Sixth Annual Meeting of the Internet Governance Forum
27 -30 September 2011
United Nations Office in Nairobi, Nairobi, Kenya
September 28, 2011 - 11:00AM
***
The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***
>> LEE HIBBARD: Okay. Hello, everybody. Welcome to the Council of Europe Open Forum on the Draft Strategy on Internet Governance for 2012 to 2015. I see a lot of familiar faces in the room. So I thank you very much for coming and sharing I hope. I'm going to pass to Jan Kleijssen, the Director of standard setting in the Council of Europe to say some words to open and frame this Open Forum.
Just to say it's quite instructive --
(Audio lost).
>> LEE HIBBARD: With that I would like to pass the floor to Jan Kleijssen. Thank you.
>> JAN KLEIJSSEN: Thank you very much, Lee. Good morning, everyone. I'm very pleased to see so many of you here to discuss what is very much at the moment a Draft Strategy. Let me stress that from the outset. Nothing has yet been decided. These are ideas for your comments, criticisms and suggestions.
As you know, the Council of Europe was set up to defend and promote human rights rule of law and democracy. We've been trying to do so over the past 60 or so years in I think a pioneering way. With landmark instruments starting with the European Convention on Human Rights in the court but also texts on legal -- Conventions, sorry binding Conventions on issues such as bio ethics and many other legal questions. And of course since the emergence of the Internet and it's related challenges, instruments on cybercrime and data protection to mention the two most important ones.
What is the purpose of the strategy, the Draft Strategy that is before you? The organisation has been dealing over the past years with a lot of issues that touch upon the Internet. But which were not actually brought together. As a result of which, many of our stakeholders to start with our own governments, the 47 Council of Europe governments did not actually have an overview of the impact the Council of Europe was trying to achieve. And the issues it wanted to address as regards Internet and Internet Governance. Hence the idea to, first of all, to set up an interSecretariat Task Force, transversality within the organisation to start with. And what you see before you is the result of that interSecretariat work.
So it's -- everyone from the various sectors of the house of our organisation has been contributing to this draft.
It is set up on around six chapters which you'll see in the flyer. And we would be extremely grateful to have your -- as I said, your comments and criticisms. Because as our Deputy Secretary-General said yesterday we're firmly committed to multi-stakeholder dialogue but also to make multi-stakeholder delivery as she mentioned. And we would like to present this strategy with your suggestions and corrections to a major conference organised by the Austrian authorities at the end of another, which will be at administerial level.
They are also to take comments on board and then present it to our committee of members for adoption in January of 2012.
As said we very much believe in multi-stakeholder dialogue and we very much welcome the opportunity to present these ideas, this draft, to a variety of stakeholders here at the IGF. And we would be very grateful for your comments. Please don't hesitate to criticize or to make additional comments or to disagree perhaps what is proposed. As I said, it's very much a draft. Everything is open. Nothing is decided yet. And without losing much time I would like to pass over the floor to you.
>> LEE HIBBARD: Thank you, Jan. While you're looking at that text just to get a sense of the mood, I think you know -- many of you know the Council of Europe's work or what is part of the Council of Europe's work. I think one of the most important reasons for this strategy is to bring together what we do in any case on a regular basis, whether that be in cybercrime or data protection or freedom of expression to give it sort of an identity. What does the Council of Europe do about the Internet, on the Internet. So it's a packaging of what we do and what we would like to do in the future over four years.
So it's an attempt to be holistic. It's trying to bring together not just taking things one at a time but trying to see overall what does the Internet mean for the Council of Europe. And if you look through the chapters you'll see we have a chapter on the Internet universality, integrity and openness and last week in the Council of Europe there were certainly soft law texts adopted on a new notion of media, on doing no transparent harm to the Internet and on Internet Governance principles. And on domains and name streams and the importance -- domain names and name streams and the importance of freedom of expression. That's one chapter.
The second chapter is on empowering users. Giving users the ability the literacy the tools to take charge of their personal data online, their identity, trying to give users a better understanding of what they are online.
Advancing data protection and privacy. We have a Convention 108 which is a convention used by many states. It's been discussed here already in a workshop. Where does that take us with regard to privacy more generally? And what are we doing in the future?
Of course the rule of law on work on cybercrime you'll know there's also been discussion there will be a workshop today on cybercrime and cybersecurity and we have strategies there. And we have colleagues that can discuss that. There's a chapter on democracy and culture and what does that mean. And children, another chapter at the end. Their impairments not just their protection but their impairment their ability to take charge of themselves online. So on that basis I would like to start with the major pillars of the work of the Council. Cybercrime, cybersecurity. I have my colleague Alexander Seger here. We have a very large conference lined up in November the Octopus Conference. He's dealing with cybercrime on a daily basis. Alexander, a lot of people know what the Council of Europe is doing on the Convention but where are we going, how does that fit with cybersecurity.
Tell us some information. Thank you.
>> Thank you, Lee. I think what we are going to do in the future depends also a bit on the feedback we get today. The feedback we will get in this afternoon when we have a workshop on cybercrime versus cybersecurity strategies just opposite here in room 13 at 2:30 in the afternoon and it will also depend on the feedback and discussions we have in the 21st to 23rd of November where we have the global Octopus Conference where we discuss many of the issues we are starting to discuss today and the 23rd of November the 10th anniversary of the Budapest Convention on cybercrime. And that's to take stock what we have done so far what has worked and how have we failed and from there see what we are going to do in the future. We had last week a meeting of the Bureau of the cybercrime Convention committee we have the Chairman of the committee here.
(Audio lost).
>> Into this process in the -- to decide what to do in the coming years. It's very important to point out that as Jan Kleijssen said the objectives of the Council of Europe are human rights, democracy and the rule of law. We look at cybercrime as undermining these -- cybercrime is undermining the core objectives of the Council of Europe therefore our cybercrime strategies is to contribute to rule of law and democracy and human rights. This is very important. Therefore we promote a criminal justice approach to cybercrime. We make sure that if governments take action based on law, we help governments define contact that is to be made in criminal offense that's very important no punishment without the law it is defined as a criminal offense we make sure governments and parliaments adopt procedural law measures to allows law enforcement to investigate in an efficient manner a cybercrime and together electronic evidence and also to make sure whenever there is an evidence and whenever these powers are provided to law enforcement, that there are conditions and safeguards, issues like proportionality when measures are taken.
