FINISHED TRANSCRIPT
EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES – ENHANCING MULTI-STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
OCTOBER 23, 2013
8:00 A.M. – 10:32 A.M.
WS209
AN OPEN INTERNET PLATFORM FOR ECONOMIC GROWTH AND INNOVATION
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********
>> KAREN MULBERRY: Hello. I'd like to welcome everyone to our session this morning. It's the workshop on an open internet platform for economic growth and innovation. I'm Karen Mulberry. I'm with the Internet Society. I'm the moderator of this panel today.
During the past several decades the internet has become a key platform for innovation. It's contributed a lot of economic growth globally, regionally, and locally. And through this, in fostering this open internet and a free flow of information, it increased the transparency and exchange of information between collaborative communities and is built upon the premise of openness, open standards, open collaboration, open innovation.
All of this is very, very important, particularly when you look at the OECD recommendation on the internet policy making principles. It has three very key aspects when you look at the 14 principles. It's the promotion of the global free flow of information, it's the preservation of the open, distributive of the internet and the adoption of a multi‑stakeholder approach to developing internet policies which guarantees transparency and effectiveness.
When you look at these three common themes in the OECD principles, what comes out of that are, in essence, four key areas. It would be technology and open standards and the enablers that open standards create not only for today but for laying platforms into the future. When you look at the economic and what that contributes to open markets when you look at society and the fact that the openness process contributes to the free flow of communication and information. And finally, when you look at governance and the fact that the collaboration actually encourages us all to get together in a multi‑stakeholder dialogue and contribute to the management of the whole. Using that as our opening, I would like to have our panelists introduce themselves and then provide a few remarks.
>> Thank you, Karen. My name's Chris. I'm an external relations officer with a regional internet registry for a service region covering Europe, the Middle East, and Central Asia. It also facilitates the community of policy development. It's a founding member of the Internet Technical Advisory Committee. And in that capacity I work as liaison to the CISP working party within the OECD or ITAC.
Openness is essential to the work we do as an IRI. In a technical sense, the internet is conceived as an open network. The free movement across the network and end‑to‑end connectivity are fundamental. And there are a lot of concerns right now for the continuance of that model. You probably hear a lot about the need to move to IPB6 and the exhaustion of the 4 addresses. A lot of our concerns in that area are driven by the fact that with the exhaustion of 4, suddenly we find network operators are restricted in how many of those addresses they can use and that they need to work around this using technology, network address translation, which allows multiple users on the same IP address.
This breaks the simple end‑to‑end model. With that comes the risk of the characteristics that make the internet so adaptable and dynamic, characteristics like innovation without permission.
The openness in that technical sense also translates then to the way the communities work. In the case of ripe, we make policies regarding the management allocation registration of IP addresses. Openness in that model is very fundamental because the internet is, in a real sense, built on trust. The resuming decisions that network operators make are based on the registration that RARs make publicly available. And that, in turn, is vital to ensuring the uniqueness of IP addresses, which is also vital to ensuring you can actually reach the part of the network you want to reach, whether it's a website or e‑mail address.
In the case of the RAR communities, this is achieved by working on mailing lists through meetings open to any interested party. And like everyone else, the last decade has brought changes to the way that works in practice. While the community has always been community to anyone, the reality was, for many years, that it was essentially a community of techies and network operators. While that's still true to a great extent, we've seen increasing interest in what we do from the public sector, from the law enforcement, from Civil Society and academia. And ensuring that our processes are open to those stakeholders not just technically but in a way that recognizes the challenge that still exists for full participation has been a challenge for us over recent years.
I've spoken largely from my own experience with RARs here. But many of the same arguments hold true for organizations like the ITF, IEEE where trust in the process of developing standards in an open way is vital to reaching consensus on the best solutions to whatever technical challenge arise. As the internet grows, it's also vital to ensuring that those standards don't conflict.
I'll leave it there.
>> JEREMY MALCOLM: My name is Jeremy Malcolm. I work for Consumers International. And I also happen to be a member of the Steering Committee of the Civil Society Information Society Advisory Committee to the OECD. So it was a great pleasure for me to be invited to participate in this workshop representing a segment of Civil Society. I would like to take a contrarian position wherever I can. So I'm going to talk about why I hate openness.
[Laughter]
That's an exaggeration, of course. We do agree with the substance of the council recommendation on internet policy‑making principles and we do agree with open standards, open source, open governance. But there are a couple of instances where openness doesn't favor a process that's good for consumers.
I'm going to give a couple of examples of that. And from the workshop description, there was a passage that struck me. And that was that any unnecessary restrictions such as trade barriers can inhibit growth. And I think openness does not equate to no restrictions. We don't think that growth at any costs benefits consumers. There are some limits that are appropriate to protect other values. And one of those values, of course, that's very current at the moment is privacy.
So a couple of areas in which a more closed process or a more closed procedure can protect privacy is in relation to online tracking and the free flow of information. So I'm going to deal with those two separately. They're both about privacy in some sense, but online tracking is a narrower one about tracking people online using the web and generally is in relation to a commercial tracking. And the broader one, free flow of information, is more of a policy that we are finding in trade law about making sure there are no barriers to the flow of information across borders, including for commercial or, indeed, for other purposes.
First, online tracking. This has been a concern on both sides of the Atlantic. Of course the European Commission and the Federal Trade Commission both decided that they wanted to do something about online behavioral advertising and to give consumers a choice about whether they were tracked online. But rather than regulating, they decided to delegate this to the Worldwide Web Consortium which was seen as having an open multi‑stakeholder process that could deal with this problem. Unfortunately they were wrong. The W3C process was open, and yet it is still being described as a colossal failure. And those are not my words. Those are the words of the Digital Advertising Alliance, an industry group. But Civil Society, privacy advocates, are of the same view that this process has completely failed.
