The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
Panel: Framing: What do We Mean by a Rights‑Based Approach to Cybersecurity?
>> DEBORAH BROWN: Good morning, everyone. I think we should get started now. Welcome to rights‑based approach to cybersecurity, today's event. Thank you very much coming out Sunday morning to start your IGF with us. I would like to recognize the co‑organizers, the center for Internet Society, the Centre for Communications Governance At National Law University Delhi, Citizen Lab, Centre for Internet and Society, Global Partners Digital, Derechos Digitales, Privacy International and the UN Office of the High Commissioner for Human Rights.
I would like to give a bit of a background for why we decided to organize this event and this conversation today at the IGF. In recent years we have seen cybersecurity issues prominent on the IGF's agenda; and within this space we have seen an acceptance that security and human rights are reinforcing and the rejection of the false dichotomy between rights and security. And in the last few years we have also seen the freedom online coalition Working Group adopt a set of recommendations for free and secure approach to the Internet and cybersecurity issues. Yet on the ground we have seen a quite different situation. We have seen conversations around cybersecurity closed down and securitized and not have public discourse or scrutiny around policies. Alarming rates of personal data have been breached and putting us at risk around the world and also at the national level. Different policies being adopted that put human rights at risk. We wanted to have a conversation here in a multistakeholder environment to see how we can make progress, push this conversation outside the IGF, identify the real rights dimensions of security issues and see how we work in a multistakeholder way to advance rights to cybersecurity.
It is not a pipe dream but a reality. Without further ado, I would like to introduce our first moderator, Peggy Hicks, the Director of Engagement, Special Procedures and the Right of Development at the UN Human Rights Office. From 2005‑2015 she was Global Advocacy Director at Human Rights Watch and before that she worked for the UN mission in Kosovo and was a representative in Bosnia and Hevzegovnia.
First panel: What do we mean by a rights‑based cybersecurity? Over to you, Peggy.
>> PEGGY HICKS: Thanks so much, Deborah. It is a pleasure to be here. We were talking about the fact of the idea that a Sunday morning event is a fairly uncommon one in Geneva and I think that the fact that you are gathered here today shows something both about the commitment and the relevance of the topics that are going to be discussed today and I am sure it will be a fruitful conversation.
I am sure we will be joined by others once they get through the intricate labyrinth of the UN pass systems and all of that. So, thank you for joining.
We are also very fortunate to have assembled a wonderful panel that I will moderate today and bring through some of the conversations. As Deborah has said, the topic, as you know, is one that is not only relevant in an esoteric sense but relevant in a very real and live sense; that we see the impacts of cybersecurity issues in so many facets of our lives including, of course recent attacks on hospitals and other issues. But it's been a broad‑based concern that I think even those who weren't part of this conversation, are joining. And I think we should see that as an advantage: That there is a real interest and desire to join.
I come here today directly from traveling out to Silicon Valley where I was having conversations on a variety of issues but cybersecurity is of course one of the issues that comes up frequently. For me, it raises what I see as 1 you of the central issues in the entire discussion over the digital space most prevalent in this topic area and that is the relationship between private sector responsibilities and those of the public sector and the government. So, looking at how those pieces fit together, I think raises for us very, very centrally, the questions of human rights because we think that that can be the framework and lifeline that can fit between and give some of those answers to where do private obligations begin and end and what are those obligations and what are the government's responsibilities and how can it operate more effectively in a private sector space.
So, we are looking forward to hearing the views of our panel on these crucial issues, opening up this discussion of human rights and cybersecurity. I am going to turn to my fellow panelists here. They will each speak about five minutes. I will ask them each a question and then we will open it up to the floor for further questions, discussions and comments. I have the pleasure first to introduce Marietje Schaake who is joining us, a member of the European Parliament from the Dutch Democratic Party and has been very active in the foreign affairs and on the subcommittee on human rights. I understand also as part of the Kenya election observing, which is where I think I saw your name most recently. Others may have seen it there as well. We are very glad you are able to join us, Marietje.
Based on your work on Internet policy, can you give us a sense of whether you think human rights considerations are currently part of that debate and part of the discussion around cybersecurity policy and regulations.
>> MARIETJE SCHAAKE: Should I start right away?
>> PEGGY HICKS: Please.
>> MARIETJE SCHAAKE: Thank you so much. Good morning to all of you. It is great to see you and to be part of this program discussing the importance of a rights‑based approach to cybersecurity.
I think the broader context of how security versus rights is seen is very important; and I think we are at a point and I comment on this from a European‑centric point of view I must stress as a member of European Parliament this is the primary focus of my work. But in Europe I believe we are seeing a true challenge to the notion that rights and universal human rights are always an integral part of what we do; and more and more, for example, when it comes to so‑called migration management policies but also when it comes to countering terrorism, I am afraid that rights are sacrificed very easily. So, while I firmly believe we should always base policies on human rights in practice, this is a broader struggle than just around cybersecurity. So, just to share that upfront, the opportunity I believe lies in creating what I would call a human security angle to security matters, including cybersecurity in a way that we ensure there is trust and security but that they are not undermined by new efforts against terrorism or cyberattacks. Because, in practice, very often the bulk term of cybersecurity becomes an argument to justify the restriction of people's rights.