We have to make sure -- and for example when deception takes place this is limited to serious offenses we have to make sure that the powers of law enforcement are subject to independent judicial supervision, et cetera. Otherwise, we risk to come to a situation where law enforcement may violate the rights that we want to protect. This is very important.
We do have and of course very important in the cybercrime area is international co-operation cybercrime always also has a transnational element and even if it's just electronic evidence being on a server in another jurisdiction.
And as a framework for that we have the Budapest Convention on cybercrime. It's an option that's available governments may take it simply as a guideline when developing legislation to make sure that legislation of one country of their own country is compatible with that of another country and if governments can make this political decision then actually to succeed to the Budapest Convention to become a full party not only then to use the Budapest as a legal basis for national co-operation but also to participate in future work on the Convention. Future work may for example include for example a protocol on the regression of transporter access to data which is very important in connection with Cloud Computing.
But what we see is very well in sync with the theme of the IGF this year.
The key challenge we see is capacity building. Once countries have legislation they need to be able to apply it. We need to make sure that not only law enforcement but also judges and prosecutors are trained to apply this legislation.
We need to help countries establish hi-tech crime units, investigate cybercrime but also have the forensic capabilities necessary. We need to ensure key measures against cybercrime et cetera so first this is what is ahead in the future. But as I said there's a process going on of defining our future priorities reflected in the Draft Strategy that you have before you here. Whatever feedback you have will be very much welcome.
>> LEE HIBBARD: Thank you very much, Alexander. It's -- I'm going to ask Marco to wait a second while we take some comments from the floor and maybe you can try to respond to some of those comments and also Alexander. What are your opinions and what do you think about cybercrime and cybersecurity where is it going what do you think the Council of Europe should entertain? The floor is open. Alun Michael.
>> ALUN MICHAEL: Thanks I'm a little bit puzzled and I hope you can clarify this you said there was no overview what the Council of Europe wanted to achieve in relation to the Internet and this is an attempt to define that in terms of defining what the Council of Europe I can understand that. But there did seem a little bit of confusion. So you know I was glad to see -- hear what you said about supporting multi-stakeholder approach and so on but there's a reference by your Secretary-General yesterday regarding some of the work led by Council of Europe for instance in EuroDIG as acting as a sort of European IGF which it manifestly isn't. I mean it could grow into that. But it's narrower than that as would be defining the work that the Council of Europe has a natural lead on.
So I'm not clear whether there isn't a little bit of a muddle about trying to perhaps do two things at once. And I think that probably needs some clarification.
Secondly, I'm a little bit puzzled about the different events you've talked about. I wasn't quite sure whether the octopus was an animal that was taking over Austria or whether that was a different conference. And I apologize for not understanding the geography of the sort of events.
And the third thing is looking at the list of the focus, it does seem to me that within the spirit of the IGF process one has to go very wide in terms of exploring and discussing issues. So that if the -- to take one example, advancing data protection and privacy. I can understand that in terms of Council of Europe priorities and you know what has been in worldwide context the leading role of the Council of Europe. But in terms of the IGF priorities, it seems to me that we need a wider more comprehensive approach which looks not just at data protection and privacy but also data sharing and data management in the same place so that you're looking at the comprehensive. For instance I have a great interest in initiatives to reduce violent crime which has been quite successful in terms of making very careful use, careful and appropriate use.
But real use of data in relation to the victims of violence.
And I think on the cybercrime issue, the one question I would like to raise is: Should we be talking about cybercrime? It's always seemed to me rather dangerous to talk about the crime if it's related to the technology. So I think to put it very simply if somebody uses a foot path to reach my house and to burglar it, it isn't a foot path crime it's a theft or a burglary. And therefore we need to be very careful not to create a category which perhaps cuts across for things that happen in Internet-related activity but have a connection to the offline world.
And only define things in relation to the technology, whether it is absolutely -- where there is absolutely no alternative to doing that. If it's the human behavior that we're seeing as the problem, then it's the human behavior that we should identify. And my feeling with legislators is that there's a tendency to think: Well, if we can relate it -- if we can identify it as cybercrime that puts it in a different pot. If we don't understand the technology we don't need to worry about that as legislation and therefore stop regarding it as a problem with human behavior.
And the final point I would make is that the references to serious crime. I can understand why in a sense you want to see interventions relating to what is serious so that you are keeping to a minimum I take it is the implication the intervention with the free flow of the Internet. But actually a lot of low level activity is very often what threatens behavior and makes a place not seem safe if you like taken the broken windows theory into the Internet space.
Last week we had -- sorry; the week before last we had evidence before the Home Affairs Select Committee in the UK we're doing an investigation into the rights in the UK in August. So we had Facebook and Twitter and BlackBerry before the committee talking about the use of social networks during that period.
What was interesting was that some, for instance, the Manchester police have made very good use of those social networks to bring about benefits. So we have moved very, very rapidly away from what used to be a sort of oh we must control this to oh we must understand and live within this space in order to deal with it properly and therefore moving away from it being seen as a technology-based set of interventions to it being about the human behavior and making use of what is the right space.
And I'm very hesitant about us going too quickly down a legislative route in relation to the Internet which is so fast moving. As a legislator I should perhaps argue for legislation. But I don't. I think most of the time laws don't prevent what they forbid. And we end up with regulation and bringing things into a sort of format where actually we lose the development of human behavior, which is what the IGF is quite good at engaging with.
>> LEE HIBBARD: Yes, just perhaps to clarify immediately some of the issues that were not made sufficiently clear at the beginning. First of all, this Draft Strategy brings together what we are doing and what the Council of Europe in our view this is for the moment a Secretariat paper would like to do. And this meeting here is the start of the consultation process of the multi-stakeholder consultation process. Before it's submitted to our governing body which is the committee of members in the Council of Europe. The Vienna event will be second place for consultation it takes forth in 24th and 25th in November and the Octopus Conference by sheer coincidence is in the same week but in Strasbourg the preceding days.
This on the clarification as regard to cybercrime I would leave it to Alexander.