So why is that? If it's an open process, surely that's the way governance should work. Well, actually, not in all cases. There are cases when a purely open process can actually be very open to industry capture. That's where we lay the blame for the failure of this issue at the W3C. In our view there are cases where business interests are directly impacted are, such as in the case of online behavioral advertising, where you need to have a firmer regulatory hand before you can knot out the details in an open standards development process. So what we think should have happened is that the commission and the FTC should have given stronger, clearer guidance and basically told it what standard it should be developing rather than leaving it open for a working group that could be captured by industry and ultimately would fall down and fail. Because as a result of leaving it open, the ball is now back in the regulators' court and expect for them to do something ‑‑ and we've lost two years in the process.
That's one case. In fact, the OECD model is a little better. We have the Information Computer and Communication Committee, the ICCP, which is an intergovernmental group. And then we have three quite structured Advisory Councils, including Civil Society, the technical community and business all have their roles to play. And that structured sort of process can actually be more effective than a completely open process like the IETF where it's an open door but there's actually no structure within that.
So that's the first thought I want to give on how a more closed or more structured process can be better than a completely open process in certain policy areas where there are contested issues and commercial interests at stake. The second example of when we don't support openness in its purest form is in relation to the free flow of information across borders. And this is a trade policy that goes back to the gaps which says in Article 14 that nothing prevents a country from implementing measures for the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts. So this is the kind of provision that allows countries to limit the flow of information across borders.
When we go to the OECD, we find it slightly narrower. So the OECD guidelines on the protection of privacy and transporter flows of personal data, turns the wording on its head and says member countries should avoid developing laws, policies, and practices in the name of the protection of privacy and individual liberties which would create obstacles to transporter flows of personal data that would exceed requirements for such protection.
So it's not actually saying something different. But it's emphasizing it quite differently and saying don't develop privacy laws if they go beyond what they really need to. So this is a shift of emphasis that I would question given that privacy is a fundamental human right and perhaps should come at the top of the consideration of transporter flows of personal data.
It's recognized, of course, in the universal declaration of human rights, the Council on Europe convention 108 and other instruments. So currently, the Trans-Pacific Partnership is under notion and they're hoping to wrap it up this year. The Trans-Pacific Partnership contains new text of the transporter flow of personal data. There is a push from industry to make it even stricter than either under GATS or OECD principles.
The current text in bilateral trade agreements on free flow of information says something like recognizing ‑‑ this is from the Korean, U.S. ‑‑ it says recognizing the importance of free flow information and facilitating trade, the parties shall endeavor to refrain from imposing or maintaining necessary barriers to electronic information flows across borders. But there's pressure from industry to even narrow the scope of restrictions on information flows. For example, by removing the text across borders so that even information flows within the country should not have restrictions to protect personal privacy at the expense of information flow.
So this is a real tension. We want to make sure that in instruments like the Trans-Pacific Partnership, the flow of information across borders is not given a higher priority than the fundamental human right to privacy and confidentiality of personal information. And so this is the second example that I want to give of where openness is not actually the highest value for consumers in such cases. There are higher values that we think should prevail.
So in summary, we do support openness. However, we don't support it blindly. There are areas in which openness is just one interest that has to be balanced against other very important interests to consumers.
Thank you.
>> NEVINE TEWFIK: Good morning. I represent the Civil Society, member of the Asian Chapter and on the board, presenting in general. It's a great topic. It's great to be in Bali for the first time.
The chapter of the Board of Directors. I'm also a member of the Institute of Egypt, and the Board of Trustees of the Information Technology Institute, also part of the Ministry of Communications and Information Technology. Also part of E‑Commerce which helps address obstacles in Egypt that hinder E‑Commerce adoption. And that can be done in different sectors of the economy government and private sector and other entities to overcome these issues.
Addressing in today's topic two aspects: one in terms of citizen participation in policy making and decision making, and then at the end on the issue of business creation and experience of the E‑Commerce so far.
Of course, reflecting what's happening in these times in Egypt and our countries, particularly in the presence or following the Arab spring which is still unfolding.
In the issue of citizen participation and activities and trying to influence policy and the public opinion and the way policies are being made, we have seen evolution of openness over the last two years, particularly in countries like Egypt where the people's opinion is being heard and they can influence to a larger extent how policies are being adopted.
Unfortunately, what happened on the 3rd of July, this was reversed back 180‑degrees. And we see now again a crackdown on online participation as well as, of course, offline activism.
We see this in Egypt, but also in different countries across the region. We see limiting access to websites, putting obstacles in terms of creating websites that have ‑‑ update news information and different points of view than being ‑‑ by government agencies. The process is quite difficult to adopt. As well as blocking internet services such as what's up, viper, and tango in different countries and citing the main reason to be issues of national security which is a very broad phenomenon, also the issue of following online bloggers as well as online journalists and prosecuting them in courts, in some countries actually military courts. So we see this kind of development that is the anti‑openness and anti‑participation of the decision making for citizens and society.
And as I mentioned, it affects what's happening in the real world. We see this reflected in the opinions of activists. In part of the mag for the ‑‑ we had our second in Algeria two weeks ago. And the session openness and content, these issues were quite obviously highlighted from different countries in the Arab region. So there's a plea to Arab governments to try to promote openness and not use issues of security and national security as just a reason to block access and to block content creation and block citizen participation.
In terms of business creation, the issue of E‑Commerce is being seen as an opportunity to propel the economy in different economies in the region, particularly because we have a young population. In some cases, wants to be active online. They are active in social media. So getting the extra mile trying to do commerce and financial transactions online is certainly a possibility.
We see internet at an acceptable level but broadband penetration is quite low, single digits in most Arab countries. Some countries are investing high in infrastructure development that promotes fiber to the home and other broadband access. Access and mobile data is one of the highest areas of growth in the Middle East and emerging markets. But there are obstacles for E‑Commerce to flourish in the short to medium‑term.