And this goes especially for accessing information. Think about intelligence services or police forces; the whole discussion about whether backdoors in devices should be required to facilitate this access. The question whether encryption should be weakened to facilitate this kind of access I think are all cases in point why this is important. I believe, of course, this is the completely wrong approach.
I think encryption should be helping people be safer and weakening it in the name a of national security weakens cybersecurity. This happens on a daily basis that in the name of security ‑‑ sorry.
>> I was fixing the . . .
>> Should I do something with the mic?
>> I will try to move a bit closer in are any case. I believe the EU should be leading a values‑based approach to security and I believe the two do not have to be contradictory. So that would be promoting security and integrity of the open Internet, encouraging restraint on the part of governments when it comes to national security policies that negatively affect the security of the Internet's network.
For example, data and the people using it and streamlining digital rights throughout important and foreign policy efforts. So to make it an integral part of what EU stands for not only at home but abroad. I think this global context is essential because we see another approach, Internet sovereignty approach by countries like China and Russia that are ‑‑ that are really seeking to protect governments' interest limiting access to information, cracking down on online dissent and using the internet to control people and oftentimes, here too, the national security and cybersecurity argument is used.
Another point ‑‑ and maybe we will get to that later ‑‑ I won't elaborate too much but I think we should have it on our radar is the contrasting interest between the private and public sectors. Large companies are often responsible for data breaches that impact citizens directly and therefore have risks of rights being violated. And I think there can often be a contrast between the interest of companies to be open about risks to take responsibility to inform people, versus saving their reputation and trying to put under the rug the actual weaknesses or breaches that they have faced and so liability issues and security and rights by design I think are very, very important to look to the private sector for as well to bind them where it is necessary.
So concretely I wanted to highlight two examples of where I do think we are making progress to kind of make it concrete while the concepts are essential.
I have been working for six years now on update of the dual‑use regulation. I know this is not always a popular topic in civil society so I also welcome a discussion about this. The idea is to have stricter controls over surveillance technologies and other systems that can be used for hacking, tracing, tracking, journalists, dissidents, students or basically anyone that the buyer of the systems wishes to keep in check.
Even though this is a multi‑billion Euro or dollar market there is hardly any regulation. Readily made, purposefully designed tools for surveillance are sold off the shelf to whoever wants to purchase it. Since the Arab uprisings, I learned how important the European market is for authoritarian regimes over the world and I have been trying to change the regulation to make sure that human rights are a serious criterion before licenses granted to these companies when they wish to export. So, we are about to vote in the European Parliament about this update then we will go negotiate and it will probably upgrade the law we have in Europe which will put this human security angle into our laws, which will require the makers of systems that are commercially available and are used for surveillance, hacking, exfiltration from people's devices, require them to ask for a license and require the authorities to assess whether rights could be violated with these tools and it gives them the power not to grant the licenses to these companies.
Essentially what we are doing is making sure that systems that are designed, marketed and sold for surveillance cannot be used for human rights violations or at least the criteria are significantly sharpened so oversight is sharpened and human rights becomes a part of the assessment criteria. This shows a rights‑based approach can work and it will be persuasive. You can take the lead and it will raise the bar globally. If you have any questions, I am happy to talk about it later.
Lastly, another area I have been working on that I think is interesting when it comes to improving cybersecurity and transparency in oversights in intelligence services, government's role and the private sector is when it comes to vulnerabilities and disclosure. Software vulnerabilities of course are used by governments to exploit weaknesses to gain access to people's devices. And there is not that much regulation yet or there are not that many norms yet about how to deal with these software vulnerabilities which can also be used by criminals, hackers and others who may have criminal intentions. So it is essential that the private sector has sort of steps to take to ensure users of systems that they sell software to that they sell safe software. Make sure that the public's interest is served, people's rights are respected and cybersecurity is increased by patching the vulnerabilities in software and making sure they are not exploited in one way or another.
The dual‑use regulation is a rights‑based approach when we regulate in a couple of months and the area of vulnerability disclosure is interesting to zoom in on when it comes to a rights‑based approach to cybersecurity. Thank you.
>> PEGGY HICKS: Thanks very much, Marietje. I think it gives us idea to move forward and certainly picks up on many of the themes that I had hoped we would get to in terms of the private and public sector discussion as you flagged as well.
We are fortunate to have on my far left, Chinmayi Arun, the Executive Director for Communication Governance, National Law University in Delhi and Assistant Professor of law there, consultant to the Law Commission of India and a member of UNESCO India's Freedom Committee and a Fellow at the Berkman Center at Harvard University. We are looking to your thoughts as well.
Particularly, perhaps you can elaborate, moving from Marietje's comments and give us the reasons you think human rights has not taken as central a role in these conversations and in your view what human rights can add to the conversation. Thank you.
>> CHINMAYI ARUN: Thank you ,Peggy. I am grateful to APC for creating this forum and starting this conversation, which I think is so important. I couldn't agree more with what Marietje just said. I think part of the reason we got here in the first place is that all these years cybersecurity has taken place in a sort of militarized silo; has been a conversation between people interested in national security questions largely an intergovernmental conversation involving industry a little. But this human element that Marietje highlighted beautifully hasn't been accounted for over the years and that created almost a parallel conversation. This is a good opportunity to change that and I welcome it.