>> I fully agree we have to be very careful we don't identify everything as cybercrime or nothing is cybercrime. We have to be specific. And I think that's what the drafters of the Budapest Convention managed to do after I think of -- after 13 or 14 years of deliberations preceding November of 2001 that was a long process and we have very much a document that shows that today what the Budapest Convention does is it finds offenses against computer systems, illegal access. Confidentiality. That's very clear very specific type of offenses which we don't have in the same way in real life. And then it defines a number of other offenses committed by means of computer system with the nature of the crime and scope of the crime changes dramatically by use of computer system that's fraud and forgery but very specific provisions it doesn't include the real life fraud provisions also apply but some very specific elements that have left the gap in real life fraud provisions that are covered by the Budapest Convention it covers very clearly the issue of child pornography.
I know there's ideological views on the term child pornography we also have the Convention which is much broader over time maybe we can come to a the broader concept but Budapest Convention defines this but it gains different quality through the use of computer systems and the Internet and then there is the issue of issues -- use of issues of intellectual property rights and it's not changing the quality there. It's not a new obligation. It just makes sure that governments implement the Intellectual Property right obligations they have through other treaties and other law also in the online environment and in the computer environment. So it's again a very specific thing. The drafters of the Convention are very, very careful to do each and everything. And the drafters are also careful to avoid overcriminalization and therefore for specific matters it says if you apply this particularly intrusive measures like interception of content data in particular you should limit it to serious offenses and then it leaves it to domestic law how you define serious offenses as to avoid overcriminalization in reality it's -- international treaties always a minimum that you can agree upon.
How then countries implement it in their domestic law is really up to the countries. They cannot go below the minimum but they can of course beyond whatever it is they want to do.
>> LEE HIBBARD: Thank you very much. Thomas, do you want to come in on this?
>> Yes, thank you. I'm Thomas Snyder from the OfCom's Federal office for communications and I represent Switzerland in some of the work of the Council of Europe. But also in other international forums.
I think the Parliamentarian from the UK is right in saying we shouldn't put technology in the centre of deliberations but we should put -- I would not say not only human behavior but human beings in general and their behavior is one part of this but this I think is a fundamental thing which I think -- and if you look at the submissions the Council of Europe has made in the past IGFs, it's something that the Council of Europe has understood. That it's not about technology. It's about the way people interact in a society. It's about respect and freedom.
And I would also agree I would say that basically we should apply the same patterns of thinking of values and principles in the online world as we did in the offline world. So life is not fundamentally -- or the values shouldn't be fundamentally different in the online world.
They might have different technical implications and details. But that is not something that maybe the Council of Europe has to go into these details but especially on the level of principles where the Council of Europe and basic rules where the Council of Europe has a leading role I think I would absolutely agree.
And in one of the first submissions that the Council of Europe made to the IGF which is something I keep quoting, it says something like the aim is to have a society where you have a maximum of freedoms with a minimum of restrictions and limitations that you need in order that everybody is able to profit from these freedoms. And I'm very happy to see that also you see security and fighting against cybercrime not as a goal in itself but as a means to ensure that everybody has equal access to these freedoms and to these rights and not the other way around. Because I think security is not apart from physical security. Security is not a goal in itself but it's a basis that allows you to exercise your freedoms as they are defined in the Convention.
And something that has happened and I experience it with a lot of countries other countries that represent -- are represented in the Council of Europe, with the convergence with Internet Governance not only covering infrastructure aspects but also having effects on the way people access content the way people use media social media and so on and so forth, I think it's necessary and all -- as governments we are all trying to also reorganise ourselves or at least establish new communication channels between ministries and delegates that represent --
(Audio lost).
>> Try to make all of the laws technologically neutral which most of the time works. Not always. So I would strongly agree with this. We should really stick to the values, the principles and then apply them to the different environments that are changing fast and so on and so forth. It also helps Parliaments to be more efficient they don't have to redraft things every two years because they are technically outdated I think that's a very good point. And with regard with what is needed and that's been said by Vince Diamante and others yesterday in the Opening Ceremony there is more and more a consensus that we need some fundamental commonly shared principles when the first attempt or the first thought of this with the WSIS Declaration of Principles but that might be not enough we need to go into a little bit more detail and the work that the Council of Europe has done with these ten Internet Governance principles OECD and others have developed similar ideas from a different point of view.
I think that's a first start. And also the conference that the Council of Europe has organised this spring which has -- the title was something like from principles to a global treaty, which asks -- doesn't give answers or didn't give answers but it asks the right questions.
>> LEE HIBBARD: With a question mark.
>> With a question mark so if we say okay we agree that we should agree on common principles, how do we then implement them? How do we encourage or force or get people and the economy and governments to follow these principles? And I think this probably needs to be answered and I think there won't be one single answer there might be some cases where you need laws and treaties but most of the things or at least we hope you might get people to voluntarily agree they have to commit themselves and mutually watch each other and encourage each other to follow these principles and I think the Council of Europe has by producing a number of interesting soft law has taken a reasonable step as an intergovernmental organisation to work with the Private Sector. There has been work done with guidelines for industries like ISPs work is under way developing guidelines for search engines, social networks, this is I think a good thing.
And just one last comment about EuroDIG. If I remember right, it was the second EuroDIG in Geneva where the participants present including representatives, high level representatives from the European Commission and others agreed that EuroDIG is the European IGF. So -- and that this is an important pillar for the discussion of these issues on European level. And I think the development also of EuroDIG has also shown and also the commitment of the Swedish Government for the next year has shown this is really a Pan-European IGF. It's not an IGF of 27 countries it's an IGF of all of the 47 countries. And I think that this is not contested anymore. It's also not an event of the Council of Europe. It's an event where everybody who wants to be involved can be involved and more and more countries and companies are involved and I think that's a very good process.
Thank you.
>> LEE HIBBARD: Thank you, Thomas. And Alun Michael we haven't forgotten the question about data protection and data management which I think we'll come to in a little bit if that's okay we've been discussing the positive things of ICTs as well for human rights defenders so that's something else important to explore. We have a couple of people who want to speak. First Marco briefly and then Brute and I would like to bring in Marco if you like and also Matthias.
>> Thanks Lee I would like to pick up on something Thomas said this very important aspect of the Council of Europe to balance things to say on the one hand side we definitely want to criminalize and make sure certain conduct is criminalized but on the other hand we would like the maximum freedom of people. And I would like to know a little bit about -- I see how you achieved this within the 47 Member States because you have so many different instruments. You have legal instruments, a lot of soft law Lee as you just mentioned. I'm just wondering when it comes to the global aspect and we are sitting here in Africa the Convention on cybercrime is the instrument that you are promoting globally but it is only the criminal law aspect. I don't see actually where the protection of freedom which is a counter balance is included and promoted in a similar way because there are so many conventions that are protecting these kind of rights that are not globally promoted in the same way.