We see some challenges, particularly in the work of national commodity that I participate in, issues of payment, particularly lack of credit cards; credit cards in general, and credit cards that have online access allowed. In particular, we see less than 10 million credit cards have been issued. Maybe only 1/4 of them has online access possibility. We see issues of hosting, hosting in‑country, provides hosting capability but the pricing is still quite high.
We see tax issues. Taxes have to be paid services rendered. The consumer is not yet familiar with the issue of paying taxes, particularly off online services so that this has to be addressed with awareness and ‑‑ a consumer awareness and get familiar with doing transactions online to begin with. It needs to be enhanced through different types of campaigns.
And then the ecosystem for E‑Commerce needs to be strengthened. Issues of payment. The creation is there but on a larger scale, because talk about 90 million people in Egypt alone. Payment when the service is on rendered, goods are delivered, can be done but campaigns have to be created. And this is still an obstacle.
So the point here is there is a very strong potential for SME, for small and medium businesses, for consumers to be on the wagon of E‑Commerce and online trading ‑‑ no, online transactions. Government put the right legislation in place as well and have promoted people's faith and trust in online activities.
Thank you.
>> JOSEPH ALHADEFF: Thank you. My name is Joseph Alhadeff. I, too, participate in the OECD through BIAC, the business voice in the OECD. We left one constituency out. There's also TOAC, also an observer in the OECD, ICCP.
Apart from BIAC, I also chair the Digital Economy Commission at the international Chamber of Commerce. Through BASIS helps coordinate participation for business. And then in my day job I seem to work for Oracle.
Openness is a very important concept and has a lot of meanings for a lot of different people. In a way, the concept reads a little bit like modern art in the sense that you bring to the painting something to help interpret it whether it's a woman sitting on a chair or an apple sitting on a table. It's up to the viewer to decide what the painting really imports. But one of the things I think that we see with open is open and association to a multi‑stakeholder process is an important concept and linkage. And they go very well together. And I'm going to use a couple of the examples that have been raised about this. Because there is ‑‑ when you take a look at all of the major documents that deal with privacy, they deal with the combination of two concepts, the importance of the free flow of information and the importance of appropriately protecting individual rights and making sure that trust and security are elements. And too often we consider that a balancing act when we should be considering it mutual optimization. You get the whole is greater than the sum of its parts. And as we look to these issues, that's where the multi‑stakeholder dialogue comes in to be beneficial. Because often when you're anchored into a text, everyone is also bringing into a text a reading of it that has baggage.
When we look at the issues of privacy, when we look at the issues of open, when we look at the way governments do policy- making, we end up looking at from a business perspective what is the level and the detail of the policy-making? Because policy- making and regulation that goes to the what that discusses frameworks related to it and provides guidance to it is actually useful because that helps embody legal certainty. But when you get to the how, you start to create micro‑managing of processes that then can serve to stymie innovation and serve to actually limit the applicability of those rules in various context.
So one of the things we see is, what is the appropriate level of drafting? A number of the OECD instruments are actually wonderful because they stand the test of time because their level of drafting is at a level that people can apply differently over time. So there's an adaptability built into them.
Obviously if you're drafting a regulation, you have to be more specific than that. But when we look at some of the implementations of data protection regulation, for instance, we get to data protection regulators specifying an eight‑digit, alpha numeric pass code. That is not a useful specification. That gets to be an interference with actually the way you develop and design technology.
So part of this openness, part of the ability to use all the resources to make sure they are available to others, is making sure we are looking at them at the right level, to be appropriate in safeguarding rights while not micro‑managing the models and the technology that serve to underpin innovation. And so that becomes one of the parts where the multi‑stakeholder dialogue helps create understanding and helps enhance the concept of openness.
It's an issue we have in the context of free flows information. So clearly information underpins the digital economy and the information society. There's no question about that. Some people call it the new oil or the new currency, whatever term of art you want to use. It is essential. It flows more than ever today. It's likely to flow even more tomorrow.
Artificial constructs which try to keep information in one location actually serve to stymie innovation and don't have benefits. That doesn't mean that issue as fundamental rights shouldn't be considered when you talk about data flows. They have to be considered. Because if you undermine trust in the network, the network will lose its value. But we have to figure out how to develop the win‑win outcome of those where you're looking to optimize the solutions. Because I do believe you can have privacy and security. You don't have to choose between one or the other. And part of the way we do this is by preserving the openness of the internet, preserve the inclusiveness the internet, preserve the multi‑stakeholder conversations. And that gets to the point where when you do develop some protective regime related to the protection of a fundamental right, it's not a question that you're saying, oh, that regime shouldn't exist. But we all have to recognize that that regime probably has four or five different methods of implementation. Many of which might have equal effectiveness. But the effectiveness may come with different levels of burden and different levels of micro‑management of processes. And it is completely legitimate to suggest that if you can find an equally effective way that has less of a burden and less of a disincentive towards innovation, that's the methodology you should choose. In fact, that was one of the concepts that was embedded in the revised explanatory guideline to the OECD privacy guidelines.
If you haven't noticed, they have gone through a revision and a new version of an ‑‑ supplemented version of an explanatory memorandum. And Verena will be happy to give you the website linkage to that.
I should also remember, since Cloud is one of the major topics in the context of open, the OECD has done some very important work on Cloud including an original background paper they did a couple of years ago which actually still stands in great stead as a very good basis for how you should think about Cloud in the context of policy making.
The last comment I'll make is that when we think about the concepts of open and we think about concepts like Cloud and data localization and these other issues, we have to also understand that we have to think of the level of the ecosystem. Because we have lots of moving parts. And you can't just look at this one policy and say how this works. So in APEC there was a document that looked at a number of different factors that governments may think about as they develop policy to help foster innovation and things of that nature. And the concept was that it's a matrix where all of these factors are interconnected. If you hold on to one, you affect all of the others. So we have to think of these things in an ecosystem context so that we can figure out how action in one space is acting upon action in another space, which unfortunately means that we all have to become renaissance individuals now. Because while our current technological society is pushing us towards greater and greater specialization, we need to think as generalists as well. Because you have to consider multiple factors across multiple scenarios to understand the impacts of any action.
