IGF 2021 DC-CIV Internet Regulation during Crisis One Year Later

IGF2021 meeting of the Dynamic Coalition on Core Internet Values: on the topic of “Internet Regulation during Crisis” - One Year Later 

Over the last ten years our work as an IGF Dynamic Coalition is focused on defining and emphasizing Core Internet Values, which comprise of the technical architectural values by which the Internet was built, and, more importantly, what can be called ‘social’ or, in other words, ‘universal’ values that emerge from the way the Internet works.

The first is that the Internet is a global medium open to all, regardless of geography or nationality. It's interoperable because it's a network of networks. It doesn't rely on a single application. It relies on TCP/IP, a common, open protocol. It's free of any centralized control. The only supposed control is the domain naming system, which provides a single translation system between domain names and IP addresses, and that's, of course, needed by design. It's end to end, so traffic from one end of the network to the other end of the network goes unhindered. It's user centric, and users have control over what they send and receive. And it's robust and reliable. These values have been under stress due to various developments, particularly during the Pandemic. Also, as the Internet expands with newer products, services and applications, there are emerging needs for focused pursuits on important aspects of the Internet , for instance, freedom from harm.  (In 2017, the Coalition put together a discussion paper focusing on freedom from harm as proposed by Vint Cerf in the context of addressing the rise of criminal use of the Internet and the solutions towards prevention of harm to the users of the Internet, including the harm that arises unintended from the staggering growth of IoT technologies, causing billions of devices connected to the Internet which in turn bring about new regulatory concerns.)

The Coalition was formed following the IGF Egypt workshop in 2009 titled “Workshop on Fundamentals: Core Internet Values” chaired by the then Internet Society President Lynn StAmour. As a DC, meetings were held at the IGF annually since IGF2010 and has also held sessions at EuroDig. 

The 2021 session, Chaired by Olivier Crépin-LeBlond and moderated by Alejandro Pisanty included as panelists Olga Makarova from Mobile Telesystems, Alison Harcourt from the University of Exeter, Bob Franskston, Internet Pioneer and author of The Regulatorium and the Moral Imperative, Gregory Name, Jutta Croll from the German Digital Opportunities Foundation, Desiree Miloshevic from the Global Initiative for Human Centered Digital Governance.

What do we mean by the term "the Internet"?  Our attempt to understand the Internet is not unlike the story of  the blind man trying to understand what an elephant is. The Internet is sort of a use case for something larger. The set of protocols and everything we call the Internet works on the principles of “best effort” connectivity: we assume it works because every component across the network is following best efforts to make the Internet work. In Internet architecture the architects did not try to solve all problems at once. In the Internet, the application problems are on a different layer, and are distinct from the problems of the network, which is the foundation infrastructure. There is some confusion as most people think of the Internet as Facebook, Google, as the World Wide Web- these are applications, not the Internet. 

In the Internet way of Networking, infrastructure is decoupled from what we do with it. This is a core design aspect, which needs to be understood before considering proposals which try to tie everything together into one lump as for instance 5G which is “anti-Internet” in the words of an Internet Pioneer and Technologist who has been studying the design of the Internet even before there was the Internet. One of the reasons why 5G is anti-Internet is because this technology bundle proposal tries to tie up all layers in one lump.  The Internet is to be understood as a prototype that is evolving rapidly. It's even more so for the Internet of Things. Viewed with this understanding, the evolutionary phase problems are better understood, for eg.,  routing still has major problems that aren’t always visible on the surface, according to the MANRS review report. The Domain Name System has its own challenges and is evolving. The complexities and nuances need to be understood before governance decisions are made.

The DC session on Core Values during IGF 2020 published a statement on excessive controls which are problematic practices adversely affecting Core Internet Values. These included Internet shutdowns, suppression of political dissent and fragmentation; There is a sustained growth in cyber criminal activity on the Internet, catalysed by COVID19 and the increased global reliance by the world on the Internet for everything from health, education, socialising to business. Some vulnerable stakeholders have asked for more regulation.

During the last two years we have seen 100+ Internet shutdowns by 29 governments (2020); Continued suppression of political dissent; Calls by some governments for encryption to be weakened; a visible trend towards fragmentation through national regulation, resulting in: Multiple layers of accountability that do not necessarily work together and weakened technical resilience of the global Internet. 

The word "regulation" comes back more and more often. The Core Values coalition shared a statement on excessive regulation with the community supported by several other Dynamic Coalitions.  More and more we are turning to strict legal regulation on state level and on international level. While the issues are not resolved without regulation, it is still unclear as to how regulation would resolve every problem. 

We have to defend the Internet from regulation because regulation will break the core values, the basic principles of the Internet. The Internet we have today is not the original Internet that was designed as global, end-to-end, interoperable, free and open.  It's much less open, much less interoperable, much more concentrated and based on flawed systems and stuff that the user has no control over.We have to emphasize that even the regulation has to be in conformity with the values on which the Internet is built. There should be governance values as well.