So I see a certain misbalance when it comes to looking at crime only because there are many countries who would probably be able to implement this document maybe in a different way but who don't have the same rights and don't protect the other side.
And the second point is on legislation and Thomas mentioned the technology neutral provisions might help legislators from avoiding to come up with new legislation every two or three years.
I -- I'm for many years advising governments and implementing legislation and when it comes to those aspects like technology I've come to the conclusion that this is a promise that we can't keep if we tell them: Hey, you're safe for the next ten years. We've seen when this Convention was developed Alexander it was 14 years before it was open for signature so it's now 20 years old the beginning of the process at that time many things we were discussing right now were not known and if you look at what was happening on the national level you'll see governments are implementing legislation on a very frequent basis. The European -- the governments in Europe coming up with new cybercrime legislation every two or three years and the European Union is coming up with new legislation I would say almost every year this shows there's a great need for up to date legislation for changes for having a dynamic instrument and I would like to hear a little bit how you're going to make sure this happens.
>> LEE HIBBARD: Thank you. Before we -- Brute does your question go in line with Marco before we go on? More general. This event shouldn't turn into a cybercrime event by the way either and there's an event this afternoon so we should take the question but I would like to limit it at some point very soon. So Matthias do you want to comment now or general can we have a quick response from -- regarding Marco's comments.
>> Thank you I can also comment that the Convention was drafted in a neutral way and so far it's ten years old and I think most of the definitions are also quite good and fine.
Today they can be applied. Today they can be applied up to -- after five years or even after ten years. But also I have to say that the committee -- this is the committee of the parties established according to the Convention is also reviewing possible ways how to update the Convention. Among other issues, committees analyzing for example jurisdiction, Cloud Computing, transport access to data.
I think these are the issues that we're not for thing ten years ago. These are quite the recent developments. And the committees is reviewing these and Alexander also mentioned that one way to improve the situation is to create additional protocols to the Convention. And committees right now are working to do that. Thank you.
>> LEE HIBBARD: Thank you very much. A quick response from Jan Kleijssen first of all.
>> JAN KLEIJSSEN: Yeah in order to have a real dialogue here I think there was a justifiable comment that perhaps we're promoting more the cybercrime Convention than other treaties in other words we seem to be looking more at criminalizing behavior perhaps than in protecting rights Alexander rightly pointed out of course the purpose is to guarantee rights and therefore we need this Convention. But I would like to draw attention to the data protection Convention, Convention 108 which is very much about protecting rights in which we are promoting. Perhaps we started a bit later than we did with cybercrime but we are very actively promoting worldwide committee ministries have invited a number of countries to consider succession and formally invited Uruguay to succeed so we are trying to balance that more because there's some point in what you're saying we should also promote other instruments globally.
>> LEE HIBBARD: Thank you very much, Jan. Brute, you want to come in.
>> Yeah, thank you very much I'm Brute Claussen from the Ministry of security and justice from the Netherlands let me first say I appreciate your work. I think the Council of Europe is doing an excellent work. For many years already. And if this is an example from how the stakeholder -- multi-stakeholder dialogue goes to multi-stakeholder delivery I think it's a good start already. I would like to reflect on the common principles as has been said with one of the previous speakers. Because weekly I see almost new principles and strategies and one participating -- when participating in this IGF I'm confronted almost every hour with new principles that I didn't know before.
In fact, yesterday Mrs. Cruz announced also a kind of cybersecurity strategy I will just quote. She talked about safer Internet for children. And then she said and I quote finally for confidence in the system as a whole I am working on the Internet security strategy to help us face all sort of cyber threats to information and networks. So that was new for me. Maybe I missed it before. But maybe you could shed some light on how this is related to your work. That's just one question.
And second, I have more -- maybe more a suggestion. Because I saw -- as a matter of fact a law of general principles popping up. Actually I'm also working on a project where we'll deliver some common principles. And they all struggle I think with the problem that we want to apply those principles for everybody. But we don't want to make it like legislation. We don't -- we cannot make it binding.
So on those lines I think the gap there is between what we want to -- what we want to accept on the Internet and what we don't want to accept on the Internet and how we enforce it how we regulate it.
So now my suggestions because a lot of initiatives are struggling on how to go forward with this.
And my -- well maybe it's a question to the Council. Would you be -- well, would it be an idea not to merge all of those principles because I think that's a step too far. But maybe there is some work to get a more connect to each other. Because there are so many initiatives. And if you are -- well, I'm curious about what you think of the idea of view as more natural leading of process to try to connect all of those general principles to each other. Thank you.
>> LEE HIBBARD: Thank you, Brute I wonder whether we should take your comment first Matthias is.
>> Maybe take the answer first because it's not about cybercrime at all.
>> LEE HIBBARD: I can respond to Brute.
>> JAN KLEIJSSEN: We shouldn't turn this into a cybercrime event only although it's the most exciting topic I think. Anyway. But I think we need to work at several levels. There are certain things which have to be defined by law and that's the sort of thing we have in the Budapest Convention and there are many other things where we are either far away from a consensus or where we also don't want to strangle something. You know at the moment you have principles. You can make them more perhaps easily adoptable for everybody than if you put something in a treaty so there's also a risk by turning something into the treaty we had discussions on the prisons issues on the Council of Europe where if you have guidelines you can broadly implement and the function the moment you try to put it in a treaty you narrow many things and it may become very risky in cybercrime/cybersecurity area I see we have on the cybercrime front a clear basis for the Budapest Convention for those who want and on the other level we need to work more on the principle side see if we can come to codes of conduct rules of behavior rules for states in that matter which was also discussed that's from my side.
But maybe Lee or somebody else has more comments on this.
>> LEE HIBBARD: I think personally speaking that regards to principles there are many principles. You mentioned some of them. And there are others to come. Civil Society wanting to have their own principles, too. They definitely need to be brought together and even just last night we were speaking with people from Microsoft I think there will be a need in the EuroDIG to bring those principles together and start looking at what's common to all of them so we have a common basis, a common trunk you would say in French but I think that's something definitely in the future to look at.