So we have now a basis upon which we all need to take our minds for a walk and have a stretch, because too narrow thinking, while it may lead to great expertise, may not actually be what we're looking for. So open is open in the scale of thought and perspective as well.
Thank you.
>> CHRIS HEMMERLEIN: Good morning. My name is Chris Hemmerlein, National Telecommunication and Information Administration, in the U.S. Department of Commerce. At NTIA, I work on a broad portfolio of internet governance issues. I do a lot of work in the multilateral forums, ITU, APEC and other subsidiary bodies of the U.N.
As the lone government representative up here, I take very seriously my responsibility to make the most Adenine and uncontroversial comments this morning. I hope I won't disappoint there.
Broadly speaking, openness, of course, is very important to the United States government in the way that we address internet policy making. From our perspective, openness means inclusion of other parties and stakeholders into our deliberations, and transparency into how those decisions are made.
I'm very happy that the OCD organized this panel. I was fortunate enough to be detailed to the OECD while the policy making principles were being developed. We're very satisfied. We promote whenever possible the policy-making principles. We think they represent a clear articulation of our position as how the internet policy making should be done.
Talking about policy-making processes from a government perspective two are quite relevant. If you're reading from top to bottom, number five which says encourage multi-stakeholders cooperation in policy development processes. Simple enough.
NTIA ‑‑ the U.S. government in general, the NTIA specifically is very respectful of the multi‑stakeholder process. We're very aware of the legacy from organizations who are so responsible for the growth and success of the internet. And we certainly try to emulate whenever possible the multi‑stakeholder processes that those organizations embody. And we certainly do whatever we can to stay out of their way when necessary.
Also, number eight, which is ensure transparency, fair process and accountability. I like these two together in a way that they draw a distinction between openness and multi‑stakeholder approach. They're not always the same thing. So when the pure multi‑stakeholder approach isn't possible, we certainly like to be transparent and open in the way that our decisions were made to be accountable to our constituents. And allow them to influence our processes to the extent possible at any time.
These principles are reflected in a number of way that we make decisions in the United States. Our Congressional processes are, of course, quite open. Our rulemaking processes of the Federal Communication Commission, their notices and comment processes is very open. And then we have an open advocacy and advisory process for U.S. delegations to the ITU and other organizations like that. Which I think is germane to the discussion that so many of us have had this week on the role of governments in internet policy-making. We certainly think that advocacy for the open internet and wealth creation is very important in our position in these organizations are always informed by consultations with U.S. industry, Civil Society groups, and other interested parties.
I'm going to wrap it up right there. But I look forward to a good conversation.
>> KAREN MULBERRY: Thank you very much. The panelists, particularly Chris, you mention the OECD principles. There are frameworkS for an open and inclusive approach to internet policy making. I'm not sure how familiar everyone is with the 14 principles, but I thought in terms of providing some context for our discussion on openness and inclusiveness and multi‑stakeholder, maybe I would provide, again, some of the ones that I, too, think are important for our dialogue. And then I will ask the panelist some questions. And hopefully the participants will also have questions along those lines.
In particular to me, the most important one is item number one. And that's promote and protect the global free flow of information. The second one is to promote the open and distributed interconnected nature of the internet. Third is promote investment and competition in high‑speed networks and services. Fourth is promote and enable the cross border delivery of services. Fifth is encourage multi‑stakeholder cooperation in the policy development processes. Sixth is foster and voluntarily develop codes of conduct. Seventh, develop capacities to bring publicly available, reliable data into the policy making process. Eight, ensure transparency, fair process and accountability. Nine, strength and consistency and effectiveness in privacy protection at a global level. 10 maximize individual empowerment. 11, promote creativity and innovation. 12, Limit internet intermediary liability. 13, Encourage cooperation to promote internet security. And the last one, give appropriate priority to enforcement efforts.
So those are the 14 principles that were adopted in 2011 through the OECD process. Now, as that relates to what we're talking about in terms of the economic value of openness and the contribution to enabling innovation, I'd like to ask the panelists some questions. And these are questions that were contributed to this topic through the open consultation that the IGF held prior to the start of the IGF in Bali.
The first question in keeping with the OECD principles is, how does the development of the internet's open standards contribute to innovation and economic growth?
So who would like to take that on?
>> I think innovation without permission which I mentioned before, is a really fundamental social benefit that the internet is able to give us and that is facilitated by that openness. I think the second point you mentioned, the second principle, promote the open and distributed interconnected nature of the internet, really speaks to that and is about protecting that and ensuring that there is that ability for stakeholders in any group, working in any environment, you have an internet connection, have access to the internet, are able to innovate, are able to use that end‑to‑end connectivity to develop new ideas. Whether that's, you know, the next Google, Skype, or YouTube or whatever it is. I think that's a really fundamental social benefit in terms of sharing the opportunity.
So it's not something that's just restricted to, first of all, developed economies. It's something ‑‑ we already see this in a lot of the development of payment systems and micro payment systems in developing countries, where people are actually using the internet to be able to develop systems that benefit them, benefit their communities.
>> I don't disagree with any of that, but I do think there also comes some responsibility in the development of standards and applications to make sure that what social impacts they're going to have and that involves bringing in other viewpoints, maybe besides your own.
There are technologies that have caused some problems, like think back to the first developer of Netscape who decided to put cookies into the browser. Maybe that was a good idea, but it's caused a lot of problems. So maybe it would have been better if they had actually consulted some privacy people before they did that, and it might have saved trouble in the long run.
So I think, yes, permission innovation but make sure it takes place in a context of consultation and discussion. And the IGF is a very good place where that can happen.
