering. I chose to take this challenging task and map ICANN in the international legal system.
ICANN, beginning of ICANN, before going to Internet arena, we think about -- sorry, I don't mean ICANN in China; ICANN is currently registered in United States, California. So legally United States Government can actually regulate ICANN if they wish. So the domestic regulation of ICANN is possible, and actually is acting on some specific issues in these years. That is, the regulation means a kind of upside down approach to traditional regulation.
On the other hand, we also see a sort of white paper reform to produce such ICANNs unique, to cheat the purpose of prioritization. I know the word is inappropriate. The United States Government can privatize ICANN it seems on access of critical Internet resources, but such privatization is intended to create a kind of self-regulation. The Professor strongly criticized the self-regulation of ICANN and is really not possible for such a public policy, such an organisation to be self-regulating.
So we didn't have a perspective to real ICANN regulation. It is co-regulation. This has become quite trendy definition. The co-regulation is different from the upside down regulation, and the self-regulation, kind of middle way. We see a commitment, the AOC, a contractual arrangement between the Government and between private sector, the interesting model. These three regulatory models within the United States, where ICANN is located, and then look at internationally. It seems that it's not possible to map some kind of regulatory model internationally at all. Think about self-regulation, purely by ICANN, on this global network, to have global impact to in fact the key interest of all of us, is quite -- strong voices have been shown to bring ICANN within the framework, so self-regulation is not visible at the moment. Then how about regulation or co-regulation, through the global Government? There is no global central Government at all. It is different.
Now I think about the very new phenomenon of the global regime, the CCTO governments, the member states in United Nations. So it is going to be a kind of regulation to ICANN through sovereign states Government. It will be tremendously complicated and conflict with each other. Think about Russia, China, United States, co-regulate with ICANN. How can ICANN handle its own 250 governments of sovereign states, regions, economies, and specialties. So it is more, what can we do, what would be our approach?
I think of two approach. You can enlighten me to do more. One is make it internationally binding. ICANN has made public commitment announcement, statement that it will be observing any international law. I find very clear statement. It is very interesting. Assume ICANN state that it will observe any pertinent international law, even though there is no specific law, management on critical Internet resources.
So if such a law could be composed and come into effect, and ICANN of course will comply with that. The issue is the complexity to draft, negotiate and implement such international law. But it will take very very long time.
I think about the second option. The second option is kind of international soft law. The idea has been existing in the international law arena for a couple of years.
It is a kind of nonbinding guidelines, principles, jointly accepted, recognized by the people involved, and in the Internet Governance scenario, it means strongly accepted, recognized, followed by stakeholder groups. COE initiative could develop into an international soft law. There would be an interesting thing to follow and observe further.
That is what I want to say.
>> WILLIAM J. DRAKE: Thank you very much. I appreciate your comments. I'm a great fan of soft law. I think Internet Governance, it plays a really important role as do other nonlegally binding arrangements that help to serve as a focal point for collective energies and expectations.
I'm told that we have a discussant that I didn't know there would be. I'm happy to say it's George Sadowsky. George, in order to -- I Googled him and found he is even in wikipedia. That is how famous he is. He is a member of the ICANN Board of Directors. I'm sure he can tell you how great regulation of ICANN will be.
And he's done many things in his career, interalia, he ran the global Internet policy initiative for many years, which played a very important role in helping developing transitional countries to get on the Internet. So it was very useful thing. George, the pleasures of ICANN regulation and all other matters that strike you as worth saying. Over to you.
>> GEORGE SADOWSKY: Thank you very much. I'm not going to talk about ICANN regulation for obvious reasons. First of all, I'd like to say that I am a member of the board, but all of the opinions I'm going to express are my own. They may be shared or not shared by the organisations or people.
The second thing I'd like to say is I am not a lawyer. Looking at these documents, and having the role of a discussant, in U.S. academic life, the role of a discussant in academic conventions is to tear the people who wrote the papers and enhance one's own reputation by doing so. I don't intend to do that. In fact, I can't do it with this paper.
I'm also looking at two papers. One is the paper that is distributed. And the other is I think an equally interesting paper, given the EuroDIG conference in Madrid April 28 and 29, workshop number 6; and you ought to look at this, as it's equally interesting if not more interesting.