But I'm looking at the gentleman from Sweden, Johan Hanenberg when you talk about principles they create a climate a frame that don't necessarily have to be legally binding but they create a traction a momentum a feeling that something is moving the reason I point to you Johan is because Sweden has done a lot of work in the field of Internet freedom and cross country statements regarding Internet freedom with Carl Bildt in particular which is something like you could say a movement towards principle an idea of climates and is that having an effect in your opinion for example I don't know whether you want to come in or not is that work which is similar in ILK principles does it have an effect in terms of Internet freedom I'm switching the conversation on Internet freedom now an away from cybercrime on purpose. Thank you.
>> Thanks very much for giving me the chance to address this workshop. Our work on Internet freedom has evolved through I think the -- saying: Why are bloggers being thrown in jail? Why are people being deprived of their liberty just because of expressing themselves on the Internet? And that prompted us to try to find a few avenues for a policy discussion on these issues.
Based on the international human rights framework we found that the IGF was one arena where human rights needed more emphasis more integration we started only two years ago so this work is still in my view very much in an early stage. So this is only my third IGF but looking back at the two previous ones I would say that human rights is much more prominent now than two years ago in the main sessions as well as in many, many of the workshops and seminars. So in a sense, the climate has changed.
Another avenue which hadn't at all discussed Internet freedom was the main human rights body in the UN, the Human Rights Council. The Human Rights Council may not be the most effective and progressive arena to work but nevertheless it's the main UN policy setting body for human rights. And in our view, in our opinion, that body had to be engaged somehow. We decided to promote and support the work of the Council through it's special Rapporteur. We supported his expert consultations. We arranged two expert meetings in Stockholm on this issue together with Frank LaRue the Council of Europe has been on this trip the whole time actually. A lot of work has gone into these consultations by Lee himself.
One sort of -- one stop on --
(Audio lost).
>> maybe not create a more decisively -- decisive climate but I feel the issue is more now on the agenda. That was a bit too long.
>> LEE HIBBARD: Brute I think just in response and I hope that the Council of Europe principles also help that work you're doing too in the Human Rights Council it's not universal and how it looks overall now Matthias do you want to come in.
>> Yeah, thank you. I want to come back to maybe your original question I short to do a short comment on the Internet Governance Strategy and I think the discussions within IGF mostly when we talk at lunch with stakeholders groups the most important thing is to explain to people what the Council of Europe is really doing when publishing another paper like the OECD and many other organisations initiatives with writing down all of these principles. And I think there's a big misunderstanding amongst stakeholders often.
They see an institution also like the Council of Europe. They produce rules and rules.
And that what really has to be stressed is that when the Council of Europe is dealing with all of these terms we hear today and all of the days before and the next days again about the transparency, the security of the Internet and so on, that they are only prerequisites for the enforcement of human rights. Without let's say all of these standards with the Internet we wouldn't have freedom of association, freedom of expression, freedom of privacy and human dignity and so on why is it so important when we do this for example standard setting even software I said it yesterday in a workshop. Not only the European code on human rights but especially that code on human rights takes up this standard setting which was well within the Council of Europe also by the stakeholder. In this multi-stakeholder approach and asks one question:
Is there a common European understanding? What is it, for example, for a free Internet and so on? For example, the most relevant case of the youngest time was one case against Ukraine where journalists were prohibited to --
(Audio lost).
>> Challenge more in the way that we do not say we invent new rules or whatever. What everybody here in this room knows. But people don't really understand it. Why does the Council of Europe -- why doesn't the Council of Europe come up with this? Last thing another point I can't just from an interesting workshop Johan was a speaker there, as well about the multi-stakeholder topic. And it was more on the intermulti-stakeholder relations. So how do they organise themselves.
And so I think this is also a topic we should concentrate in the Council of Europe strategy, as well. Because I think it is most important that we also see that stakeholders are not stakeholders. There's a lot of diversity of stakeholders. Not only of the interests they have but also of the quality they can deliver. The sources. The resources they have. And so on.
And we should really have also not only say we trust in the multi-stakeholder model as such. But really also to have a look what kind of stakeholders, how do they feel -- do they feel represented and maybe go away sometimes from all of these professional representatives. Thank you.
>> LEE HIBBARD: Thank you, Matthias. I think that the idea -- the attempt of this first draft of a strategy is to try to -- it's work in progress regarding what is a common European understanding is what you said. What do you think, Peter? You're a stakeholder group. The European Youth Forum. More and more active in the Internet Governance work. What do you think.
>> Thank you very much so Peter Matjasic, president of the European Youth Forum. It's a platform of 100 youth organisations in Europe representing millions of young people all over the continent. For us it's essential to stress first the need for involving young people and youth organisations especially as stakeholders in this because we see a lot of young people running around the IGF which is great and they have a lot of things to say but they are not always equipped to follow up on the processes therefore we need to have representative youth who come in and help channel those voices of young people in this.
And we also need to go away from looking at young people only as the vulnerable group but as young people who are daily consuming and using Internet and that they have certain rights in doing so and they should be actively involved in decision making.
Now having said that coming from youth but also I want to touch upon the fact we have the EU on one side and the Council of Europe on the other and we should focus on the fact that both can contribute but both have an added value on their own and this is building on what Matthias was saying the Council of Europe strategy needs to focus on what the Council of Europe was made up for and what it does best which is the rights based approach while EU is set up from the economic point of view it should be much more but at the moment where it does have leverage is over governing certain aspects of access, certain aspects of rights in terms of providers and more the technical details that can help the whole Internet Governance process. So I would like to see it from the European perspective as the youth perspective that the Commission does what it can do and the Council of Europe does what it can do best now coming to the strategy that you're proposing in general there are quite a few very good points to tackle empowerment, protection but it's only focused on children and I'm missing youth here because you need to be a bit consistent also within your own policy within the Council of Europe where recently you had a proposal on the framework Convention on youth rights.
And you were on another recommendation lowering the voting age to 16. So we need to see which ways are we talking about here when we talk about online participation, eParticipation, which is something that is partly missing from our perspective. And it's very important to us in bringing -- using the tools, online tools, to bring in young people to also take part in decision making online. But of course this needs to be coupled with an offline participation. And therefore, again, the need to link the two also in terms of young people as individuals who are active and should be active and voice their concerns online with offline participation that needs to be channelled on an individual basis by encouraging them to take part in elections but otherwise through associations, through representatives that can follow up on their points.
