IGF 2016 - Day 3 - Room 10 - WS186: Direct access & the next billion

 

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

>> LUCY: Welcome to this discussion, which will be focusing on a particular aspect of government surveillance known as direct access.  Firstly, like everyone who's held a session in this room, apologies for the room and the late room change.  I think we're another Civil Society session bumped from a light and airy room.  My name is Lucy and I'm policy officer in the UK and we have some very fine speakers that I'd like to introduce.  To my left is not some chief surveillance evangelist.  Collin Anderson, Adnan Chaudhri, Patrick, from the Telia Company, Luiz, who's at the end.  Judith Lichtenberg, the Executive Director of the Global Network Initiative, and Carolina Botero.

Adnan, by way of introduction, can you explain a little of what we mean when we talk about direct access and can you give us a little of the background that PI has been doing what we've uncovered so far.

>> ADNAN CHAUDHRI: Thanks, folks, for coming here today.  I think for Privacy International, direct access is really at the heart in terms of what we want those models to look like, what system of safeguards we want there to be in place and what really we expect of the private sector when it comes to government surveillance.  If you go back to the 1990s what happened with the privatization of networks, of digitalization, of the mobile phones was that there was essentially a wealth of data being moved from the private sector which the government wanted to have its hands on.  What they've done is across the world which would enable them to get access from the telecommunications companies to enable that access.  So within Europe, you saw technical standards, interception within ETSI, Russia, you saw, so in the U.S., it's known as CALEA.  With that, you also saw the rise of the industry which is to develop product and systems to enable that to take place but also to develop products which make that process more efficient and a lot easier.  Now, this system has its own problems and there's concerns in terms of the oversight but not enough.  Some governments want to stop this entire process and have direct unfettered access into the digital networks.

This raises very important concerns.  A few years ago, we did surveillance in central Russia showing how the Russians wouldn't have access to the warrant in order to check them.  On top of that you saw surveillance companies selling probes to the secret police which allowed them unfettered access to the internet communications of the country at a mass scale.  There was another report in Estonia showing how they appeared to access 20,000 people because the agency had access to the internet.  Diplomats, even members of the ruling party's own political party.  I think we're seeing this as an increasing trend so as more and more legislation laws come up, we're seeing that direct access is a requirement.  For instance, in India, they want to ensure that a telecommunications service provider doesn't have operational control over the interception efforts and this is of course of serious concern given the potential for abuse.  Something that's been recognized for example in the European Court of Human Rights last year.

Took the Russians interception under the Court for Human Rights which ruled that it was inadequate in that it didn't have sufficient safeguards over who could access.  So, I would like to discuss particularly from the Private Sector how their understanding of that access is, what their concerns are, what efforts have been made either on the back end or publicly to push back against such systems, where they see this going and really what we can expect of them going forward in terms of Civil Society.

>> LUCY: Thanks, I'm going to come to Patrick in a moment but just on the Macedonia intersection you did, the president thousand took place around the time of the general elections.

>> ADNAN CHAUDHRI: Yes, reports were for a few years including during the election.  Intelligence at the time was headed by the Prime  Minister's cousin, so the Telecom agency wouldn't have session to.

>> LUCY: And one of the European's commissions was giving support to fund a free election so when they found out, they weren't very happy.

>> ADNAN CHAUDHRI: Exactly.  It undermines the entire Democratic process.

>> LUCY: Thank you.  So from what Adnan's been saying, does this definition of direct access square where telecommunications and your dialogue as well which I know has done a lot of work on this.  Can you take bit how the telecommunications and also describe the challenges you face as an operator operating in countries that have direct access and the action that you've been taking.

>> PATRICK HISELIUS: Thank you, Lucy.  So I'm a lawyer and not a technician, but I will try to explain as far as I know about these systems.  Telia Company is operating in Baltics.  We also in a number of Eurasian countries.  We provide Spotify services, but we're also present in these countries in Eurasia which we are presently divesting.  When it comes to direct access, we seek to be as transparent as possible when it comes to direct access and what we do is publish the laws which provide the governments with this tool of direct access.  Let me start by saying that it's highly problematic both for the operator, and of course, more so for the users.  Because all this work that many of the operators are doing on transparency reporting, we publish transparency reports on the number of requests we get in many of our markets but in addition to that, there's direct access.