From a more technical point of view, not a legal point of view, I read this paper, and the more I read section one, the more I like it. I said this is a good goal. This is a really good goal, and so on.
It's a normative paper. It is a refreshing paper in the following sense: That the organisation starts with goals. What do we want to achieve? Then it moves on to responsibilities. Who is responsible or who are the organisations responsible for achieving those goals? Finally, unfortunately it stops there, but the third part of this is the action. How do we implement? What are the actions that need to be taken? It reminds me a little bit of when I was studying mathematics as an undergraduate. Occasionally in mathematics text, you will see a theorem on mathematical truths supposedly stated, and then the words, "the proof is left to the reader." Here the implementation is left to the reader or the state.
The only problem is some mathematical proofs have taken several hundred years to achieve. I hope we don't take that long with respect to some of these principles.
In 1994, at the ISOC conference in Prague, George Cirrous was the speaker, and he asked the question, he said: How many connections into the former Soviet Union do I have to support, so that we can be assured that information will, the information flow will never be broken between the rest of the world and the Soviet Union?
That is a rhetorical question. But it clearly illustrates the purpose of the goals of this paper, that the Internet is so important for freedom of expression, both for freedom of expression, by the way, because anybody can be an instant publisher, and for freedom of retrieval of content, that is anywhere on the Web.
So it's a terribly important thing that we are looking at here, in codification of principles, which I think we would all agree, or perhaps because I'm not a lawyer, and the codification of the international law. So we know that the Internet is a revolutionary tool with respect to freedom of expression. That is why it's essential to make it available, accessible and affordable, and as well as making sure communications are private and the information on it remains confidential.
I have some disappointment with the paper, in that there was no indication that the state had a responsibility with respect to its telecommunication policy and its competition policy, that would allow it or that would require it or encourage it to make sure that the Telecom policies, the Internet policies, were such that availability and accessibility and affordability did exist in the country.
I have a couple of concerns with respect to the document. There are two points, just to illustrate them. The issue of network neutrality is brought up as a good thing; and in fact it is, if we only knew what it was and had a common definition for it. It also, however, the section also has in parentheses the end-to-end principle with that. The end-to-end principle has very little to do with network neutrality.
One of my colleagues, David Crocker makes a distinction that I think is useful in this respect. He says while the network neutrality is a combination of things, and it's useful to think of participant neutrality as well as service neutrality. Participant neutrality means that I as a person and anybody else here in the room as a person can expect to get the same kind of service, the same kind of response, that is one participant in the network, whether they are a producer of information or a consumer of information, are treated similarly.
Service neutrality is a different thing. Service neutrality is often what is referred to as network neutrality, and it means all are equal and treated equally on the network. The problem with service neutrality, of course, is that you cannot then define differential equalities of service. And if you intend to treat videoconferencing with the same priority as electronic mail, you end up with a really terrible videoconference. You get jittery. You get delay, so on. So there is a conflict there between what we might think of as network neutrality and good Internet service.
The second point was point 9, bridging the digital divide, which is always a good thing, isn't it? I think the digital divide is essentially a political term, and I think it's developmentally misleading. It comes from a static state of the distribution of technology and the ability of people to make use of it.
If you look at a dynamic view of the digital divide, what you find, is if you consider some kind of distribution of knowledge from the most informed to the least informed, over time that is going to shift. And in fact, bringing new technology to people who don't have much of it is likely to increase the digital divide.
That was a point made more eloquently by my colleague Michael who is working on making Government data available in developing countries. If you make data available, those who are most ready to take advantage of it, that is the people who are on the good side of the digital divide, if something like that exists, are going to take it and run with it and do good things; whereas, the people who don't have computers have no way of using it. So for the moment, you have an increase in the digital divide in the static sense, but in the dynamic view, what you have is...
I think that is me.
In the dynamic view, you have a progression, an increase in the capability of the entire country to use intellectual products, computer-based and network-based products. And then you have the possibility of helping both ends of the divide, and increasing the welfare of the country.