Then also some concrete points. But this is something that we will follow up with you afterwards. And discuss also in Vienna on the details of the strategy. We will give you our input in this.
>> LEE HIBBARD: Thank you very much, Peter. Some good points we will take back.
Another stakeholder group, Telefonica, the Private Sector Chris Steck.
>> CHRIS STECK: Thank you I was at the panel where we discussed the principles and I said clearly yesterday that this was a good set of principles developed by the Council of Europe and I especially value the way they were developed not only that the outcome is good but also that we have a very open transparent and multi-stakeholder process developing these principles and just want to kind of refer to that again because I think this is very important to point that out. It's not always happening.
However looking at the strategy here and now here is the part where I have a little bit of maybe a kind of proposal. I mean coming from business, we like to set priorities.
And I'm missing a little bit when reading this document the clear priorities for the Council of Europe. I see a lot of you know ideas. But some of them are overlapping to a certain degree.
And I think that the Council of Europe should focus on what it does best and this is going back to what the fellow speaker just said. You know, what is --
(Audio lost).
>> Protection of legislation in Europe. And on national levels, on European level. And maybe this is not the core. Just to question that from my point of view if that's really one of the focus areas.
>> LEE HIBBARD: Thank you very much Chris. When you talk about the protection are you referring to the charter which part of the strategy?
>> CHRIS STECK: Yeah it's in Part 1 and 2. I mean there are a couple of -- you talk about the legal instrument for access to the Internet as a fundamental right. There is our preferred subject net neutrality in there there's a chart for rights for Internet users this is where I mean there's a certain overlap to a certain degree I suppose but also if you go to a level into that really I think it becomes more or less Consumer Protection where we have a lot of legislation there and working quite well honestly.
>> Thank you, I would add that this is -- this is a work which is sort of planned in different parts of the organisation. So it's been collected together. It's not exhaustive but it's trying to create a picture of what the different elements are and what we are doing so this is what's being done by services already planned for next year and the year after but yes priorities we take note of et cetera. Yes.
>> CHRIS STECK: I don't want to mistake in the end we like any measure which kind of protects you know or creates more trust and confidence in people using the Internet this is clear and I think I can speak for business here in general but you know you have to make sure that you're not overlapping too much with work already ongoing because this creates a little bit of confusion I suppose in the end. Just a notion from my side.
Whenever we speak about setting priorities.
>> LEE HIBBARD: You have a brief word to say.
>> Yes. Yulan from the Civil Society organisation against cybercrime. I would like to go to another point I have a question how about the inclusion of vulnerable people into the process of Internet Governance issues? I've seen one principle where it's mentioned about the access to information for vulnerable groups. But the problem is from time to time they exceed the information but the information is not comprehensible so in order to give them the possibility to fully enjoy their human rights and yeah, thank you.
>> LEE HIBBARD: So you mean also so literacy impairment.
>> Yes or development -- maybe the development of specific ICT programmes or projects in this area.
>> LEE HIBBARD: Thank you very much. I would suggest that we move to a little bit of data protection and privacy. We have a chapter on that. That's another big block of work. We've talked about it what Alun Michael said which is a good point about data management. We hear a lot about the individual needing to take more control of his or her own data whether it be in a cloud, it sort of links to security I guess too but it's a question of identity, as well, I think.
I know -- thank you. I know that we have -- we have this Convention 108 which is being modernized or there's a review of this text going on now and there is work planned for the future I think I would like to invite Sophie who is working with that thank you.
>> So thank you in the form of privacy, the proposals, it's the third line of action of the Draft Strategy. Some of this work is actually already under way. It's basically the two first points, which is the modernization of our Convention. And revising some of the recommendations.
Then another point would be to focus specifically on children's right to strategy and then I'll come back to what you were saying. I think it's the right of terminology. It's the legal term children. It's any person below the age of 18 but clearly we will work with age groups and we will target young adults. So that will be done. And we'll be happy to have your feedback in that.
So this is something we're going to start. There will be a consultation process. So I think we'll have the feedback of the main subjects as to what their feeling is.
And finally, the last point is it's really an open point where any new topic we will identify, we will try to tackle. So indeed thank you for already some suggestions as to data on the data sharing. We will deal with this there.
Maybe as to the multi-stakeholder format of our work, also underlying that -- underlining that we are producing some standards and the committee that's been entrusted with that task already opens up in it's working methods to several observers several perspectives we launch public consultation so we have other platforms than EuroDIG or IGF to have the feedback from the main stakeholders that's what I would like to say through the introduction and I would be happy to have your views on what is proposed.
>> LEE HIBBARD: Thank you, Sophie I'm looking at some of the examples in the text regarding genetic data privacy by design Internet of things the right to be forgotten geo location issues there are so many things to deal with. It's a lot. And the core is the Convention. I think we start from the Convention 108 and then we move from there. It's a question of priorities, as well, Christophe. So I mean what's first, what's second, what's third? Do you have any comments on this issue of data protection and the wider implications of privacy? What would be your priorities?
Paul Mitchell Microsoft.
>> Okay. So this is a huge challenge. For a couple of reasons. It's the intersection of social and technology in a way that we have never experienced at a rate we have never experienced.
So what I've read is great. It's addressing -- it's trying to address the social issues and the social needs in a proactive way.
What we're focused on is trying to figure out how to do it -- deal with it from a technology perspective.
Because the reality is we're moving into a world where we are all hemorrhaging data. You know, everything we do is leaving footprints somewhere.
And into that we have companies, we have businesses that are, you know, collecting data as a means to provide a service. So that there's a value exchange. We have companies that are collecting data not necessarily to provide a service. And we have entities that are collecting data to be -- to actively harm individuals or cheat them.
Across the industry we've seen a lot of developments in how to try to manage it. The industry started out with this notice and consent idea. And that's essentially what you see on almost everything. Somewhere there's the terms of service that you're supposed to click on. Which nobody ever reads. But almost always clicks on.
And it tries to explain what's going to happen with your data.
I think most of the large Internet service providers, the ones that are operating ethically really do try to do the right things and they have pretty good privacy policies and they have pretty good exchange mechanisms.