And I normally explain it in a way that these parallel systems work in a way that if there is normal requests, the authority comes to the operator with a warrant and asks for information about the customer.  We ask the operator, we go to the locked room, go into the room, get the information, and then we hand it over to the authority.

If it's properly signed and all that.  We could also refuse if it's not, according to the law.  But, when it comes to direct access, the authorities have direct access to that room, and we don't even know when and how often or even who goes in there because they are directly hooked up to our network and our systems.  So the position of the industry dialogue is that we as Telecom operators want to be in control of our network and systems so we are against direct access.  And yeah.  I'll stop there for now.  Thanks.

>> LUCY: So the transparency reports that have been coming out really affects the society and a lot of things we have on direct access comes from these transparency reports.  You're saying that as Telecoms, you want to be receiving the warrants; is that so that you can challenge them if they are incomplete or because you want control of your own system?  Can you say a little bit more about why Telecoms are putting themselves out there to be that middle man?

>> PATRICK HISELIUS: Well, in general, telecommunications systems is about trust so we need to put ourselves on top of that.  On top of that, we have the UN guiding principles upon which Telia Company has discussion of privacy on our web.  Where we have committed to certain positions and one is that we argue that we want to be in control of our networks and systems.

>> LUCY: And next, the global initiative and GNI, does what he's saying jive with what you're seeing as well?

>> JUDITH LICHTENBERG: Yes, maybe before I answer your question, let me first give it a little context.  So the global initiative is a multistakeholder organization.  We bring together ICT companies to forming a common approach to freedom of expression and privacy online and our foundation is a set of principles that are based on international norms and they inform responsible decision‑making when companies are faced with requests from governments that could harm the freedom of expression and privacy rights of their users.  And we also along those principles, we developed a set of implementation guidelines that provide concrete steps that companies can take to implement our principles.

So, currently, our company members include Facebook, Google, Microsoft, and Yahoo and we have cooperated with the industry dialogue since March 2013 when they were established and so what Patrick is describing is certainly also of concern for the Global Network Initiative.  We have advocated for more transparency from governments in our companies, because while on the one hand companies are obliged to comply with national laws but on the other hand they also have the obligation to respect the human rights of their users especially when it comes to security and national security and law enforcement orders on the one hand, and then the user's right, sometimes companies are really placed in difficult position. 

And there is a lot of secrecy around those orders because they are so sensitive, and that is a challenge because then companies are not able to be transparent about the efforts they actually do to protect the rights of their users.  And this type of direct access we are discussing today is even actually going a step beyond those legal obligations to remain confidential.  I think the main characteristic as described already is that companies are no longer in control so they have no clue what's happening on their network so they are not in a position to be transparent to their users.

And although this is primarily, direct access is primarily applicable to Telecom operators we see that governments around the world also seek a kind of direct access to internet companies and to other industries.  So maybe it is telling that when the Snowden revelations came out that a lot of internet companies and also some members of GNI really made a strong point that the authorities didn't have direct access to their servers.  And that was definitely another impulse for companies to also advocate for more transparency.

>> LUCY: Thank you.  Thanks.  So Collin, we're seeing that the companies don't know what's happening.  Civil Society, it's very difficult for us to uncover when it's happening.  What are you seeing from your research on this topic?

>> COLLIN ANDERSON: So I think my contributions may unintentionally be demotivating and unsatisfying, which is the norm, unfortunately.  What's interesting about this is it gives a lot of government and policy questions, which is quite often, you start to hear these very salacious rumor about how direct access is implemented and administrated, particularly in authoritarian countries.  I think a vivid example by the picture painted by MCN which is that he had basically given the floor to the Iranian security access and had direct access to the communications with no regulations about who was able to listen to that content or read messages.  The problem is that that becomes very ‑‑ even with sort of an understanding or expectation or baseline, a very difficult thing to scrutinize from a technical level.

There has been over the course of the past decade very good research that was done on the structure and supply and administration of censorship apparatuses, even in countries that are opaque about that.  And that's because censorship is essentially normally the denial of information.  You have somebody sitting in the middle and blocking it so commonly, it's easy to characterize where that's being done, how that's being done, and even the equipment behind that.  In the case of telecommunications or any sort of variance we fundamentally struggle to maintain that scrutiny on a technical level.  Most of what you see from technical academic research corporations is equipment that is not built for surveillance.