Now, what I think this indicates, there is some other examples like this also, and I think what it indicates is that while there was a really good understanding of the issues and the problems and the goals in this paper, and there are really good legal skills that have been used, there might not be enough technical input, that the contributions of the technical community might be able to help sharpen some of the arguments, some of the goals and some of the methods, and some of the views, some of the ways in which these issues are viewed.
And I suggest maybe the Council of Europe could benefit from some increased technical interaction with the technical community, such as the OECD has done in setting up its technical task force six months ago
Those are the end of my comments. Thank you.
>> WILLIAM J. DRAKE: Thank you very much, George. Very interesting comments. I would echo your last point, and add a consultation would be needed for this kind of activity, not only technical community, but certainly society, business, and governments as well.
So we have now heard from all of our panellists, and our speaker. We can throw it open to the floor. Generally, I would say that the views we have heard so far have been fairly positively inclined towards this initiative.
But I would welcome as well people who perhaps have other ways of viewing this set of issues.
With multiple people raising their hand, I'm going to spin around. Say who you are, first.
>> Hello, everybody. My name is Vito. I work for the Ministry of Defense in Lithuania, involved in our cyber-security self-defense, the Lithuanian contact with NATO for cyber-security. This past summer we signed an agreement with NATO for cooperation in cyber defense.
We also are sponsoring a nation of the Estonian Centre of Excellence as well.
I read this document for the first time today. So I really can't go into any deep comments. But I would just like to think about the context of this document. What is the end result that we wish to achieve, which I think is a very good endeavor. But we have already had two important incidents to reflect on and perhaps this document can address.
For example, how will the event that took place in Estonia in 2007, where for a few hours the whole country was disconnected from the Internet, will this document do something to address that issue?
We had another lesson learned in 2008, where a cyber war was undertaken in a conventional attack against Georgia. Will this document address some of the lessons learned from that, so we don't have another incident?
Also context is many of nation's militaries are created cyber defense forces, cyber commands. There is talk in the literature of a cold war, arms race type in the area of cyber. Will this document do something to address those issues? And I hope that the ad Hoc group will be aware of these things, and I just wish them very well in their endeavors. But we have to think about, I think, the context is changing every day.
And thank you very much for your attention.
>> WILLIAM J. DRAKE: Thank you very much. When people ask questions, it would be helpful also if you name them to a particular panelist to indicate that. I'm going to assume the way that was framed that Rolf, being a member of the expert group, should take it on. So Rolf?
>> ROLF WEBER: Thank you very much for the question.
Indeed, in the expert group, we discussed the Georgia case, and a few references in more liberated report which we have presented at Madrid. However, we do think that if you would like to come to a final document, we should not particularly relate to specific cases, of course, specifics, specific serious cases in a relatively short document. But if you, for example, look at this action on cyber attacks, somehow behind the wording of some general intended state obligations, you could also find the Georgia and Estonia case.
But I'm happy to go further into the details maybe bilaterally after the session.
>> WILLIAM J. DRAKE: Thank you, Rolf. Can I ask, I'm unclear on something relating to the document. So in the case of cyber attack, let's say a pimply-faced teenager sitting in a garage somewhere writes some malware, and it goes out across national frontiers. Is it the concept that the Government in whose country this teenager lives is responsible? And would have an affirmative obligation to have somehow prevented this? And if so, how would you do that without massively expanding surveillance? I never quite understood this dimension. This is a point. Perhaps you can explain it to me.
>> ROLF WEBER: Obviously I cannot say yes or no, because a state obligation cannot mean that any kind of loading of malware could be avoided in a specific state.
But indeed, we say that more attention should be paid to the problems in this respect, that states should of course be aware, educate civil society, exchange information in order to avoid such incidents. If you go to the far end, as you correctly say, we would of course have a problem with human rights, because very very strict surveillance would interfere with fundamental rights. And therefore, I do not think that I can give a no. As far as somehow general awareness, general education is concerned, I would say yes.
>> WILLIAM J. DRAKE: Yes, the state is responsible for the pimply-faced teenager.
>> ROLF WEBER: No, I did not say yes. I state we should do everything which could eventually make it more difficult for members of civil society, for teenagers to use this kind of malware, which could have a negative effect on crossborder traffic of information.
>> WILLIAM J. DRAKE: Okay. Maeve, you want to get on? I see several people have their hands up. Don't worry, we have lots of time. I'd like to stick on that particular point for a moment.