So, to give you a few examples of why it's quite clear that human rights is and should be central to cybersecurity: If you think about the base concept of national security law and order, both of which underpin cybersecurity, you can see that both actually have institutional designs such as public international law, proportionality, constitutional principles built in from the start. So as far as ‑‑ for these conversations to happen far away from these principles, amongst people not used to articulating and implementing these principles means that cybersecurity becomes in a sense radicalized within the security field, you know, without accounting for proportionality at all. If this is happening in silos away from people concerned about human rights, who says that what the world agrees on is implemented in the context of cybersecurity.
And so that would lead us to the question of who are the right people to introduce this element into the conversation? If it's happening currently just between national security advisers or the heads of armed forces of various countries; and then if organisations like ours should succeed in participating in the conversation, I think that would then lead us to a change in the geopolitical politics of how we are thinking about this. Because, again, the trouble with having security conversations in international political silos it becomes a foreign policy conversation that doesn't account for the human rights of the individuals that live in the country affected by the negotiated treaties and organisations like ours can play hugely influential role in that context.
I think that for the human rights community and Internet policy community this will be a challenge. Like trade, this is a super‑specialized conversation. We will have to learn to engage with it on its terms. We in New Delhi the National Law University have set up a program on cybersecurity. And it is education‑focussed. We are learning and teaching people the baseline principles of national security, so when we argue for human rights within that conversation, we can be specific; we can use the language that these actors use and engage with them on their own terms. I feel that is a useful way to go.
Before I wrap up, there is one more thing I want to flag in the context of geopolitics. We have been watching the Internet governance debate a long time. The engagement with a Global South and how it takes place is really important. We are concerned about the actual effect on rights of people within the Global South.
Cybersecurity is a little complicated because the amount of money that we are talking about over here ‑‑ we are talking about the evergreen industry (?), arms trade, people selling equipment and data to governments, I think that it would be helpful to do an ecosystem mapping every time we try to deal with countries in the Global South so one is not having wrong conversations with people. I guess I am ‑‑ that has a commercial interest in this ‑‑ representing human rights. I think it is important to make sure that it's the people that care about human rights and that will do their absolutely best to ensure that human rights are protected are the people whose capacity we build and we include in the conversation. Thank you.
>> PEGGY HICKS: Thanks very much. I think that is a fascinating perspective to bring in. Your point about needing to be educated and bringing the lingo and the understanding from the national security side into the discussions, sitting in my chair, from the human rights side, I can see those gaps; that we need to be able to train people who have the ability to speak on both sides of that equation and that will help us advance the discussion very substantially. So, looking forward to picking up that point as we go forward.
We are also very happy to have with us Kathy Brown who is known to you. She joined Internet Society as Chief Executive Officer in 2014 and is leading the Society in keeping the Internet open, thriving and benefiting people over the world. Kathy is perfectly placed on the panel as well because her career itself spans the private and public sectors and her background with the United States National Telecommunications Administration, the Federal Communications Commission and her work piloting and leading policy in corporate social responsibility initiative for the telecom provider Verizon give her a unique place to enlighten us on these issues.
How do you think a rights‑based approach could benefit the global community and what it means from a multistakeholder perspective?
>> KATHY BROWN: Thank you. Thank you so much for having us here and for opening this very important topic. I would like to very much build on the presentations you just given and suggest that not only do we need to understand the law around cybersecurity but we also need to understand the technology and so I am going to add to what you say: That, for the rights community to be successful here, we need a number of things and that is the ability to have a seat at the table. So I think many are trying to forcibly make that happen. And we have a class of disciplines that is requiring us, I think, to educate ourselves this is the discipline of those we want to speak to.
Understanding the technology of the Internet and the layers of the Internet is enormously important that we enter at the right level and at the right levels to talk about var us concerns that we have. So we can start from personal security in your own home online and we have one issue. When we think about the hacking of the companies that hold our security in our own data, we are thinking about yet another and when we think about what is happening across the world, for instance, fake news and the act of national sovereign governments to actually do what I consider warfare, then we are talking about yet another level.
To understand where we even should enter the conversation, we have to understand the technology. We have to understand how the very architecture of the Internet which is an open architecture, built as a best efforts network of networks. Voluntary in nature, it is itself meant to be an open platform for freedom of expression; but that has many vulnerabilities for the bad guys to use.
No matter whether the bad guys turn out to be corporate folks who don't think they are bad guys; we just actually want to monetize some of the things available to them on the Internet like your data; or whether indeed they are criminals who want to go and grab your credentials from the credit company who holds them or whether they are indeed bad state actors, we are in on a different level.
So, when the rights community comes to law enforcement and to national security types and says we want in, the answer is well you don't know what you are talking about. So why are are you here.
Well, we do know what we are talking about in terms of our human expression and the rights of human beings online as well as offline. We know we have a whole body of work in the offline world as to what it means to ensure that human beings have the right to expression; have the right to assemble; have the right to their own sovereignty, if you will, their own self; and we can bring that to the conversation online. But I am going to agree with you that we need to do some work to understand how to enter that conversation.
I think here at IGF, is exactly the right place for us to take up what we have called a multistakeholder conversation in process; that we really haven't put into effect yet. That every nation of the world raised its hands and said yes, this is what we should be doing in the Internet space and now have gone off on this issue of security; and it has captured the whole of governance model.