So Blue Coat is not the primary vendor of surveillance equipment.  It's something that happened to be useful and re-appropriated but was not necessarily structured in a way to surreptitiously interrupt traffic, especially in the capacity that it was used in Syria.  I think what is a useful way of understanding the situation is to look at things like the Mark Klein whistleblower having to do with the implication of AT&T or even things like you get out of ISS the surveillance conference having to do with, for example, the manufacturer VASTech who promises direct access.  What this is, direct access different configurations is commonly that have a piece of equipment that you have connected to what is called a SPAN port on a core router or a router that is close to the user.  Traffic is being duplicated, taken offline and sort of sent to a central repository.

That's not something live on the network, so you can't scan for it.  It's not interacting.  It's just passively collecting so you can't necessarily force disclosure.  You basically have very little insight into a properly configured direct access surveillance system so as a result, it's not easy for someone like me to even confirm what is suspect.  So this is why really when we've been able to articulate the structure of surveillance regimes in countries, it is fundamentally based off of journalistic methods.  It's based off of interviews and disclosures and leaks and at best maybe freedom of information requests against export or companies who were providing it but very rarely is it based off technical measurements and that is unfortunately problematic in that it sort of denies opportunity for Democratic debate.

>> LUCY: So, as Adnan said there's lots of different standards.  One way of working out if a case does employ direct access finding out which of those standards it employs.

>> COLLIN ANDERSON: Not necessarily because even if you have clues, know who the manufacturer is, really, this is just passively going in a different direction and it's going to be incredibly difficult unless there's some really major design flaw to understand what that is.  Quite frankly, to be clear, things like SPAN ports and mirroring are built into every single router and they're not necessarily specifically intended for surveillance.  Even that sort of bulk collection is useful for looking for spam or redundancy in networks and these sorts of things.  So, this is nearly always, to the best of what I could find, and if I'm wrong, I will be able to have a very fortunate career off of the publications, you know, this is outside of the eye of the user.

>> LUCY: Okay.  Thank you.  Okay. Deep breath.  Luiz, we'll come to you next.  I know you spoke at length in the last session about Mexico's surveillance framework but from what's being said already, is there something you can add to our knowledge about what's happening?

>> LUIZ: Yeah, it's difficult, as many have mentioned to detect this type of access.  From the legal framework point of view, which is mentioned, the legal framework is very vague in some aspects about which kind of collaboration can a company give to authority and even though in my interpretation, I wouldn't think that is something that is legal, it's not the first time that my interpretation is not the interpretation of the companies.  Like, for example, I was just mentioning, it's not that example of direct access but it's really kind of because in the first semester of 2016, the biggest mobile company provider in Mexico got more than 25,000 requests for reviews of data and they never requested one so it's just a mere illusion that it's kind of the R-tax but it's not. 

The other thing that has been revealed, for example, this is something I just thought of when listening which is when Snowden information came out about how the US and NSA has access to certain telecommunications of country like Bahamas and also was mentioned to Mexico with regard to metadata which is something the Mexican government didn't make any push back so we're aware and consented this type of direct access by a foreign country. 

But also as it has been documented that Mexico is one of the biggest purchasers of malware, particularly Hacking Team, revealing the information about how Hacking Team malware is infected in the victims, there's a few ‑‑ there's one type of infection that would require the cooperation of the telecommunication company that some certain equipment should be installed in the telecommunication company infrastructure in order for the authority to be able to scan the network and infect people.  And we have documented reviewing the data that was leaked that at least two states, Chihuahua and Guerrero where there was the disappearance of students, there was violation of human rights.  Those companies also purchased this.  If they purchased it, we can guess that they had some help to install.  There's still a lot of research about this.  But there's some instance that some sources of direct access might be available and working in Mexico.

>> LUCY: Thank you, so we're getting the real picture of how difficult this is to nail down and the information we have is transparency reports or leaks of what kind of technology is being bought.  So Carolina, coming to you next, again, is there something that you recognize in Colombia, what does it look like from where you're sitting?