Within that framework, companies like Microsoft and Google and others who are dealing with the technology of accessing services and data are trying to work together on things like do not track and tracking protection lists. And other technological means to allow individuals to control. And individuals don't actually have to be people in this new world. Individuals can also be machines and agents. But to allow them to control actually the collection of data in a more perhaps intuitive way.
There are lots of discussions about whether the model is right at all. So the notice and consent model we know that people don't read it. So we know people are surprised. On the other hand, a big brother approach doesn't seem to be effective and causes other you know human rights concerns.
There's discussion about uses and obligations model, which is a little bit different. So as an example in the physical world, in where I live I can't buy any alcohol unless I'm 21 so if I walk into a store and looked you know young enough and picked up a bottle of wine they would ask me for my driver's license and I would hand them the driver's license and the driver's license actually has my height, my weight, my hair colour, my eye colour, where I live. And my birthday and enough information to basically you know let them take my identity. Okay?
They will look at my driver's license and they will take the birth date and they won't record it they will just look at it validate that yes I'm old enough and they will give me the bottle of wine. The transaction is over. And so that's a use and an obligation. I gave them more than they needed. They took what they needed. They engaged in a transaction.
From a technology perspective, how would we do that? I'll just close with one other thought about sort of extending this model. Beyond uses and obligations.
Somebody else here mentioned something around user management of data. I can't remember who. But one of the things we and others are thinking about is actually if there is a technological way to allow users or individuals or agents to manage their data in a way that accrues value to them.
So today data accrues value to Facebook to Google to Microsoft to you know whoever. And to some degree it accrues value to the individual but they don't really have the opportunity to control it. we are thinking about a different kind of a framework that actually managers on behalf of a user, an entity the data that is going anywhere. And you can think of it as kind of a market mechanism. But it's under the users control instead of Microsoft's control or Google's cot or Facebook's control.
-- control.
And I guess one last thing if you haven't seen it some of you know about Spotify at the developer conference which is Facebook's conference the rule now is if you want to set up a Spotify account at least in the United States you can only do so if you are willing to share your Facebook data to Spotify. So it's a complete change in the Spotify terms of service and rules. It's a notice and consent. But it's just one example of how things are moving around in value exchanges.
So if you value the content from Spotify you might be willing to do that. If you don't you might not be willing to the question is could you do it more granularly.
>> LEE HIBBARD: Thank you very much, Paul. Yes. Are users locked in or locked out sort of thing but the use of obligation the example of buying something from a shop there's a monetary value involved in that transaction where a lot of stuff that goes online there's no monetary value and stuff like that it's just clicking I don't know how that sits with things there's lots of things to consider. Do you want to respond.
>> One of the interesting things about the data in the technology, technological universe is that although you might think that some of the data has no value, when you are able to take and aggregate data, you may anonymize it, you may not but when you are able to take and aggregate data you can create statistical models that allow to you create value they allow you to completely change the way you offer services to some extent see it every day in the way Google works binge works Facebook works although they have personally identifiable information they have a lot of information you would probably think is useless but put together it means something if you want to really think in the extreme the mobile phone you're carrying around with you probably has a GPS in it so it's throwing off information wherever you are so it's probably got an accelerometer in it so can probably tell if you're walking fast or slow that data is being continuously spewed out so you can imagine perhaps it could detect gee this person seems to be running a lot maybe they are under stress they seem to be moving around in a herky-jerky manner perhaps they are headed for a heart attack and their human resources rates go up it's farfetched but it's just an example of how much we put into the environment without really knowing about it and that might be data again you think has no value but in a context like that it does.
>> LEE HIBBARD: I tend to shake my leg a lot so it's a bad idea for me to have a phone like this thank you for the tip I think this smacks a profiling of data and of personal data I know some of you might want to come in on this point but before we get there this begs the bigger question on privacy and democracy and who we are online and that's a much bigger question and Alun Michael does that somehow respond to your issue of data management or not.
>> ALUN MICHAEL: Yes it is it's getting into those areas the trouble is very often we deal with one issue so protection of privacy and not -- I gave the example of violence. Medical data about a car that's been attacked up in an emergency unit if it's a question of saying this person was in that bed with this set of injuries that's very personal to that individual but actually knowing where that incident took place, what time of day, what sort of circumstances helps you to profile and therefore prevent victimization in the future.
So I think one has to bring these two areas, the area of privacy, sometimes in relation to sharing of quite personal data but in a way in which it's anonymized and has a public purpose which is in the interest of this case potential victims all of us you have to have that as part of the discussion I think very often we tend to have discussions about silos so there's a silo about the need to protect privacy and a silo of saying how do we anonymize data for public policy purposes actually those two bits of debate need to be in the same room and I think that's the way I would like to see this debate being pursued.
>> LEE HIBBARD: Thank you this is a first step towards that in some respect it's also to create awareness and to create a sense of oh we're actually doing this and that a synergy we need to think about bringing this together. Paul you want to come in.
>> I think that's really important. Because in the end, it's the bits and pieces of technology that are going to ultimately implement whatever these policies, laws and rules are. And when you try to factor them into individual silos, you get in the implementation phase you end up getting something that ends up being unworkable at the pace all of this technology is changing the reality is all of the data I mentioned you were spewing out nobody thought about this they thought GPS would be cool and an accelerometer will let you play games on your phone. And in truth in the hi-tech world that's kind of the mindset you would use to do some innovation you invent and you end up creating a problem and sometimes the problem is really a social problem not a technology problem. And the attempt to --
(Audio lost).
>> Roles for individuals. But to some extent it becomes a game of whack a mole and we would like to stop that if we could.
>> If I can just say I think one of the issues is the definitions which are common sense human definitions and then looking at how they roll out in terms of what the technology can do and what applications might bring. I mean going back to this very simple thing of can you share data, which might be private data for the purpose of crime prevention, I remember in terms of the legislation some about 12 years ago we were having great difficulty because there was a mindset amongst data controllers and data managers if in doubt don't share. And that leads to the sense that there is not a judgement to be made because there's a safe place to which I can retreat where actually there's always a tension. And judgments have to be made.
Now, I think this is where we very often get into difficulties with legislation. If you try -- if you try to define in legislation those matters that have to be made on judgments rather than defining the principles against which you make the judgments, then you end up with bad legislation which is not flexible and doesn't keep up to date. And I'm not talking about keeping up to date with the technology or software applications. I'm talking about the way people behave, as well. So it's -- it's getting into that sort of area of sophisticated discussion of about how you legislate sensibly for the principles against which judgments have to be made. You can't escape from the fact that human beings and administrations have to make judgments.