>> MAEVE DION: The two questions together tie on to George's comments earlier too. First of all, you say is the state responsible? Assuming it's the state where the garage is located. But this attack, assuming we know it's an attack when it's happening, rather than an accident or anything else, that is very likely going through infrastructure of other countries as well. There is discussion in this paper, that talks about responsibility for observing this traffic, and taking activities to mitigate harmful traffic.
But it's very difficult from a network point of view to know what is bad and what is good unless you are talking about massive dot Nets. So getting the technical operators in on this, the white paper, is important too, because if there is a country sitting there and saying we are being hurt, and then you can start tracking back the traffic, and seeing what is hurting that country.
Then you can start saying which country is responsible for what here, to help mitigate or help lessen the activity. It may not be the country where the garage is located that is the country that needs to take the biggest step.
Talking as lawyers, talking about the lowest cost avoider, least cost avoider, who can take the best activity quickest without a lot of other collateral damage, because if you take, what about a country that takes activity to stop this one harmful thing, but then there is liability because that activity also happens to do harm to some other entity, whether it's a private sector entity within a country, or it's another country itself? This is where the definitions and our lexicons are very important when we say responsibility; for what? What do we define as an incident that could do harm? What is harm? Is economic harm what we are talking about? Are we talking about harm to critical infrastructures? Are we talking about harm to people?
It's very important that when we have a working group like this, and all the other working groups that are doing this, they are staying within the mandate of the organisation. We have the defense people doing defense, and we have human rights people doing human rights. We are seeing a lot of cross-pollination of these issues. But a lot of the questions need to be discussed in multistakeholder environments because seeing that cross-pollination is what is going to help inform policymakers.
>> WILLIAM J. DRAKE: So we track this, no matter where it's coming from. I'm going to come over here. First, Hong Xue.
>> HONG XUE: I remember when I review this document, and saw the draft, I raise two issues. One is a kind of no harm principle. Another one is CIA should be managed as a global public, as a right. With respect to this gentleman's great point, with respect to cyber law, cyber attack, Cybercrime, this document specifically may not be the very right form for that, for United Nation. There is a possibility of international convention on cyber attack, Cybercrime. We may not like to have duplication of international fora to distract attention on this critical issue.
But of course, this document can address the principles, even though we do not go to the specific details, as Rolf mentioned. But we can set up the principles on this. Especially, the no harm principle, that is one country should not utilize the critically infrastructure of the Internet to do harm to the other countries or regions. That is a very important principle that can be established here.
The draft is still here. Another point is that the critical Internet resources should be managed as a public asset, public assets of international community as a whole. I suggest to add, as a whole. The original wording is just as a public assets. Some countries actually are going to pass a bill to label as a public assets, very possibly within that country. That is very dangerous. So I do believe these principles could serve a great purpose.
>> WILLIAM J. DRAKE: Thank you. You had your hand up.
>> Thank you. My name is Yan, from DiploFoundation. First of all, I would like to congratulate Council of Europe for initiating this discussion. And I express my concern. When I received the paper, I tried to quantify potential consequences of the paper, and we came to the number 33,856 potential court cases in front of International Court of Justice.
If you are in the country, if you make one move, you have to think what can be fourth and fifth move. I think this paper potentially could force us to close the Rubicon. If you move to international public law, international public law has a relatively clear principles.
The cornerstone of this is a case in Barcelona, court cases in front of the International Court of Justice, which introduce principle of so-called legal carrier of responsibility. And it's very simple. Whatever comes from territory of your country, state is responsible, regardless its intention. It is responsible by the fact that the attack or environmental harm that will introduce in environmental law comes from the territory of your country.
Strictly speaking, an exception, any country is involved in attacks, and it causes harms to the other countries or territories. We can open the Pandora box. If you restrict to international law, there is the Barcelona case and people think international law is issue and there are principles. When it comes to the core principle, they are quite clear, and they are well-established, and the rules are established with International Court of Justice.
I think that element is extremely important. And Mr. Rolf Weber indicated one possibility, that states are forced to make proactive steps to prevent or reduce the risk of attacks on its territory. But still, strictly speaking, there is international law, states can be responsible for any attack or environmental harm or whatever else coming from their territories.