>> CAROLINA BOTERO: Well the picture in Colombia will be very similar to what Mr. Fernando just described.  The law is very big but still offers powers for direct access.  The main thing, there is this norm that orders the ISPs to open kind of back door to connect directly with the law enforcement so that they can do the filtering themselves and there are some WikiLeaks, they appear that in the DEA there was a room where they were directly connected to the traffic of Colombian ISPs.  Whether that is true or not, we don't know, but there's the information and the law.  The last thing we knew is that the technology to implement these was being defined with the ISPs but we don't know if they are really working.

On the other hand, we don't have transparency reports.  We've been monitoring.  We've been asking, but there are still no transparency reports in Colombia so we can't monitor that.  And finally, I would say that I am also very worried about something Collin just mentioned was those systems that are not meant for surveillance but will be still or can be used for surveillance.  I would just mention, one, Colombia has the IMEI registration for cell phones and it includes a lot of data.  According to Colombian standards, data on communications cannot be delivered to law enforcement but with judicial warrant.

However, the regulation that even the law says that this data is available for any authority, administration, law enforcement, or judicial initiative.  I can't remember the third, but everybody.  That's not in the law.  It's a regulation.

And I think it is because previously, it was basically the telephone so all regulations were centralized and it went through kind of control.  Right now, you have many means of communications and there's lots of people doing communication.  And in this case, because of issues of theft, but it is finally regulating communications and is not complying with the standards and that raises another issue, which I would like to put on the table, which is the metadata, and that should be as protected as the communication itself but there's nothing in our law that says so, so I believe that authorities are ‑‑ so there is a big void there and we need to raise the awareness that this should be as protected as the communication itself, the content.

>> LUCY: Great, thank you and you said there was no transparency reports, do you mean from the companies or the governments?

>> CAROLINA BOTERO: The companies.

>> LUCY: Interesting.  Thank you very much.  Adnan, I come to you next.  We could talk all day about surveillance in Pakistan, but I want to tell you two things specifically in ‑‑ the issues in Pakistan challenging surveillance and also can you tell us the example of Blackberry where the government wants to direct access into Blackberry's service ‑‑

>> ADNAN CHAUDHRI: In Pakistan, there was often the same rumor or urban legend that that is the case but the reality is that Pakistan doesn't need to be urban legend, per se.  People now know about the Prevention of Electronic Crimes Act that was passed in August of this year that deals with cybercrime and retention of data and so forth, but it actually goes back a lot earlier.  I mean, like in ‑‑ like you've got the 2010 ‑‑ what's it called?  Monitoring and reconciliation of telephoning traffic.  Telecommunications company, or any international Telecoms provider which has license to operate in Pakistan.

We have to allow for mechanisms that in turn allow for the real time monitoring by the authorities, usually in Pakistan, it's the Pakistan telecommunications authority.  And, the problem that we have as Civil Society organizations is confirming that they actually are doing this.  It's very strange because on the one hand, it's the law.  But if you try and talk to the PTA or use the freedom of information act, they won't tell people, okay, we have data and the thing is talking about Telecoms in Pakistan, you do have companies like Telenor that said, we do the government requests and here's a breakdown of number of requests.  Pakistan, mobile link, which is owned by Russian company, MobileCom.  So the problem we have is trying to gain that access.

In regards to Blackberry, it's quite interesting.  Because what happens is as I said, legislation passed in 2010 and 96, the investigation of fair trial act basically the government can request data on the grounds of national security and in July 2011, the PTA passes a directive basically making encrypted data illegal.  Any network data that cannot be monitored in real time.  What happens is if you are a telecoms company, you have to allow the government to read your data.  Blackberry uses the Blackberry Enterprise services for communications, regarded as strongly encrypted.  So the PTA requested full unfettered access to this.

Blackberry at the time said no, they won't.  So they were told by the Pakistani government to leave.  I'm sorry ‑‑ this was in July 2015.  So they were given until the end of November 2015 to change their mind and hand over access to the government.  Now Blackberry themselves have in other regions, they have given access, but they've always stressed it's been as long as it's for criminal investigation purposes.  The PTA just told them we want access for security reasons.  They were about to leave but in December of 2015, they came to some sort of agreement and now Blackberry is operating in Pakistan again.  What's kind of worrying is no one knows what the details of that deal were.  No one knows if they had to hand over the data.

On a side note, encryption is illegal but it's kind of a gray area in that encryption is legal in Pakistan provided that, A you fill out an application to the Telecoms communications authority stressing why you want to have encryption, then you have to hand over your encryption keys then you apply for a license for a certify and then the PTA says, okay, fine you can use encryption.