>> I want to go back to the value of open standards and then pick up on the comments. As a company that ‑‑ I'll put my day job hat on. As a company that works in an open standard space, one of the values of open standards is while we make something very large and complex that may not be able to be made by everybody because of the amount of effort it takes to put however million lines of code actually go into one of the major software packages if they're done in open standards, it allows other people to leverage smaller, functional packages that sit off of them. So that actually they don't ‑‑ it's not that they have to innovate the same thing, but it allows them to innovate off what's been made. And we see that as a beneficial, holistic environment. If people make applicationS that are useful that sit on top of our software, then that makes the software more useful and more accessible to other people. So it's an environment and a win‑win situation which is facilitated by open standards.
I would say when we talk about ‑‑ and I think the internet is a perfect example where when you take some of the new applications in Cloud and other things, you actually don't need a whole lot of technical knowledge to start beginning to innovate on those. You can actually leverage the technologies that are there. You don't have to reinvent them. And you can actually use ‑‑ I put some modules together and now I have a solution and it didn't take a lot of code writing or technical knowledge to create something innovative on top of existing technology.
The one thing I would caution, though, it's not the question of whether you need to think about how cookies are used but often technology that is designed for one push is used for a purpose that isn't foreseen when it's designed. So I just want to caution that I've got no problem in saying we have to look at the use of the technology, but we want to make sure that we're not demonizing the technology itself rather than it can be used for something appropriate or inappropriate. That's a conversation that's been had a lot in the RFID space where it's RFID can be evil. Well, no, there are uses of RFID that can be problematic, but the technology itself is not the problem; it's how you use it and do you understand the proper context of its use.
>> I just wanted to respond briefly to Jeremy's point in terms of the Netscape example, just to follow on the example you had. I think that's, perhaps, an area where there are tradeoffs obviously with open processes. And this is one of those that you're going to have elements that emerge that with hindsight may not have been used the way they were intended or may just have been a mistake from the beginning. I think that's where sort of this fits into a broader paradigm of open processes. Because as you say, the IGF, there are other venues as well, where, ok, this system has been developed. We come into an open process where people say, hang on, this is not something we want, not something productive. So in some ways openness can be its own self‑correcting process.
>> I believe the area of open is quite important. From the perspective of developing economies, it allows some other economies, or developing economies to participate in the development of application and tools that address issues of nature to these particular geographies or countries. The example is the issue of addressing economic problems that can be resolved with technology adoption. We have issues of putting subsidies for fewer consumption, for food imports. And if you utilize technologies like machine communication or sensor‑based networks to optimize consumption of fuel and gas, you can really address issues of national scale to these economies.
So if these applications are built in open standards, then developing countries with their scientists can participate in developing applications and tools that address these specific problems. And don't have to rely on tools developed somewhere else and that have to be fine‑tuned or recalibrated to work in a different environment.
As a following point, and we can then participate in putting these open standards together. Once you have the expertise of building your own tools and enhancing protocols, you can then invent a newer protocol and build an open standard on that as well.
So it's a cycle. Starting point is quite good because you have an economic problem to be addressed. You're spending so much money on addressing it. But the money is not spent on developing a solution or technology or tool. It's just spent on importing goods and services.
>> KAREN MULBERRY: Thank you. I think in this conversation and in the point that resonated with me, with what Jeremy said, is that in the context of openness, there's also a balance that must be struck. And that's truly why it's important to have a multi‑stakeholder approach to the conversation, to ensure that you can strike that balance, that you can create enablers that are of value to developing economies. But also need to be aware of the potential unintended consequences. So as things evolve, maybe there's usefulness in continuing to revisit where you came from to ensure that you are promoting or enabling something that shouldn't be continued and used in a way that it is being used or even be considered to be used. Because then it needs to be readjusted in some fashion. And there, again, the collaboration of the community would be of value to ensuring that. At least ‑‑ hopefully I'm paraphrasing this appropriately.
Any questions from the participants?
Yes, sir?
>> My name ‑‑ I'm the chair of the Web Payments Group at the Worldwide Web Consortium. I'm trying to ground the conversation a bit where the things that the panelists have said, where basically the rubber hits the road. Right? So the problem that we're dealing with right now is we're building payments into the core architecture of the web so we want to do to payments what e‑mail did to personal communication. You should be able to put in somebody's address and send them five cents. It should travel around the world in milliseconds. And having that as a foundational first class feature of the web is something that we're trying to accomplish.
Now, the problem with doing that is that there are regulatory issues, policy issues, and we are effective a group of technologists. As Jeremy pointed out, the work primarily looks at how do you do it, not necessarily what the ramifications are once you do it.
Now, we would like to think we're fairly open-minded and thinking holistically about the problem. I guess the question to the panel is, how do we ensure that we have the right policy framework to develop this technology? The technology is the easy part. It's having conversations with folks like the people on the panel that's the difficult part. So how do we get more policy people into the fold?
The other problem, as Jeremy pointed out with the W3C, is that a lot of the work continues without policy people involved directly. And the reason that is is because the engineering side of it is afraid that we will get mired down in political, geopolitical debate rather than creating a technology for a very specific use case. So we tend to look at things as the technology's not evil or good, it's just the technology. And we're hoping that it ends up being use the in the right way.
So the general question is: We're building this payment mechanism into the core architecture of the web. It's happening right now. We don't have policy people at the table. How do we get more policy people involved?
>> I think this speaks to a sort of wider question that I was sort of considering before this panel which is that open processes are actually ‑‑ can sound a little hippy and an easy way out. But actually open processes in development are really hard. They have a lot of real challenges that they present. This has been something, from my experience, with ‑‑ of the ‑‑ like you, technologists making decisions but really over the last few years have seen a much greater interest from the public sector from policymakers. But while we have open processes and open community, anyone can take part. There are challenges to actually allowing people to participate, from the public sector ‑‑ well, in our discussions there's really a very sort of ‑‑ people feel very free to say what we want on a mailing list. I think the policy mailing lists get rough and tumble.