We have to be careful. I discuss this with International Commission in Geneva. It is quite clear in international law that this is the principle that exists. When I found in this paper, that it lacked that reflections to the classical international law. It relied a lot on international environmental law, to some extent international private law. But I think it has, if it wants to go in that direction, it has to take into consideration at least these two cases, but I won't go into legal cases, but it is important aspect.
>> ROLF WEBER: Thank you very much. Of course, the group has considered the cases. It has also considered a case in which it says Iran could be liable because it could have been foreseen that damage could have caused. I think that we do not want to cause more than 30,000 new court cases, but to have more stable legal ground because what we know from International Court of Justice is perhaps expert knowledge and it is not common knowledge. If you have a more or less clear rule, it could help to achieve some kind of legal stability and certainty.
But we are of course aware that we do not cross the Rubicon.
>> WILLIAM J. DRAKE: Thank you, Rolf. Who else do we have?
>> I wanted to add a word of caution -- pardon me? I'm Patrice Lyons, and I'm an attorney in Washington, D.C. Area. I'm corporate counsel to the Corporation for National Research Initiatives.
At one point, I was counsel to both Bob Khan and Jim Cerf, who are credited with bringing you the basic Internet.
On this point, I wanted to say that in looking at these principles, in particular the principle number 7, if you adopt laws that are too specific insofar as what your idea of what the technology is, it very quickly becomes obsolete, or it actually impedes progress.
Now, the reason I'm saying this is, in the early Internet, the end-to-end was an expedient choice, and Bob Khan has said this on many occasions, it was never a requirement. It was never a principle. In fact, the Internet has moved well beyond that today.
And the fact that, for example, we say the Internet is a network. Well, actually it is a global information system. And it consists of policies and procedures. Now, why is that important? If you go on to the next part about basic and unrestricted data transport, well, indeed if it's an information system. And the more interesting things that I'm involved in today have to do with managing information, say, in healthcare, or in banking, and in much more interesting environments that are not simply transporting bits.
They are actually managing the information, for very real and important purposes. They don't depend on the edges. It is not what I call the slighter theory of the Internet where you have edges. It is actually information. So in that respect, I would caution that when you adopt the laws, that you be pretty specific and expansive insofar as the actual technology that you are looking at here.
>> ROLF WEBER: Thank you, comment accepted. We had a discussion we should include this into the principles, and we need to ask the technical community, but fully taken. Thank you.
>> WILLIAM J. DRAKE: Thank you, Rolf. Do we have other questions? Anybody? We have another 25 minutes. There is plenty here to chew on, including both from a technical, legal and political nature. Yes, please.
>> Hello, I'm from the university from Poland. My area is international human law, human rights. I find this very effective, and I have some particular questions. I hope they fit into the discussion. If not, I'll ask them later.
First question regards the controversy that has been mentioned regarding the presumption of state responsibility for cyber attack, the third state infrastructure. How are you going to do that?
For presumption to work internationally, it has to be either current or -- how is this going to be introduced? The concept is attractive, but it's difficult to enforce in Internet Governance.
Another question concerns the draft we are discussing. I believe it holds a lot of potential. I'm anticipating further steps. I want to ask whether you are also planning on examining the body of work on the Council of Europe on particular protection of particular rights according to the Internet, because I find this the most difficult.
If we are speaking about the freedom of speech, are we going to be relating the work that has been done on article 10 on to the Internet? I think it is difficult. I think this is the key point to be regarded when we are speaking about the Internet and human rights.
I have one more question, simple question. You were speaking about VeriSign not blocking certain domains, just because someone is saying there is malware on them or something like that, if I understood you correctly. I want to ask your opinion on the latest on that case. If you have any comments on that decision, where you are forced to block certain domains, I very much appreciate them. Thank you.
>> SHANE TEWS: Happy to start on that. The Welback decision around the conflictal work, for those of you familiar with that. The concept was you had this worm virally going around the Internet. We were able to trace it through digital forensics. But sometimes we get to a point where you know the ISP was harbouring somebody who had the worm on their system, that the ISP did not feel they could contact them for privacy reasons.