>> LUCY: Thanks, that's so interesting, that example, because they were asked to leave the country which is very, very serious, then they were asked to stay, no one knows what the deal is, do you know if Blackberry explains legally what the deal is or what was said? 

>> ADNAN CHAUDHRI: That's interesting because people have approached them and they've often said we're not at liberty to say.  People are so curious.  The thing is now, Blackberry, funny enough, doesn't have much of a market share in Pakistan.  They use Android and iOS and things like WhatsApp, and now they haven't come forward.

Other people are glad they haven't had to leave, does this mean it hasn't been handed over?  Blackberry talks about on their website, on their blog, have the CEO saying, are you going to leave?  After a fruitful agreement, we are going to continue our operations in Pakistan.  But again, they haven't said under what condition that was.

>> LUCY: So it raises more questions of thank you, I'm going to come back to the panel with more questions in a bit but before I open the floor, are there any questions you want to ask each other?

>> PATRICK HISELIUS: Yeah, we talked about or Collin said that this direct access is outside of the eye of the customer and to great extent, it's also outside the eye of the operator, right?  There is this direct access and we don't know how often they go into the room and get the data.  So, and one more thing I want to add here is that for those 14 or so companies that Telia Company operates in, direct access looks a bit different in different countries but 12 or so have some direct access.  So I think Finland and Denmark does not.

In looking at that, one must remember that in some country, there is Democratic oversight so the operator cannot know how often and what is fetched from that room but in Sweden there is the data protection board, there is the Democratic oversight but we can't count the number of requests because there is no request.

So, in Sweden, the law says that any operator that carries traffic going over the Swedish border is obliged to if the authority comes to us and ask to equipment, we are advised to say where they can hook on their equipment.  End of story.

>> COLLIN ANDERSON: But that's to say that direct access is rarely, if never, sort of imposed on your network without your awareness.  You are required to apply, but you are aware because you have complied with providing that channel.

>> PATRICK HISELIUS: That's more or less the same level of knowledge that every one of us can have.  Law enforcement can see which countries have laws regarding direct access.  Probably, then, they also have it.

>> LUCY: All right.  Thank you.  Are there any questions?  Do we have another microphone roving?

>> I'm curious.  I have been doing analysis regarding surveillance laws in 12 countries and I did make myself a question whether in the law I found something that gives direct access to these companies in the 12 countries we research.  We didn't find that very clear cut, but I have some things, you know.  In El Salvador, and Peru the legal documents that regulate the collaboration between the private sector and the companies is secret.  Our researchers in those countries file for information are requested to get that data and were denied.  This ways place where I think if there is any direct access will be or might be but I don't know but it's secret and we were not able to get the data.  I was also searching some of the tech mandates obligations in the laws.  There is some very general provisions to collaborate with very broad provisions that might be interpreted but it's not clear and it's not direct are the laws that Patrick mentioned.

So my question for you guys is, in Europe, which is the legal provision that authorizes direct access.  Is there any?  Or you find it not in the regulations?  For instance, the documents that we filed for you, it was not the law.  It was not the regulation.  There were protocol of registration regulations.  It was a lower document so I wonder where is this direct access provision coming from in the law when you put that in your transparency report, for example?

>> ADNAN CHAUDHRI: I don't know all these laws by heart, but I can say in principle that different laws are differently foregoing as to clarity.  Some are, as you said, on a very high level.  And then there is secondary legislation and also licensed requirements which are not ‑‑ license requirements were sometimes referred to as license agreements such as for could contracts but not negotiated.  A license requirement is like regulation as part of the law.  Unfortunately, many times, that license requirements are confidential.

Something we say that surveillance laws should be clear and transparent, that's something that should be included because they are a regulation.

>> LUCY: Thank you.  Any other questions from the floor?  Yeah, Luis, go ahead.

>> I have a question because in Mexico, our organization has been working a lot in using information laws to try to get information and more transparency and we recently on Monday got victory in Supreme Court in which the Court gave us access to certain statistical data but the main standard the Court said would regard to transparency surveillance was there's going to be a case by case decision and where dealing with information can pose threat to national security, for example.  And I'm trying to think in ways in which I ‑‑ because I will make this question to authorities I know they will deny this information. 