Suddenly it is about security and nothing else. We can't allow that to happen. This forum is the place for us to reassert the notion that we need to sit at the table in a multidisciplinary way. And I think if we start to use "stakeholder" in different ways for people to understand, we might get some leeway. That is it is a discipline issue. We have just as strong a discipline in the technical community; that community that builds the Internet, that is still evolving, the Internet, technically as the human rights community has in human rights; as law enforcement has in law enforcement; as the military does when it protects us.
We all want to be safe, right? So if we say security and safety; we want safety. That is part of our human rights to be safe. But we don't want safety to turn against us so we are no longer safe.
Here we have to discuss what it means to bring those disciplines to the table and in what fora and to what purpose? What are we each trying to achieve so we can have a conversation that makes sense to each other.
We found that, in doing this, in convening various stakeholders, various disciplines, that is possible. That is possible. But I would agree that, once we push the issues or we bring the issues up to an international level where it's very obscure and it's very kind of . . . big treaty kind of issues, we get farther away from solving the problem and more caught up in whomever has the power at the time.
So, I think as we think about this, the notion that we should solve problems where they occur and that we should bring a multidisciplinary approach to solving those problems would really do us well in this space and I would finish where I started, which is to say that the Internet itself is a platform for free expression.
We have a choice here. We can either stick with the principles that we have had in building the Internet, in evolving the Internet for human empowerment, for individual abilities; or we can ‑‑ we concede that opportunity to a notion that, to keep us safe, we need to give that up. That seems a total wrong way to go; and it means that we have to step up and say no, we are going to be here and at the table to shape the future of the Internet.
>> PEGGY HICKS: Thanks very much, Kathy. I am sure that final point will be one that will resonate through many of the conversations that we have in that forced binary choice between security and freedom, is at the heart of many of the questions. And as you said it's only when you start to tackle the problems at the practical level that I see that the choices are not only not necessary but actually inappropriate; that the greater security is not necessarily going to be achieved by the things that limit our freedom that is often posited.
So I look forward to hearing more about the multidisciplinary approach that you recommend. Before that, we have a final speaker, Francisco Vera Holt, whois the Advocacy Officer at Privacy International. I was going to comment on your policy director role at Derechos Digitalis and cybersecurity office at Chilean Ministry of Defense, as someone who worked through these issues as well. I am sure you will have plenty to tell us coming from that background as well. Could you tell us how Privacy International addresses the privacy along with cybersecurity.
>> FRANCISCO VERA HOLT: Good morning. I am very happy to be here and share my experience. I have the chance to be in the revolving door between civil society and government.
Also this conflict between cybersecurity and rights. Either you have more security or privacy? If I believed that we wouldn't be here. We are trying to look for ways in which we can reconcile and make these two approaches compatible and reinforcing each other.
So in that matter, in Privacy International we have been working since last year coming up with a framework, what we decided as a state in terms of ‑‑ not a state . . . but a state of things in terms of cybersecurity? How do we envision this and what would be a good cybersecurity approach? What does it mean in the context of a bad cybersecurity approach? We also share the view that we should have people at the center, cybersecurity discussion.
What we decide in this, it would be like having this network, cybersecurity at the center, but also device and networks. That involves a human rights approach to embed in this discourse that is necessary. When it comes to individuals, where individuals are responsible for how to deal with digital networks, how to be on the Internet. Taking approaches, borrowing approaches from other disciplines.
One example we drew was from public health: How you try to create security by immunization. Or having people aware of digital norms. But when it comes to devices now, we have an increasing number of devices connected to the Internet. We have what we call an Internet of Things.
What are we doing to increase the security of these? What standards are taking care of users in that context. Also when it comes to the networks, are we sure that the routing communities that we or our ISP providers are using are secure? What do we embrace as a secure Internet, as secure networks? That comes with what some governments especially in the Global South do approach or has this approach in terms of cybersecurity, which is sometimes completely the opposite. Not only the Global South. Everywhere. Especially this national security approach.
I think the problem there is really one we want to define with national securities it is hard to come up with a definition. Some default to military language, some to international relations or political science discourses or debates or power issues. Then we have this cyber now thing. Not only about cybersecurity but about cyber. I have been in meetings where people talk about the cyber; how do we protect, use the cyber weapons and so we have lost the line or coherence in the debate because nobody knows what we are talking about. That is very concerning.
Then you have national security discourse coming. Bringing the same old security discussion into the digital realm and taking or allowing for security agencies or law enforcement to take over these discourses.
When we want to talk about the devices and networks and we find ourselves discussing cybercrime or what should we have on the Internet and how do we say ‑‑ what is a crime ‑‑ it is very weird sometimes. Also how do we envision the security process or how to have secure networks. Borrowing from my experience in government, some government officers think that hacking or cybersecurity is some thought of wish list thing or magic.
So, having a cybersecurity company is liable having a spell cast on to something else, like a Harry Potter book or something, instead of understanding what is beneath. People really think they have a ‑‑ something was taken advantage ‑‑ but someone stole their passwords. Those conflicts and differences in perception are very concerning because they inform policy issues, cybercrime law that is affecting people. Or they turn into discourses ‑‑ they come from 1990s about responsible encryption, which means give us a backdoor or do implement with encryption, which only works in the benefit of some government agencies; but, in the long run, impacting the trust on the digital networks and making it secure or insecure for everybody. Those kind of bad approaches are concerning and we need to be able to influence the human rights discourse. That is another problem sometimes.