We worked, VeriSign worked closely with Microsoft and other technology companies to figure out how we best address this. Ultimately Microsoft led and was able to work through the U.S. court system to take it to court.
The key initiative was having to educate the judge, which is often the challenge, is you are dealing with people who are not technically savvy. This guy understood the concern, was able to give the court order, so we could then go to the ISPs and ask, we can block the names that were needed, which helped with the ISPs issue about being able to contact people.
That is part of the challenge, is I was talking about the practical nature of how do you get down to the crux of the problem, without inhibiting anybody's rights along the way? Or basically rolling over them, because you are saying, a lot of times the challenge is people cast too wide of a net. You are trying to delineate down to what is the actual problem and how quickly you can resolve that without doing any other harm in the process.
I think the Waldek decision right now is the key decision for us to watch and see how much we can emulate that. It is working in the U.S. court system. Is that something that we can -- yes, absolutely.
>> ROLF WEBER: A short reply to you, legal question of course, we take into account, because of the work on article 10 and I would say even more on article 8, because privacy data protection is an important topic. It is by the way also my research field and also research field of the Secretary of the Council of Europe. And as I said subsequently, to build a question, very intensive survey, and through of course come into conflict with these fundamental rights. As far as legal drafting of possible norms is concerned, indeed we are not yet there.
I think we have been relatively conscious to present this draft of principles and the draft of possible legal actions which could be considered.
And we wanted to test these results, the results of the expert group and the Secretary in a broader audience.
I'm not so surprised that many comments warrant of being not too liberal, of being cautious, in following the step. We take these comments serious, and we continue our work. And we see what it can really do if you nail down a principle to an actually applicable enforceable legal rule.
>> WILLIAM J. DRAKE: I will ask a question. Okay. First, Everton.
>> EVERTON LUCERO: Thank you, Bill. As additional contribution, as I mentioned, that the document that was produced in Brazil with the ten principles, eight of them are somehow reflected in the paper presented by the Council of Europe. I would like to refer to the two of them that are not here, and that we consider that could be also a valid contribution that should be taken into consideration.
One is our principle number 7, which is accountability of the network, which reads: All action taken against illicit activity to the network must be aimed at those directly responsible for such activities, and not at the means of access and transport, upholding the fundamental principles of freedom, privacy and respect for human rights, of course.
The other one is that, related to legal and regulatory environments, that says that such environments must preserve the dynamics of the Internet as a space for collaboration. I believe that this principle may pose a, may present a reply to the concern that was raised previously regarding not establishing in stone some rules that may very quickly become obsolete.
So if there is the need not to reflect a specific rule, once you say that, you should preserve the Internet as space for collaboration, and I would add, innovation, then you are keeping an open space for further developments regarding the system. Thank you.
>> WILLIAM J. DRAKE: Thank you. I'll be provocative, see if we can get our juices going. I'd like to ask my friends, who are the big thinkers on this expert group -- I'm not a lawyer, I'm a political scientist by background -- if I study the usual ways in which states respond to incentives, it seems to me that if you say to governments that you could potentially have this new responsibility which could include liabilities for ensuring that nothing bad comes out of your country, it would seem to be a completely rational response to greatly expand the level of surveillance that you have, because otherwise you leave yourself in a very vulnerable position.
I would think you would want to try to ensure as much deep inspection as possible, that you want to rejig your national laws, to be able to give you yourself greater access to private infrastructure when necessary, and so on.
And yet, at the same time, the document is saying, but we want to do all this to preserve human rights and freedom of speech. So I'm trying to understand how you balance these kinds of rather competing -- I mean, the objectives are all good. But I think about what the operationalization of them means; it seems like they come up against each other.
Rolf, your response before seemed to equivocate. I'm wondering what that means from that standpoint. So Wolfgang, you haven't spoken for a while. Set me straight. I'm not understanding something obviously.
>> WOLFGANG KLEINWACHTER: Thank you, Bill. The challenge here is indeed when we started the work, we did not plan to open the box of Pandora, but we did it indeed; because if you start to think about the final legal implications of all this Internet Governance issues, you end up in a much more complex world.
You risk really to overreact, and to go through the whole list and to make a proposal for an endless set of regulations.