They will say ‑‑ wanting to build an argument about ‑‑ because, my intuition is that knowing that there's direct access doesn't really help me circumvent the surveillance so you can't really say that by revealing that, we are harming the national security.  Harming is perhaps something people will be opposed to, and that's why you don't want us to know, but it doesn't really endanger or help someone resist that types of surveillance.  That's my intuition.

But I want to ask this or what other arguments can we build to convince courts or transparency bodies or even the authorities themselves that revealing this information doesn't endanger the efficacy of this surveillance.  Although in past principle, I don't think this is an acceptable, legitimate, necessary and proportionate way to do surveillance.  But just in a way to hack this and to get some information about it because unless we don't get really knowledge that this is going on, we cannot have a Democratic debate about whether the society will allow it or not.  We will get trapped until you don't get information.

>> LUCY: It's a really good point and this just shows what we're struggling in this issue.  So I have a couple more questions and I'm going to go back to Collin to try and get some motivation for this.  So we've been focusing on telecommunications operators and their involvement or involvement in direct access.  But can they provide access for other internet exchanges?

>> COLLIN ANDERSON: Well, certainly.  If you're thinking an intelligent actor, you're going to want to try to get access at any point the information is disclosed and I think the Snowden disclosures and subsequent analysis on that point has done well to articulate the different points of intervention.  I don't need to really just go into details on submarine hacking.  I think one place that's particularly interesting is that for example internet exchange points have been particularly useful places of intervention.  One such case would be the statements that were made by Klaus Landefeld about wiretapping at DE-CIX, one of Europe's highest traffics in the country.  What was interesting is that while Germany has certain laws that restrict the amount of information that can be collected.  When you're talking about, for example, laws that limit to 20 percent at a particular network, and DE-CIX might potentially have hundreds of operators that means that the law would allow for the wholesale collection of traffic from particular ISPs that interconnected at DE-CIX.  This is particularly relevant and useful when, for example, DE-CIX provides a lot of traffic exchange for, for example, Middle Eastern ISPs.

So, basically, any point along the traffic including cases in which the ISPs might not necessarily cooperate but unfortunately are rather in the interest of the intelligence agencies, there are very few strategic places of where you can interdict a whole lot of traffic.

>> LUCY: Thank you.  So PI, we've kind of been looking into cable processors and trying to get in touch with them but it's kind of difficult to do because they're these huge conglomerates, but Adnan, do you want to talk a little bit about how we tried to get some transparency and how we failed?

>> ADNAN CHAUDHRI: Yeah, so the vast majority falls through so many cables but these are owned by companies and weird knowledge of network conglomerates as Lucy said.  So we tried to take a complaint in 2014 to the UK contact following a 2014 disclosure by Edward Snowden that his companies had gone above and beyond what was expected of them, to which we were told essentially we had no case because there was no evidence and because the Snowden documents weren't evidence in itself.  And that's essentially the problem.  Because it's so secret, because we have no access to that knowledge, then how are you supposed to hold it accountable.  How are you supposed to challenge it?

>> LUCY: Exactly it demonstrates again that we have lack of forums available to bring any sort of transparency and scrutinize these practices, exactly.  So I guess, are we going to have to think about how are we going to move this forward?  Patrick from your position, what would you like society do to keep this moving?  What can we do on this side?

>> PATRICK HISELIUS: One I already mentioned is that operators to publish transparency reports, you need to know that in parallel with the requests that we can count, there is direct access.  And if there are transparency reports out there that lack information about that context, then that should be added to all transparency reports.  What we try to do from the industry perspective is also because these laws on surveillance, et cetera, are quite often quite complex and general the meaning is hidden somewhere so what industry dialogue has done is made it more easy to collect information that have helped from providing the database and it's available, and also in the room are those online, if you want to have a short introduction in the problematic issue of direct access, you can read a blog post which I wrote so it's a two‑pager and there you can get a grip on what direct access is all about and why it's problematic.

One more thing.  I think it was you, we don't know each other's names, that mentioned that there is a need for some kind of a model law so maybe that's an action point in the multistakeholder context because we know there is direct access in many countries but it's definitely lacking in many cases the three transparent and rule of law so if we can work together what's required to have direct access, then maybe that's a small other step forward.