A balanced approach is needed.

In the EU GDPR, in Germany the NetzDG known as the Facebook law, in France the 2018 disinformation law, there are upcoming proposals for online safety in the UK. In the UK, certainly there's more of a self regulatory approach, which may be seen as overly interventionist, there have been discussions in Germany as to over-application. So in terms of core values we need to look at a global level and examine how we can integrate them into implementation of these national regulations, but seen as in conflict with inadequately defined notions of digital sovereignty: there seems to be confusion between cyber and internal market and national champion policies in particular. 

There's been greater State cooperation in the recent past, in particular in the area of emerging technologies, which has really gone hand in hand with a move towards data sovereignty. Most of these can be found in trade agreements with increasing cooperation between the United States and the EU. The EU and US agreed on regulatory cooperation on Trade, one of which “intensified dialogue on standards for the strategic sector, in particular those related to emerging technologies, [in particular] 3D printing, robotics and connected vehicles” This needs to expand on a global level, expand to various Internet technologies, and expand to non-governmental stakeholders. At the global level, as many authors have pointed out, there's a potential for incorporation of core values in standard setting based upon principles set out in a number of organizations, notably the IGF, but also more formalized fora like the ISO and WTO, but there's very little evidence of reference to these principles in day-to-day decision-making on the ground. But how can we translate these developments into decision-making? The integration of core values and principles in standard settings has always been very challenging, but now we have more tools at our disposal than ever before. The most effective method to date has been the integration of third sector scrutiny into decision-making, particularly if you look at voluntary SDO standards, making the funding of third sector involvement is important, the recognition of core principles within decision-making across the board has been important as well.  

This cooperation as of now has expanded to a new EU - US agenda for global changes to “help facilitate trade, develop compatible international standards for e-commerce etc, which is an agenda for “renewal of cooperation on regulation and standards, starting by re-engaging conformity assessment regulation and aligning positions in International bodies”

We continue to see the implementation of national security laws that regard political dissent as terrorism and restrict freedom of expression on the Internet. Around 30 countries resorted to Internet shutdowns last year, including in Europe. This is not a trend that is diminishing, to the extent of attracting the attention of the United Nations Human Rights Council Political suppression continues to happen by implementation of more and more national security laws that regards political dissent as terrorism and by restricting freedom of expression on the Internet.

Encryption is fundamental. There have been calls to weaken encryption to tackle cyber crime, including terrorism and child abuse. Weakening encryption will allow private legal content to be scrutinized, also legal content. To quote from the Open Rights Group, “there will no longer be any such thing as personal communications” [if encryption is weakened]. Everything we say, no matter how private, will be accessed under the bill. It is equally important to note that the overall weakening of encryption is likely to harm privacy, political activism and investigative journalism

This is an approach that makes security look like a binary choice between favoring the rights of this or that group in society. This is dangerous. 

There is no contradiction between privacy and the protection of children, although the human right of privacy cannot overrule the rights of children. Child sexual abuse material can be detected without abusing the technology.  While using technology to detect criminals and bad actors, necessary caution is needed on the possibility that governments, especially those that function on non-democratic frameworks, might misuse technology.

Child sexual abuse, women’s issues, child pornography are issues that must be dealt with, but when repeated over and over again, it opens the flood gates to legislation, and paves way for excessive legislation of the Internet space. COVID increased legislative attention to the Internet, to some extent necessitated certain changes away from the Internet Way of Networking. We are all committed to protecting the rights of the children, but the way the issues are raised is not like the issues brought to the Internet. 

There is a trend towards a fragmentation of the Internet. In some countries, we have the creation of a national Internet. Other countries are suggesting to force DNS services to meet regulatory requirements. A recent example is the European Directive on Network and Information Security. NIS2. To quote from a statement of the Internet Society: This approach risks the creation of multiple layers of accountability and clashing obligations, threatening the autonomy of DNS services and resilience of the Internet. These are global challenges. For a long time, the belief was that they could be tackled by voluntary action based on best practices. But the reality is that obviously many governments now clearly disagree. But this doesn't mean that every country should go its way. As many governments try to reinvent the Internet, we need to work globally in place of national actions. 

The Internet merely mirrors our lives. Various forms of abuse exist not because of the Internet, but because of crime (on the ground). The Internet is just an environment that can be used by all participants. We need to fight with the criminals, not with the Internet. The main problem of the Internet is it is global, we should fight with real causes, not with the Internet, to stop abuse, to stop harmful content, to stop any harm, any crimes that we see through the Internet.

Harm that is planned, or otherwise originates online requires a physical location both at origin and destination. Geographic laws - local, national (state) law, and/or international law are violated in any act of harm that APPEARS to be online harm. Tackling the only online part is not useful.  We need the online and offline parts working in harmony.  We can’t solve all problems by just looking at the wire.