So far, the first thing we try to discuss was, to define what the role of governmental rights and duties is in the broad Internet Governance policy context. A lot of discussion we had is, should we continue in traditional way, that on the top of the hierarchy, we have a legally binding governmental norm, or should we understand the legal binding norm which is drafted by governments, as a component of the broader system of multistakeholder system with general principles? And so far, the whole construction of the paper, with part 1 and part 2, reflects a little bit this discussion.
We say the intergovernmental regulation which is needed in certain circumstances has to be embedded into a more general principles, and this raises the issues you have just mentioned. Then you have the conflict in the general principles. You have human rights as a general principle. If you come to the very specific regulation, then you have to identify areas where governments probably agree on a norm which undermines human rights. At the end of the day, probably you will have to have a neutral third party, if it comes to conflict in a general principle, and a very specific duty of a Government, how to settle this.
So I think there will be no general standard. And our position is, we have to be very careful and to identify very specific the areas where governmental regulation, let's say intergovernmental regulation to cover issues which results from cross-border Internet needs really a norm. My approach is we have to be very careful to define small spaces, and then probably create a high fence around this small space, but not to have general regulation for the whole field.
It means to look for the various places where we need a specific regulation on this very individual subject. And so far, traditional approaches, like to have international convention on issues like Cybercrime or intellectual property, will not be the answer, because this is too big, too broad. And you open too many smaller boxes of Pandora.
So far, you know, the general principles are important, and then look for the specific arena, where you really have an international agreement that here a regulation is needed, and then try to define it.
So far this will need much more time. It could establish a mandate for one year. It is nearly impossible to do the work in one year. That is why I take this paper as a provocation. This is invitation for comments. We have really entered unknown territory. We feel there is a need to do something. But we have not yet the answer what to do. In a way, very happy that a lot of other people in the room here have offered their services to work as external experts like Michael Roiter, like Milton Mueller and a lot of others say, okay, let's really start a broader discussion. We will have an interim report back to the Council of Europe end of this year.
But I think the real discussion will take place in the future. And this brings me to another point which was raised by Hong. This is Council of Europe. There is 48 member states of Europe, which includes part member states which are not member of the European Union, like Russia, Ukraine, Azerbaijan, Armenia. The question isn't United Nations issue. Shouldn't we do this in United Nations? And so far, yes, it's a global issue, and the Council of Europe probably here has taken the role as a pioneer to push this forward.
But there will be no European answer to these challenges. There will be only a global answer. So far we are very happy that the invitation was accepted to join us here, because they bring the European perspectives and this is needed. If there will be a European proposal for European convention which ignores the specific situations in Africa and Latin America and Asia, this will fail.
I think we have, the Council of Europe has a big achievement with the Cybercrime convention, but it will never become a global treaty, because you know some specific arguments of countries not member of the Council of Europe has been ignored. 90 percent can be subscribed, but probably we need a revision and then adoption in the General Assembly of the United Nations. It could be one way forward.
Mentioning the pioneering work of the council of Europe, and here we do also pioneering work which at the end of the day has to get the consensus of all nations, including the governments of China, Brazil, India and Russia. Russia as a member of the Council of Europe could build a bridge here. I hope that the Russians will use their opportunity here in the Council of Europe to make very good contributions.
But again, this is really investigating unknown territory. But I think the basic point really comes from the Internet Governance definition, which says Internet Governance includes civil society, private sector and Government in their respective roles. That means the overall umbrella is multistakeholder, and part of this you have an intergovernmental component. What we are discussing is the respective role of governments in the multistakeholder environment, and this is really a new approach. We need much more ideas and much more support on the part of the community.
>> WILLIAM J. DRAKE: Thank you. If it is intended as provocation, you succeeded magnificently. It merits much more consideration and discussion. We can even do a book on it. It is so robust as an area. I'm sure we will appeal to Russia and many others. We can have a good discussion going forward.
That was a very good summary. It is almost time anyway. This room is extremely noisy. We probably all have a headache. Why don't we stop there, and thank the Council of Europe for the initiative to organise this, the expert group for providing the report, and the panellists for providing their feedback. Thank you very much.
(Session ends at 130.)
A proposal for setting a standard of care in international law for cross-border Internet