When we read definitions coming from civil society and how to embed human rights in the cybersecurity discourse, it is weird that we are trying to have a definition; we need human rights definition at the center, it takes care of privacy before other things, every time we do human rights assessments and such. That is not the way a public or government officer thinks. It is hard to demand human rights as a blanket statement instead of embedding that approach for instance in technical discourse.
What do we mean talking about human rights assessments? How do we make it compatible trying to address security, in a technical, rights point of view, also international point of view, what does security mean in those concepts and how can we convert and come to something with these concepts that addresses the cybersecurity landscape, what we want it to be, but also make it understandable for people at the decisionmaking level. Not only government.
I mentioned government a lot. But also in the private sector. What they should be doing in terms of cybersecurity. I mentioned devices, Internet of Things. How many cameras connected to the Internet or Internet‑connected things are we selling nowadays. Companies are not responsible for the frameworks of what they are selling because they used a factory in remote countries, some bundle, sell the thing and don't take care of anything else. This is complex. We tend to say cybersecurity ‑‑ what can we do?
What we are doing at Privacy International, beside the policy discussion we discussed, it is taking care of cybersecurity. Securing the devices, securing the encryption discussions, or the big platforms. But sometimes at the smaller session we don't have an approach of security besides signal, store and ‑‑ bad advice. I am not giving that advice. Unless you have risks that justify those measures.
So, when it comes to that, we developed a framework. Mostly, I have a friendly router which we are deploying and will be writing about it. I recommend you follow the latest things that we have been writing about how hard it is to get security and how it involves organisational divisions. Taking the organisation side, networks and securing them that would allow civil society to understand how this dimension goes beyond your personal devices or the platforms. What's in between. What about enterprise or government security which is an issue that works so we are blindsided and we don't understand how that works so we are looking for decisions that look for the consumer technologies and we need to understand more technologies that what we face every day. I hopefully did not spend more than five minutes.
>> PEGGY HICKS: That was actually very thought‑provoking, Francisco. I think you raised a number of points people want to follow up on. I very much appreciate how you brought in the practical side of the conversations that you have been a part of. I am looking forward to hear more about "the cyber"; and you made a point how we see the conversations in the digital realm carry over the conversations we have outside. The same conversations happen around standard counterterrorism laws where we had that same conflict and seeing how that now evolves into the digital realm I think is really interesting.
So, that's the view from the panel here. We are really looking forward to hearing any questions or comments from all of you if anyone would like to jump in. Please.
All the way in the back.
>> Thank you. I am Sonya (?) from Third World Network. My question is to Marietje Sclaake. The data breaches, the European Unions e‑commerce, free trade agreements which restrict the government's ability to require security, banking should use two‑factor authentication. The trade is restricted for one category, online banking but not shopping online, for example. To Mexico, DD Trade proposed no exceptions. So you have to let the companies do what they want in terms of security and we trust it will be secure enough and that is fine. Even if the exception of privacy applied. You have to pass one out of four tests, 44% success rate plus an answer that says you can't use it with laws inconsistent with that requirement. What do you think about that DD Trade proposal. Thanks.
>> (?) from Namibia. At what levels we enter the conversation as human rights actors. In southern Africa we had ID. Created model law. There was no multistakeholder process. So, here's a UN organisation that isn't living up to the principles of multistakeholders. So, shouldn't we be addressing at that level? In Namibia we have transactions and cybercrime panel. We are telling government all the time: This thing was not ‑‑ there was no consultation around this thing and it is based on that law.
Is there actually any meaningful consultation happening at the IPU level? Are these organisations also working in silos and not talking to each other around these issues because it is creating problems for us at regional and national levels.
>> PEGGY HICKS: One more question before we go back to the panel? Anybody? No? Okay. Marietje?
>> MARIETJE SCHAAKE: I wanted to also touch on what you asked but mainly what the other panelists were talking about when it comes to speaking each other's language; understanding each other's approach: I would really stress the opportunity that I see, especially for people in civil society to try to understand what the needs of the other are. Because security is a legitimate concern of governments, even if you may disagree with the entire approach, I think it is important to start with that. I encourage everyone to think in terms of positive agenda.
What I see if I look through you the hairs of my eyes, so I know this is a simplification, the messages from civil society are negative: You guys are are getting it wrong. Protest against this measure. Government is wrong again, et cetera, et cetera.
Well I think, oftentimes, frankly, people with responsibility for cybersecurity are in search of solutions. But it is hard for them to say hey, guys, we don't know how to tackle this problem. It is a message that most politicians or governments will simply not like to give. It is hard for them to admit where they don't know. So I think a huge opportunity and I think all of you were saying it in one way or another.
I want to echo, from a lawmakers' point of view, if you can come up with solutions in a concept at a time in a language in a way that is inviting and adoptable for people who are are making these laws I think it is ‑‑ will lead to more concrete and productive outcomes and it is actually an opportunity that I don't see that many people taking while I think it is wide open.
I wanted to share that after everything said about speaking each other's language, understanding legal, technology ‑‑ I would admit, all aspects. I think it is a valuable point all of you have made.
On DD Trade's proposal I don't have in front of me, it is hard to comment on a technical question off the cuff. I am happy to talk about it later. I would point to that I have proposed and was supported by a large majority last week: A framework for a EU strategy on digital trade rules. Because I think it's important that there is a comprehensive position. So that indeed there is an assessment of whether you should stand and that position should be transparent and then it should lead the EU's position in various trade negotiations.