As a government, or a government representative, you're not going to necessarily dive in there. What you say is going to be taken as representing the government position. So too often what that means is they won't actually participate, they won't contribute. So while we say everyone is welcome to take a part in this process, the reality is that often a lot of people won't feel able to do that. Speaking from my perspective, we've done a lot of work to try and mitigate that. And that's involved sort of specific events and forums for government people, actually closed meetings where we say, ok, we're an open community, but we will have this meeting where it's an invitation‑only event for governments and regulators so that you can ask questions, you can say what you want. Whatever you say is not going to be sort of transmitted off as the view of your government on a public mailing list. And the idea is not to have this close the session as part of the policy making process but to facilitate the incorporation of public sector policymakers into what we're doing with technical policies.
So I think, yeah, some sort of innovation there in how those processes actually work is probably required. I don't know if that's helpful for you.
>> It's a really excellent question. I think there's an easy answer and a hard answer. The easy answer is you just go ahead and develop it and don't think about the policy implications. Because that's often what happens. I think ‑‑ think of PGP. They just put the technology out there and the regulators had to play catch‑up later and that may be the answer for you.
The hard way of doing it is to do the leg work and find out where is the most appropriate forum or for these issues to be discussed around the world, how I get an appointment to talk with these people? How do I bring ‑‑ create some liaison between our committee and their process? Because they're not going to come into your technical committee, obviously. And that is a lot of work. It's expensive. I know you've told me in a private conversation the W3C doesn't have a lot of money to be throwing around to bring in external stakeholders.
So yeah, that's the hard answer. Making it even harder is the fact that I think global payments in the way that you're describing are maybe one of these orphan issues that we've been talking about, place that don't have a global forum. There is the OECD, but the OECD is ‑‑ forgive me, I don't know the exact number, 33 countries or something. And that is really a global question. And maybe this is where there is a governance gap out there. So that makes it even harder still. I don't have a real answer for you, but I think these are questions we're all concerned with here at the IGF and something ‑‑ you aren't the only one thinking about them.
>> This is an excellent question. But from my point of view, it's a learning process that we as society or technologist or academia as well as government agencies and regulators have to go through together. And you shouldn't expect that the governments will listen from the first day.
The experience last December was an excellent experience. And ‑‑ technologies are evolving quite rapidly. Government's regulators have an issue on getting onboard with the latest technologies. So it was really important to try to prepare them for what the issues are, what will be addressed. It could be the possible scenarios or positions to take. And that's, as I mentioned, a learning process. But it has to happen. There's no other way around it. It has to take place.
One of the challenges that we have seen during this process is governments regard the other opening coming from Civil Society, being academia, or the technical side as being a consultancy opinion or advisory opinion. This, of course, puts the barrier between how the decision can be influenced. But if trust is built and the trust and the soundness of the advice given over time and in a period of time, I think the influence of this advice will be stronger. As mentioned, Wiki was an important step in the process. And every IGF or every such meeting is part of that learning process. And the engagement is very important. Keeping the engagement evolved with technology is critical. In my opinion there is no other way than this kind of engagement.
>> I think ‑‑ the concept of understanding social consequences I think is a very legitimate concept. And I think you have to have a broad policy discussion. And I think a multi‑stakeholder for it is a great place to have that. I think one of the preconditions is, and I think the technologists who participate in the IGF are pretty good at this. But the technologists who are technologists who don't participate aren't so good at this. And that is you have to be able to speak a language someone can actually understand. You can't start with X509 certificates. Because then you've just lost the audience.
So one is finding a common language to have the conversation. But I want to make sure that we're not losing the concept of you're developing a technology solution that is not actually a simple use case. It's a very complex use case even though it might be a simple solution for a problem. Because it's a complex use case ‑‑ because while you might have different social consequences, you have a lot of legal consequences to what you're doing.
So I mean, I just jotted down a few in the amount of time it took for two other people to make comments, and that was authentication and digital signatures. There are, in fact, national and regional requirements related to those. Anti‑money laundering is almost every single country, and it's not necessarily uniform. Data localization and geographic location issues which are coming more and more to the floor. Data protection, secure personal data, and the emanations of that which you might not think of because, for instance, if you are using an IP address in order to develop a security profile or in order to enhance security, you are collecting personally identifiable information that may have consent implications. Encryption, which has regional, local, either standards, prohibitions or enablements, ID management, Cloud standards, analytics, behavior, fraud prevention.
So you have an entire legal ecosystem because of the word payments that you have to live in. And that, you know, multi-stakeholders may help you there, but there is also an obligation to understand the ecosystem you're working in.
>> I wrote down the question because I wasn't sure I understood. Usually we get questions how I do get policy people out of our way rather than get them more involved.
[Laughter]
I think Jeremy might have been making a joke. But I was going to say, as well, I would not, to the extent possible, not worry about getting policy people or government‑related people involved in the process, to the extent that you can, you know, build the service or the technology you want, create a good service, create a constituency, create a market for it. I think once you build that critical mass, then it's more incumbent upon the policy people to react appropriately rather than the other way around from my perspective.
>> KAREN MULBERRY: Thank you. Anything I can tell from you participating in the ‑‑ in the fact that we have for the last close to two years now been inviting policymakers into the IETF dynamic and how open standards and debate occurs. Some points were raised that became very much aware as we started to do this in terms of everyone speaking a different language. And we have to come to common ground from both sides so that there is an understanding of what a policymaker is looking at when they're trying to develop that structure and framework and the requirements to protect their constituency; much like the technologist and engineers are looking at solving a problem in the best way they possibly can so that it contributes to the innovation and the global economic value.