>> LUCY: Thank you.  Is there any more questions from the floor?  It's a bit late.  A bit complicated.  Moses, thank you.  Can we pass the microphone to Moses, please?  Sorry, thank you.  Over here.

>> MOSES: So, my comment is about the role of multinational companies, especially the internet service providers whose companies could especially be in Europe but have branches in Africa.  They are maybe not 100 percent owners of the companies but strategic holders but when you look at the company that they do become, they will just say, 100 percent compliance or we received this number of requests but these are the only requests we give so we looked at some of the transparency reports that ‑‑ let me first give the Vodafone and it showed very clearly they were not showing any government requests but when you looked at what their local subsidiary was reported, those were two different things all together.

And then there were cases where there have been prosecutions or the evidence submitted to courts came from ISPs so you wonder to what extent the transparency reports are in their foreign operations or when they're operating, for example, in the countries where some of these laws might not be as strict as home countries, how, then, that plays out.

So, probably from your own experiences, thoughts, maybe freedom of information requests, maybe those are things we can ask forward to see whether they are complicit in some of their privacy issues.

>> PATRICK HISELIUS: To note, there are many companies out there that do not yet publish any transparency reports.  So those should also be asked, those companies, Vodafone and the ones that are transparent must answer by themselves but what I can say is what we do do in the telecommunications dialogue is that we are as transparent as possible and sometimes it's difficult to be transparent because in the end there is also safety and health issue for colleagues locally.

So, sometimes we cannot be transparent either because there is confidentiality required by law and/or there is a risk to our colleagues locally.  Unfortunately.

>> JUDITH LICHTENBERG: I would like to add that because of those confidentiality obligations for companies in the law, there are also heavy sanctions if they violate those obligations.  So, it's not only that the company itself can be sanctioned, but also employees can be criminally prosecuted and for example, for violating the disclosure of state secrets.  And another thing, and it has been said, already, for an example of Pakistan, is that companies can be forced to leave a country.  So, the risks are high if you don't comply with those legal confidentiality obligations, so I think it's very important to also change the laws in that regard, and actually, not only we get better laws that are clear and meet the principles of necessity, legality, and proportionality, but also that it actually becomes clear by law that companies are allowed to be transparent.

>> ADNAN CHAUDHRI: I think it's really important that foreign bodies put pressure on these governments to ease up on, you know, and say that, yes, we will provide more information, and be more vigilant.  For example, in Pakistan, a lot came from the government asking for transparency and data legislation is that, Oh, we are trouble makers or anti-state and so forth.  You've got the UN rapporteur on freedom of speech saying that there should be protection of freedoms and the right to privacy and so forth.  The UN, covenants on human rights said the same thing.  We've got questions asking for governments that needed to explain in overly broad language but allow for retention and so forth and also question why, for example, you've got in section 54 of the Pakistan telecommunications reorganization act that basically does not allow for appeal by anyone whose data has been accessed by the government.  So we need to have stronger bodies whether it's the UN or other groups putting pressure on the government to do that.

>> LUCY: I just want to say that the new UN regulations also recommends that states remove restrictions on being transparent as well, which is a real step forward.

>> This is very good.  We are coordinating a project that is led by many organizations from Latin America where we are pressuring local companies, only ISPs, to be more transparent.  It's similar to the project we have in the US, Who Has Your Back?  When we are asking companies to comply to certain standards that have been developed by the local partners based on local laws and realities.  My question is some of these companies are global, but some are regional, are not totally global.  Some are part of the industry dialogue right now and I wonder if there are plans for instance regional global transparency reports.  I wonder also who other members from Latin America are in the industrial telecommunication dialogue, conference, or venue.  I don't know how you say.

>> PATRICK HISELIUS: It's the Telecoms industry dialogue and you can get the home page from me afterwards.  Operators present in Latin America, if I'm right it's Millicom and Telefonica and AT&T are all members of the Telecoms industry dialogue.  And when it comes to questions direct to Millicom or any of the other companies I would have to refer to them.  Thanks.

>> LUCY: Thank you.  I just thought of another question from what Adnan was saying earlier about encryption.  With encrypted traffic, could that impact how states can practice direct access?  Does that have anything to do with it at all or not?

>> COLLIN ANDERSON: Oh, I'm answering that?

>> LUCY: Yeah.  You're our techy.