And you could find it onlined on my website about a digital trade strategy for Europe. It was a remarkable majority across different political parties in the European Parliament. I think what we are showing that while it is important to fight for example protectionism online for example for states localization or demands to hand over source codes or place servers in countries which gives these authorities access to data, et cetera, so, fighting protectionism is a legitimate aim but data protection is a legitimate point to pursue and the EU can show the two go hand in hand. I invite you to read that and it gives an idea what I have been working on and the Parliament has been working on to get a strategic and transparent position from EU. Appeal to not only DD Trade but in general to come up with a strategy on trade rules.
>> PEGGY HICKS: Our second question, maybe, Kathy, you would like to comment and others?
>> KATHY BROWN: I think you are so right and none of us mean to put the full burden on civil society and the human rights community to learn everything and the governments don't have to learn about us; they need to learn about what the expertise is amongst their citizens and amongst those who take interest in the kind of policy positions they are taking, particularly when it has technical underpinnings. The need not only for consultation but beyond that for collaborative decisionmaking is ripe here; that is what we should be doing. There is amongst various governments a kind of show of multistakeholder inclusion that is not really real. And to the extent that the Internet society has been effective in various fora is to say than it is to say that we need the ability to be at the table and have other members of civil society at the table and I think collectively we have to make that demand. The ITU is open I think to that. But I think you are absolutely right that there are silos there as well and they are not necessarily speaking across the silos.
Recently, certainly in a development space there are many people at the table all speaking ‑‑ I am not sure it is is collaborative decision playing but at least they are there. On the technical side less so. So I think we need to knock on the door and say no, ef you have to open these processes in a fair way, useful to you and to us so we get to the right decision. So, I will talk to you afterwards a little more about that.
>> CHINMAYI ARUN: Can I chime in? Since you mentioned the ITU and I had a little experience dealing with that, I think that is also the place where the politics of representation and questions of expertise are at odds with each other. As far as I can tell, the ITU is comfortable engaging with expertise but has difficulty dealing with a broadbrush campaign. While I agree with what Kathy is saying, I think we can do a lot of work in creating that separation on building on both fronts in our countries. When we started engaging with the ITU it was (?). I remember being part of civil society sessions in where there was difficulty understanding how they fit in the larger universe of treaties The demands made were unrealistic ‑‑
I happen to be a lawyer and I happen to like reading democratic legal texts. So a colleague and I pieced it apart and what it meant in the context of three other treaties ‑‑ that is something needed and we can do it in addition to what the ITU has done.
>> FRANCISCO VERA HOLT: In regard to the ITU role, the silos that are both within or outside ITU and cybersecurity it is a discussion right now. Beyond governance, the security discussions take place over many places in the UN. The group of government experts that work in security are not mandated by the same governance of this forum.
When it comes to the real (?) of the ITU, it is not clear, ing right now, how far the ITU can go in terms of cybersecurity. They do what they can. They create frameworks and should engage more with other stakeholders; but that takes us back to the other discussion. The idea has to do with the membership and that expands regional and telecommunications, also some of them interact with IT universal. So yes, it is another discussion. It is very hard on the mission . . . breaking the silos, but trying to communicate, discussing ‑‑ when we talk about cybersecurity it is a systemic discussion, not one side; technical, social, legal. But how we can make all the issues converge and come up with something that makes sense for security of network, devices.
I think these should be brought together. The ITU is not the only body to make the decisions. Recommendations so far that I know of from the ITU, it is about frameworks, good practices. When I was writing a strategy, I used a lot of strategies from the European Information Security Agency or Office. It is also about how you can take material for country decision‑makers that not only stand on their own institutional independence, UN ‑‑ it is the quality of the advice. Not: This is a good idea, you should implement it. There is no such binding relations. The recommendations should stand on their own quality and that is where of course the process as well as the legitimacy of the instrument we are using.
Briefly on the other side, the question, there was a discussion about, banking, other infrastructures, critical infrastructures, which is not precisely about trade you security as a whole. Financial structures, the financial system, not only retail or e‑commerce, financial institutions tend to have more oversight and agencies placed there. when it comes to trade and security and privacy, I think it is very hard to be positioned because of the protections inside, the privacy protection side and the surveillance enabling side as well.
When we talk about localization in some countries it is not because they want to develop national companies which they sometimes do as well. It is because they want to have the information of the citizens at hand to have access to them.
We have this problem where we create information, Big Data, whatever name we have for that. We don't take care of the consequences of that. We see many discussions like that coming. Of course we need international standards hopefully binding. There is difficulty of putting things to go. The European Union is working in positions where it comes from free flow of data. We are bending over backwards to address information flows. The human rights process is a process and we are happy to engage with you in the future.
>> PEGGY HICKS: Thank you very much.
We are at 10:15. I told my fellow panelists they would have 30 seconds to wrap up. Should we take one more.
>> We have heard about silos, need for a multidisciplinary, multistakeholder approach. Marietje talked about the need for regulatory frameworks for some levels and then there is the discussion taking place in the ITU but also about a treaty. There are some states that feel the way to address the fragmentation in discussion is a treaty. Kathy talked about actually the opposite which is to solve problems. Closer to home. So I just would like a reflection from the panelists on this: To treaty or not to treaty when it comes to cybersecurity. Just short reactions.