So there's a balance. And, frankly, since we have been doing this for a while at the Internet Society, it is actually ‑‑ it has created an awareness on both sides. Policymakers have started to acknowledge that they need to understand a little bit more about the internet technical aspects and how things are built much like the internet engineers and technologists are now starting to become aware of, well, maybe I need to understand how to look at things with the policymaker hat on as well as to be able to express them in a means that the language resonates with a broader group than just the small collective that may be contributing to developing a technical solution.
So I think, there again, that goes back to we're all really looking at what it means to be a multi‑stakeholder. And what's the appropriate inclusiveness that we all need to consider as we move forward with this concept and actually make it a true enabler for what we're trying to accomplish.
>> Let me give you, perhaps, an example. We're using public policy as if, you know, how to get government regulators and large think processes into your specific process, which is difficult. But, you know, if you think of industry 10 years ago, it was a very sequential design process concept. And I'm using industry, so it's someone in marketing or some business unit gets a brilliant idea. They then speak to a technologist or enabler who can make the brilliant idea happen. Then someone remembers at some point because you're going to sell this, you have to go speak to a lawyer. And the lawyer drafts a contract and may make a little minor change because it has to fit into the contract for legal purposes. And then you launch the product. And then someone remembers that maybe a policy guy should be spoken to somewhere along the way, and that's usually a month after the launch.
And then you end up adapting backwards. And adapting backwards means you start putting Band‑Aids on things to fix problems that you weren't aware you had. Whether it's because where you chose your data center for processing, what you did because you didn't secure this element, why are you collecting this element, maybe you shouldn't collect it. And then the Band‑Aids go backwards.
And over time it's come to everyone's concept that this is not a cost‑effective way of doing business. Because if you have a more collaborative team approach at the outset, it might take you a slightly bit longer time to move. But what happens is if you get all of those people in the room together and you discuss the project, it turns out the marketing guy has an idea. That idea is never correctly articulated to the technology guy. So the technology guy overdrafted his solution because he didn't understand the request rather than have this guy come back to him 16 times for edits, he just gave him as much functionality as possible. But if you have everyone in the room together, the guy can articulate better what he needs because it's an iterative process. The technology guy can say you have five different ways of doing this the legal guy can tell you one is illegal. The policy guy can tell you two of these shouldn't happen. Then you're down to two processes that don't need Band‑Aids and you choose the best and most cost effective.
That's the privacy by design process, security by design process. Those are the ways that you can be much more cost‑effective in the long run even if it takes a little more effort at the beginning. So you know, you might want to think about whether you have those elements, policy with the small p as opposed to Policy with the big P to help the design process.
>> KAREN MULBERRY: Thank you. The next question that was asked ‑‑ we do? I'm sorry. Please, go ahead.
>> I wanted to follow on from what was said. My name's Louise Bennett from the BCS. Because I think we have some good examples in Europe of when it's been done right and when it's been done wrong. I think it's very important that policymakers produce simple, clear principles and then technologists can see if what they're producing actually meets the requirements of those principles.
An example of where I think it was done right was the European Commission's Data Protection Directive produced about 20 years ago where the eight principles for privacy of personal data still stand up well. Now they're going the wrong way in that they're trying to produce a data protection regulation, which has all of the things that you said were wrong, which will be mandatory, and micro‑manages and produces things that actually technologically are impossible like the right to be forgotten.
So I think regulators need to produce clear principles about how things should be done. Technologists can then test whether the way they are developing their technology appears to them to meet those principles. And you can go forward quite effectively.
I think I'd like to lead on from that a question to the panel which I'm afraid does cover this area of Cloud computing. Because of the European data protection laws, many countries think that this is simply used by European countries as a barrier to trade because they don't allow personal data to be held in Cloud service in other countries without breaking the laws in the EU. And I think both sides have got it wrong, because I think the requirement ought to be for any other country that is going to hold that data to demonstrate that they are meeting the principles that are required by EU countries. And that way you could have cross‑border trade perfectly effectively. But I think it's become a real war that shouldn't be going on. And I'd like your opinion on that.
>> I don't disagree with the first part of your statement. I think in the second part you may have overstated the pro headquarters related to Cloud. Under directive 9546, especially under Article 26, which is the derogations. You can accomplish them by model contracts, in the case of consent, you can accomplish them in necessary to accomplish the purpose of the transaction. Binding corporate rules have developed in relation to those that they weren't exactly clearly stated in the directive but they have been merged under the directive. So I think the directive does have ‑‑ and then there's the formal adequacy finding by the commission in terms of data transfers. The problem is, many of those solutions ‑‑ and this is where the Cloud dimension becomes problematic. Many of those solutions operate well in a point‑to‑point environment but don't operate so well in a global multi‑point environment because they've become tremendously cumbersome to manage.
So if you have a contract with anybody who may touch the data, that's problematic because you're not sure where the person is touching data from. If the best person for fixing the problem your customer is having happens to be on vacation in a country that doesn't have an adequacy finding, the contract didn't foresee that, then that person can't access the data which means that person is not going to serve the customer, which might be the best person to serve the customer. It creates logistical issues. And I think there are ways about how to work those.
I think one of the most important ways, which is a principle that exists in the privacy guidelines, it exists in the APEC privacy framework and underpins the Canadian Privacy Law is the concept of accountability. And that's the concept that obligation has to flow with the information. So that where the information goes, the protection has to be of the same quality and nature as where it left. But it doesn't rely on the law of the destination country. That can be an element, but that's not the only factor.
[No Audio. Please stand by.]
This industry for a long time has asked for that problem to be addressed. That didn't mean industry was asking for a detailed regulation. What it meant was it was asking for a harmonized implementation of the principles, of the directives, so you didn't have these one‑off pieces in every member state. But I think both accountability is a possibility.
The other thing which is a useful piece of information is there is a very interesting work going on between APEC. In APEC there's the concept of cross‑border privacy rules which is similar but not exactly the same as binding corporate rules in the European Union. For those who aren't familiar with either term, it's a concept that allows you to transfer information among ‑‑ in the European Union, within a group of companies, cross‑border privacy rules can be across a group of companies. But they are both kind of rules which you have to live up to, which you're vetted to, which are overseen and which have enforcement bodies associated with them.