Online measures should not be the shortcut to not do the job in the offline world. At the IGF our focus is to develop solutions altogether by the multistakeholder process, which is in a way an expanded Think Tank process for effective and balanced solutions. We need to come up with further technological alternatives. The challenge is how do we solve social problems and societal problems without breaking the basic underlying mechanism, its global interconnectivity,  interoperability and without hurting its Core Values. 

Governments are more and more understanding that all stakeholders are to be involved in the intergovernmental processes, and it's gradually becoming multi-stakeholder. However, Governments are not quite asking the Internet: Here is the problem. Solve the problem. Rather, the concerns are raised in such a manner that there is a problem (because) the Internet is not (good) it is not working, so let's take over the Internet. And that is what is doing a lot of harm. 

There has to be a balance of rights, the  technological challenges are mostly in finding a balanced solution that would work for everyone, for every group of society that deserves to be protected. And we need to be careful not to rush into solving a problem by creating another, as often the choice available is binary, as a choice between two Rights. For example, Weakening encryption gives access to States, but that opens doors for other kinds of actions that may be undesirable in terms of law, democracy, and common good. 

We need to resolve the problems and get back to the Internet model and anchor the Internet on the Core Internet values.

The panel then discussed “Human Centered Digital Governance”, an idea born when the pandemic started, out of concern for "surveillance capitalism" that is affecting and undermining Western values that are several hundred years old. The required policy changes and the needed shifts in thinking and the need for new concepts are discussed as solutions. Human-centered digital governance addresses mainly one problem, that of the misalignment of Internet users and suppliers who provide digital services. Users pay with personal data that are collected. There is a central flaw in this whole complex system, that of the absence of informed consent and invisible third-party digital barters in the digital economy, unknown in traditional economic channels. Apart from threatening the economic models,  it also weakens users' mental health, and erodes the appreciation of objective truth, and the list is long. 

The challenge of digital governance is to find ways on how to use technology benefits while keeping them human centered. Collection of data should be transparent to the data subject. To achieve that transparency, the Human Centered Digital Governance working group suggests classification of personal data in three major realms or categories: Official data O-Data, Privy Data P-Data and Collective Data C-Data.

The solutions from this approach align with the EU GDPR: Data needs to be classed into official data, privy data, and collective data. The official data is something that should be verified by a third party. Official data needs official authentication, and should be the only legal source of that data, with individual users having genuine control over the use of the data through easy tools and supporting institutions. Privy data is data generated by individual users who generate the data themselves, (blog posts, photos) or data generated about data subject by second parties (apps, companies). In both instances, users/data subjects need to have control over their first and secondary data. This is currently not the case and the processes are opaque. We need to create legal structures to support the establishment of data commons, for what may be called C-data, which is to be under the control of trustworthy and competitive organizations that would then promote benefits of data subjects and the broader society. This new classification of data and the supporting organization institutions will then be able to address some of the digital asymmetries and could eliminate the third-party financed digital barters.

The integration of Core Values and Principles into decision making has always been challenging. Standardisation and the definition of norms of regulation at international level by many organisations or bilateral trade agreements are starting to see an inclusion of human rights and of core values, but this is not the case with every process. Political boundaries on the Internet are exploited to bring forth legislation. It is impossible to solve a global problem in one country as a local problem.

Call to Action: 

On many aspects of the Internet there is deregulation, non-regulation and self-regulation but in some aspects, especially in matters pertaining to security there is a trend towards the regulatory approach.  The sustained growth of criminal activity has triggered the understanding that we are reaching a point where more regulation is needed in cases where self-regulation has failed.

However, the impact of regulation should not harm legitimate users under the pretext of protecting another stakeholder. The coalition wishes to call upon stakeholders to be considerate in drafting regulation that will result in fragmentation of the Internet. Inadequately defined notions of Digital Sovereignty together with national and regional regulatory initiatives that are not harmonized would not only fragment the Internet but might space out the Internet as an Internet of many dimensions.  The present notions of Digital Sovereignty needs to be refined in matters related to Internet Governance  Any regulation that is drafted needs to be human-centered and take into account ts societal impact on Civil Liberties, its technological impact on Core Internet Values and the needs of all actors, but in particular, those of the average Internet User. There is a move towards a good degree of cooperation between the EU, Europe and other states in matters related to Technology and Commerce. The Coalition would like to see this degree of cooperation extended worldwide, and in matters related to Internet Governance, involve non-state actors, Internet Technical Community in a multi-stakeholder setting. We wish to recommend that the Core Internet values are referenced and integrated in the Internet Policy processes and implementation.

– Report by the Dynamic Coalition on Core Internet Values. 

Updated December 24, 2021