>> PEGGY HICKS: Very good closing question. I will go through the panel with your closing remark plus that and you are limited to a minute apiece. So, be concise, please. Chinmayi.
>> CHINMAYI ARUN: I have two parts to this; one I have been planning to say and the other is to respond to you. We need to build expertise, to invest in capacity‑building all around the world. When I say build expertise I mean people from developing countries should be speaking in their own voice but in their educated own voice.
I see people with 25 shades of skin color, saying exactly the same thing to me. To me, that is a problem. I hope that we are going to invest in building expertise because that is how we are going to learn. It has to be a diversity of very educated engagement on this question.
The second is: To treaty or not to treaty? I feel we should reclaim the treaty. The ICCPR is a covenant but you know it is ours.
>> Oh, you are very good.
>> I am going to take my time to refer you to The Internet Society's website. Deploy 360 is a rich site with technical information on it. Do studying, come back to us with questions on this. We actually want you to delve into the technical parts so you can make the policy and political decisions one needs to make as we pursue this with respect to the treaties, I think it's always good to ask who wants them and why.
>> That is a good point.
We have heard from Francisco how the cyber discussion can derail into space not to say cyber cyberspace. But it is good to bring it to people. Security measures is not about a system or cyber but people at the end of the line somewhere. That is something that decision‑makers need to be reminded of sometimes. So to humanize and to share what's wrongly guided practices or policy measure can mean for people in a concrete way is an opportunity.
Now I think the rephrasing of multistakeholderism into multidisciplinary approach is very useful. To a lot of people, multistakeholder is an abstract term. In the governance circle the it means a lot but not in a lot of fields. Multidisciplinary is more useful. I am going to completely adopt that. But it is also good to see how multidisciplinary civil society groups and leaders actually are. I will recommend thinking more in terms of prioritizing and agenda‑setting because the risk is that a very large group of people from different disciplines, different parts of the world are talking to each other a lot and not coming out with key priorities to other disciplines. Not to say stakeholders. So, I think that would be an opportunity as well.
I will continue to focus on what we can do in the EU. I think it is a great example to here how in Chile you were able to draft laws and codes over there. This is a perspective we take on board each time we think about solutions; but especially with a new or not even so new anymore, but with the current President in the White House the US' role has dramatically changed I would say.
There were challenges before but many more now. So, normative rulemaking, a normative approach, rights‑based approach the EU does most convincingly. Not because I want to defend the EU, net neutrality, big tech companies. Where it's necessary. A single market where you can have security and human rights‑based form. This standard setting that comes from a place where democratic principles and values are the building blocks is an opportunity we should all use. That is also my answer to Marietje's: We should think about a framework. Treaties, I would be cautious about at this moment in time, looking at indeed what Kathy said: Who wants them and ask ourselves why, we benefits and what are the alternative ways to approach this. Thanks.
>> FRANCISCO VERA HOLT: I am addressing the treaty thing because I said enough already. If you ask if we want a treaty, have ground rules for cybersecurity, concerning privacy and leading to a better ecosystem, by all means. But what we will do in the 15 years that it takes to get the treaty done, what do we do to address the countries who will not sign the treaty. Coming to a solution for a problem that we have not addressed yet. What happens in ten‑fifteen years for that would take for a UN treaty of that level.
That issue is fragmented more in other ways. Who wants it and for what are the questions we should solve before negotiating on anything. Of course we will not be negotiating on anything.
>> PEGGY HICKS: thanks to the panelists for a very rich conversation. I don't know if you mean to ask me as moderator as well. I would second the final comment on the treaty issue. Not to say too much, but in the conversations around that idea, let me just say that I have been impressed with the fact that that it's more notional than concrete and those building blocks, the steps that would require a treaty or the issues that would be brought out by the discussion of the treaty are actually more important than that end result, in a way, and the concrete monitoring and independent information on what is happening in terms of cybersecurity and hacking in particular is something, for example, that could be brought out through the conversation around the treaty as an end post; but without the understanding of that 15‑year time frame that no one wants to wait and we have to use the tools that we have in the intermediate stage obviously as well.
So, thank you all again for contributing to what I hope is a great start to the conversation that's going to continue for the rest of the morning. Obviously thank you to APC for pulling this all together. If we could close with a wonderful round of applause for this panel.
>> DEBORAH BROWN: Thanks very much, Peggy and thanks for the panel starting us with a provocative and insightful discussion for the day. We have seen from technical and political perspective why a human rights approach is necessary also breaking down silos and learning to speech one another's language.
While we are moving around and welcoming the second panel, I will start off by introducing our moderator, who is Irene Poetranto, from Citizen Lab, a Senior Researcher on cybersecurity and human rights issues, Citizen Lab and one of the co‑organizers in an independent research lab at the Munk School of Global Affairs at the University of Toronto. I will give a few minutes for the panel to make their way here and reflect that all of the questions left off with ITU, new treaty, some of the developments that happened in the last year will be the subject of conversation for the next panel. So I will leave you with them.
10:15 a.m. ‑ 11:45 a.m.
Year in review: Overview of Current Initiatives in Cybersecurity and Stability
>> IRENE POETRANTO: Good morning, I am Irene Poetranto. I with work with the Citizen Lab in Toronto. Thank you to APC, Anriette, Deborah, Mallory, great work and the audience for being here Sunday morning. I am joined by distinguished panelists, Mehwish Ansari from Article 19, Crystiane Roy, GG; Kaja Ciglic from Microsoft, Lea Kaspar, GPD; Markus Kummer, IGF Best Practice Forum and Madeline Carr with Cardiff University.