>> LEE HIBBARD: Human behavior I'm going to jump to another speaker. Human behavior, I mean yeah I think there's the need to talk -- I think we do need to talk about these issues with the companies and for example the Council of Europe. And we tried to do that actually in some of the work. We have done some guidelines with ISPs and the governments talking to together which were a hybrid thing which were a hybrid thing and it was a useful tool that needs to be done profiling is still there. Do you want to come in.
>> Yes, good morning I'm policy manager at the protection authority.
Just one quick comment first we are very glad to see this commitment of the Council of Europe in Internet Governance this is very useful because at a certain moment you talk at a certain moment you have to decide things.
And let's face it, of course maybe it's a little provocative but we were talking yesterday of global public interest. You know I think there's more interest than global public interest we aren't living in a perfect world where there would be one global interest the reality is there's a fight for some economic policy called interest and it sounds logical that Europe tried to bring its voice to this debate. And in the end we hope to at the global edge we -- we have the Convention but the first point is to come up with something. So it's very useful. So thank you to the Council Members.
The other thing is this Part 3 is very complete. It refers to the Convention 108 so we will see what will happen in this review so I don't want to comment on something that will happen but it looks very encouraging and just one quick question there is a list that's very useful on the trends. The thing is when you start a list, you can say why there is no Cloud Computing for example? Which is Cloud Computing -- maybe I didn't read it well privacy by design right to be forgotten -- et cetera, et cetera, et cetera. Yeah. So you see now. Yeah, I think you have to be concrete of course at a certain moment. But the danger is you will still find someone to tell you oh you just forgot this you forgot this. Well maybe a little prioritization of subjects. If you mind it can be interesting.
The other topic I would like to raise is maybe you can mention the thing that governments are maybe asking too much personal data for political repressions in many countries of course outside Europe. Let's hope so.
We have -- we saw that during the last revolution, Internet Revolution. And the best tool to catch a revolutioner is to access his personal data and try to -- where was the connection be? Who are his friends on Facebook and everything? So we just learned that those governments talk to people to have your password and then they can access personal data that's very sensitive. And I think it's really an issue to raise now. Because there will be some temptations for many, many governments to continue that way.
Because as I say yesterday on the panel, information is power. You are the information -- you have the information of someone. You have the power of someone.
So it's logical that those governments will try to get as much information as they can on revolutioners. And let's hope that also it will prevent some European governments to be tempted to gain some information on citizens that maybe -- you know we never know. We are living in troubled times.
So thank you very much.
>> LEE HIBBARD: Thank you. I can see Sweden nodding I would like -- we are running out of time. We have five minutes so Thomas you have 35 seconds perhaps.
>> I'll be very brief. Just two remarks. With regard to the treaties that you're about to develop, you should try to find new ways to make it more open for global -- for other countries to exceed. That means but you have to involve them in some sort of deliberation otherwise you'll run into the same problems you have with the Cybercom Convention and the priority for all of this in the end should be freedom of expression democracy and privacy to the extent it's necessary for freedom of expression and democracy that should be the focus because there's no democracy and no freedom without freedom of expression with a working media system, quality content so on and so forth. Thank you.
>> If I may, I think it was a general remark. But just to give an example. Precisely the data protection Convention was drafted 30 years ago and it was drafted with Canada, United States, Australia, Japan so we already have this open discussion with them.
I think it was reflected in the principles that we agreed. And it's open to any country in the world.
So for this particular Convention we had this open from the beginning now that we're modernizing it again we're associating everyone in the world to contribute to it.
>> LEE HIBBARD: Where is the G 77 that's a good question we should ask that question after we finish.
We have DiploFoundation with us a partner in the EuroDIG process in particular what do you want to say Vladimir what do you want to say.
>> VLADIMIR RADUNOVIC: In the involvement in different actors in building up the recommendations and so on one thing is involvement of them in bringing up the recommendations the second one is involving them or making them capable of reflecting and implementing all of these recommendations at their local levels and when you come out of the European Union countries I don't know what's the case from European Union countries but coming from Serbia the governments and parliamentarians are not aware of what these things are even if they have people participating in bringing the Convention within the Council of Europe and we know Serbia has very good people over there but the parliamentarians the Government isn't capable of following up on them and really putting them into practice so I think building capacities among the parliamentarians and policy Marc in also European countries but also out of Europe is something Council of Europe should have as one of the priority focus and especially having the fact you have a lot of parliamentarians yourself as well and you have this possible impact you can make as a good example to the other parliamentarians and policymakers so capacity building is important.
>> LEE HIBBARD: Thank you Vladimir we'll have to wrap up now. That's another good point another proposal. Priorities have to be made and I'm very glad that we have the Director of standard setting and Director General here so I hope they take good note of the need to make the priority list shorter, longer, I don't know. We'll have to see but it's work in progress we should go to Point 3 of the agenda which is about what is multi-stakeholder dialogue for the Council of Europe of -- what are we trying to do it's rather the question of process how do we get there how much consultation is enough before something is decided in the Council of Europe. We're very much trying to reach out and pull as many stakeholders in I think it's a learning process for many people it shouldn't just be about Europe I think it should be broader and I'm glad the comment from Microsoft Paul in particular.
If there are no urgent burning interventions regarding how to get to a perfect balance of perfect stakeholder dialogue in the Council of Europe I would like to pass to Jan Kleijssen to give a quick two-minute wrapup please.
>> JAN KLEIJSSEN: I'm not going to attempt to wrap up everything that was said just to thank you all very much all those who spoke for your comments and your suggestions. We've taken good note. As I said earlier, it's very much still a Draft Strategy. And it will be amended following your comments as indeed it will be amended following Vienna I hope. I would like to encourage all of you who perhaps didn't speak but would like to contribute to do so in writing. I think our Web site is sufficiently known. It's on the brochures that have been distributed and are available at the Council of Europe stand downstairs. We would very much welcome your comments. We still have about half a year to go. Slightly less before this will be up for formal adoption.
So a lot of changes can be made. We have taken of course lots of them on board already.
And I think on behalf of all of the Council of Europe staff thank you very much for what I think was a very good exercise in multi-stakeholder dialogue.
***