What's currently happening is there's a mapping going on between the cross‑border rules and the European binding corporate rules. It's going on in APEC but participating in that process is the French Data Protection Authority, the ICO from the UK, a representative from the German Data Protection Authority, a representative from the European Data Protection supervisor and a representative from the commission. And what they're doing is doing a mapping to see how much of the requirements of a binding corporate rule ‑‑ across ‑‑ of cross border privacy rule.
The idea would be if you can develop that mapping, the guess is it's about 75% commonality. Then the question is, how do I not give you full mutual recognition ‑‑ mutual recognition because you're doing everything. But how do I give you credit for the 75% you're doing so you don't reinvent the wheel? And that's a concept of interoperability across regulation? Because we're not going to get to a harmonized regulatory format.
But that concept secures that you're not dropping the level of protection in one country but diminishes the administrative burdens required to demonstrate compliance. So that's a little bit of innovation that I'll give to intergovernmental organizations credit for having pursued ‑‑ two Intergovernmental Organizations.
>> Mike Nelson with Microsoft. I wanted to send a little bit of time on ‑‑
[No Audio. Please stand by]
Countries are trying to clamp down on hate speech or you have some draconian law enforcement measures. They're going to go contrary to what you've outlined here. Is there a way or is there a need for the OECD to start marketing its principles to those agencies? And is there a way to bring them in to the process so that they feel that their concerns are taken into account? Or are we just going to have this situation where different parts of the government have different priorities and they go off and do different things to the internet?
>> I'll jump in. There is an obvious tension there between principles which we all agree are reasonable, the fact that they were developed by a relatively closed sort of countries.
>> And a closed set of ministries.
>> Yes. Yes. So from my ‑‑ just talking for myself, that's one of the reasons why I support the IGF having a role in developing a more global, neater set of principles. And, indeed, in the other session next door to us, that's what they're discussing right now. So I think that that would have a lot of value. It can draw from the principles. It can draw from the Brazilian principles, other sets of principles. We can find commonalities there and then we can develop something that has a broader ownership and which isn't seen as being a top‑down, north-to-south instrument.
>> To bring a different dimension, complementary dimension, in countries where you don't have the privacy directive that's clearly outlined and abided to. I think it's quite desirable to bring those countries into the picture early on before problems are being faced, talking about the countries emerging economies. Instead of having north-to-south directive, I think inclusive interaction is more valuable, trying to raise the awareness early on before the problems are being faced. Some of the countries, as mentioned, have issues of security on the freedom of expression, online or offline. So this kind of inclusion early on I think would be quite valuable. Perhaps it puts the burden more on, on the North, to bring on other countries into the policy making forces.
>> I guess I would want to remind people that the OECD also has observers that are not just delegations from Civil Society, from technical society, business, and trade union. They also have observer countries. There was also a significant outreach at the high‑level leaders meeting related to policy making principles that actually brought a number of other countries into the mix. It allowed them to have a comment period related to those. A number of them became signatories to this document.
So this isn't a pure North telling the South. This isn't the pure we aren't thinking about you. We for the longest time suggested to the OECD that he this need to take the documents that are created and develop an outreach process related to them to actually figure out how to make those documents more applicable and relevant to the countries that weren't as involved in their development. Because their development is not necessarily uniquely tailored to countries, but it's actually applicable beyond those countries. But you actually then have to go out and make that document more relevant to countries directly.
So this is something that we have continued to suggest, stay positive and valuable addition to the OECD. And I think there is no ‑‑ there is no limitation that the OECD would see on doing that except for budget because it actually costs money to be able to go out and kind of take the document on the road and move those things. And I think every organization is seeing budget constraints and a tight economy. So I think there is an issue related to budget and what they can do with that.
The other thing I would say is I'm not sure that another set of principles actually answers the problem. And I don't think the other set of principles would address the problem that you made about which ministry is playing and which ministry is paying attention.
I think one of the things that the OECD process does do and some countries better than others is there are interagency processes within governments where they consult broadly across the agencies in terms of vetting the language and vetting the position. Now, whether that means that they're going to pay attention to it once the document is done is a very different concept. But at least there's a feeling that they have input at the time it was developed.
You know, you could take that for what it's worth, but I don't think you can ‑‑ we don't live in a perfect world where you can fix the problem and everyone is bound to what they discussed. I think the policy-making principles aren't perfect, but they're a significant improvement and a beneficial benchmark that goes out there, that helps countries think about this. And, you know, in the developing country context, they're going to take principles and things they see in other places and figure out how to adapt them to needs in their economies.
And one of the things ‑‑ I'll go back to the APEC document of the digital prosperity checklist which is a useful exercise. We took a set of principles related to digital prosperity under a number of different headings. But then we also created a document that discussed what's the benefits of getting this right. Why does the economy gain from doing this correctly?
That's one of the things that's also missing from the policy document, is the explanation of why this is useful to you at every level of development. And that would also be a useful thing to make policy more applicable across a broader range of economies.
>> KAREN MULBERRY: We're about out of time. I would like to ask the panelists if they had any closing remarks before we end our session or if there's any additional questions from the participants.
I would like to thank our panelists for their contribution and dialogue that we've had today. I very much would like to thank you for participating in this discussion. I think we've had a very good exchange on the value of openness, some considerations and approaches to collaboration, as well as inclusiveness in that dialogue and how we might want to approach getting more governments, individuals, technologists involved in the dialogue and that maybe through the IHF and similar processes we can continue this collaboration in hopes of enabling more innovation, more economic advantages for developing countries, and the ability to share, even, more in things that have yet to be invented or understood but have come up with a means of collaborating.
So I'd like to thank the panelists. I would like to thank you very much for participating. I'd like to conclude the workshop.
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********