>> COLLIN ANDERSON: Oh, I'm the token techy.  Well, there's multiple places where encryption can happen.  Encryption happens, for example, on the cellular network between the phone and the tower, that's irrelevant because ultimately the telecommunications company has full access to the traffic.  End‑to‑end encryption is the safest way to protect content, certainly.  It allows for less visibility into the traffic, less intermediaries that might be subject to subpoena, so ultimately it is highly beneficial to encourage using encryption at all times, not just when you think you're being surveilled.

>> ADNAN CHAUDHRI: But you would still get metadata if not content.

>> COLLIN ANDERSON: Here, you talk.

>> LUCY: Okay.  Any more questions from the floor?  Is there anything else anyone would like to add?  Carolina?  Closing thoughts.

>> CAROLINA BOTERO: I would just like to add that there is the issue of transparency and how to reach to more countries is very important in international sphere because we're all assuming also that we are using the same language whereas in Latin America or at least in Colombia what we found is that whenever we talk to countries about transparency, they think immediately on corruption because it has been the way that they have been approached.  So, even if they are not only local but also regional and international, it's been hard to put them in the page of thinking on transparency.  They are not ‑‑ they just think we're complying with the law and there's nothing to do with telling the others what we're doing and it's very hard to explain and the responsibilities they have on decisions towards Human Rights.

That said, I would also like to point out something else, which is, in Colombia, during many decades, we have big surveillance program by the Department of Security that is no longer working but it was the traditional way of tapping phones so people that found to be surveilled could find that they had these huge folder on their full life pictures, everything, and records of their communications because they were tapped.

Today, that's very, very hard to prove, and it is very hard, then, to make people realize the impact that it has even if now it's much easier to track them and know their communications and everything.

So, how can Civil Society think or show people the impact of surveillance at least in our countries.  I just think on the projects that the Germans did, the MP where he asked for the data and he showed ‑‑ that, I think in Colombia wouldn't have much impact because of our history of violence and problems, security discourse is very high and people just, kind of they don't have nothing to hide.  That wouldn't be much of a problem.  It's a much more impact when you see that there are pictures of your children, all your schedule, and so on.  And I wonder, how can we reach that point of showing that information when it's not that easy now?  There are no folders anymore.

>> LUCY: Patrick, did you have last comments?

>> PATRICK HISELIUS: Yes.  There's actually one category of stakeholder which is not present at IGFs, but which is actually the stakeholder that is the most interested in our transparency reports, and that is investors.  So, investors quite quickly read our transparency report and then they follow up with questions, et cetera.  Much more so than Civil Society and NGOs, et cetera.  And maybe that's something that companies that are still not writing reports should know so they can start writing their own transparency reports.

>> LUCY: What was your question?  Sorry.

>> PATRICK HISELIUS: Investors react positively.  There is one stakeholder that often react negatively, and that is media because media don't understand that the call for transparency from NGOs and the work of transparency from companies is to a step to respect human rights and try to bring the discussions forward.  Media, they often tend to take these transparency reports and try to find something which they can take as a bet, yeah.  And direct access is a bad thing.  So it's easy to write a bad article.

Investors like that we write transparency reports.  Yes.  No, no, no, no.  No, no.  They don't like that we provide direct access.  No.  No.  No.

>> JUDITH LICHTENBERG: Yeah, I just wanted to say as a final comment that the discussions here show that this topic is not just any one company or any one Civil Society organization and that it's important that we all work together and so it really requires a sustained multistakeholder collaboration.

>> LUCY: Thank you very much.  A positive note to kind of end on this.  I just want to wrap this up because I think everyone is coming to the end of the day, and everyone is tired.  This has been really useful.  We wanted to put this together to show how difficult it is to work on that it's not going away.  It's getting worse.  We've seen where we're getting our information is leaks and rumor.  I think going forward for us at PI is that we do more research on this.  We want to start throwing transparency on other companies, targeting investors is a really good point, and meticulously go through all of the transparency reports for all of the clues with the company.

Like I said at the beginning, this is an issue we're continuing to investigate and we would really like to hear from anyone that has information that could help us map out the countries and help us understand more.  Do get in touch with us if you'd like to collaborate on that so thank you very much to the speakers and also I want to say thank you to the amazing volunteers and IGF staff that have been taking care of us over the past few days as well.  So thank you very much.

(applause)

(Session was concluded at 5:49 p.m. CST)