We will reflect on the extent to which a number of cybersecurity initiatives and we are using cybersecurity to include information security, cybercrime, cyberconflict, have or have not adopted a rights‑based approach. Compared to a decade can did ago when only a handful of issues were raised. Now (?) cyber this or cyber that as Francisco earlier pointed out. And so our goal is to understand what the barriers are both real and perceived to a more consistent focus on rights in cybersecurity processes. So we have a lot of ground to cover. I am keeping my intro very brief here. We will proceed with Mehwish (?), then Crystiane and Lea, GPD process ‑‑ a lot of acronyms, (?) Kaja Ciglic on the Microsoft convention; Markus, Best Practices Forum. Madeline will discuss these fora as a whole and inclusion of human rights and the way forward.
Each panelist, you will have seven minutes each and just go in succession then we will open the floor for Q & A. I would like to ask each panelist to briefly introduce yourself and provide a bit of background on each of the fora you will talking about to provide context to our ends why. Mehwish, you have the floor.
>> MEHWISH ANSARI Thank you very much. As Irene said, I am a digital program officer with Article 19, an international human rights organisation that focuses on freedom of expression. The digital program works specifically on developing human rights considerations at the point of Internet infrastructure, Internet community infrastructure and providers to increase recognition of human rights and develop those considerations and into commitments.
I will talk a little about the ITU. In understanding cybersecurity we recognize that it's not only about the security of information but also the underlying infrastructure; and infrastructure is a particularly essential consideration. It is ironic when we think about infrastructure conceptually it encompasses the most physical layer of the Internet but the most intangible as the Internet exists in is our daily lives but it is essential.
It is the infrastructure that determines the flow of information across the network of networks. How that information flows where and who has access to it. If we think about the Internet as a civic space, then it's that infrastructure, whether we are talking about the physical aspects of the network or the standards and protocols and governance interoperability that really determine the potential for the Internet to exist as that civic space and one that enables human rights.
So it is in this context that I want to talk about the ITU. I know we discussed earlier today but briefly it is the International Telecommunication Union, a UN specialized agency that, broadly speaking, is mandated to develop policies and standards aspects of telecommunication structure. In recent decades this mandate has been bloated to accommodate a growing focus on Internet‑related policies and standards and more specifically in the past decade or 12 years or so, following the conclusion of the (?) process we see the ITU increasingly push to include cybersecurity as an essential part of its mandate and scope of work. This is really coming out of the WSIS (phonetic) process that the ITU was made facilitator building confidence in security.
So the ITU has used that platform as a way to push forward ever more into cybersecurity issues. But the problem is structurally and systemically the ITU is not a space where rights‑based discussions regarding cybersecurity can flourish. Simply because it does not have the expertise or the capacity to do so. So when we talk about the ITU in terms of its organisational structure we say it is fundamentally an intergovernmental organisation where member‑states dominate the conversation and multistakeholder participation is minimal.
In particular, when we are talking about the way that membership is structured or financial barriers to entry, let alone participation, it especially excludes civil society participation. This is compounded by the fact that there is a systemic lack of transparency. So, if you want to follow the discussions outside of the ITU, it's very difficult to follow decisionmaking as it is ongoing; one problem leads to another.
If the forum so particularly alienates the human rights experts needed for a rights‑based approach to cybersecurity, then the discussions will continue in the ITU, but the conversations of applying the human rights framework to the development processes just will not exist.
What is more insidious is, when we start seeing how rights‑related concepts like privacy end up being co‑opted to rubberstamp certain standards or policies that do nothing for the rights of users or, even worse, actually subvert the rights of users which we have been seeing more and more within the ITU. In terms of the multilateral nature of the ITU, this only exacerbates the securitization of what we are talking about, whether IoT ideation or mobile device theft, it gets couched latently in terms of national security.
I am talking about ITU because it brings up the broader point if we talk about cybersecurity; it is not just the nature but where the discussions are happening, particularly talking about a rights‑based approach. I think I will end there and hand it back to you.
>> IRENE POETRANTO: Under time. Great job.
Next, Crystiane, talking about the . . .
>> CRYSTIANE ROY: Thank you and APC for organizing this today. It is an essential discussion we need to have, if not at the forefront but in the minds of everybody who deals in cybersecurity issues. I am based in Geneva, work at the Canadian Mission and cover policy issues at pretty much every day I get time to spend at the ITU and very much endorse everything we just heard from Mehwish. I am going to talk this morning about the GG, a process that is fairly mysterious and we heard a discussion at the first panel this morning how when we got to the higher level treaty discussions or between states that it became very obscure and nebulous. Hopefully, I will shed a little light on that. So, just forgiving from Canada's perspective, initially when a country like us goes into a process like the GG of course we do it because cybersecurity ‑‑ there is no other purpose than in ensuring human security, that your wallet's not going to be stolen or your identity will not and your rights will be protected that is intrinsic to how we see cybersecurity. But when we get to the GG we come to a conversation and at the table there are countries for whom cybersecurity is not at all about that. Cybersecurity is exclusively about ensuring regime continuity. Right there you have had an image in your head of the Venn diagram where the two bubbles are there. Imagine the overlapping space that might be there. In fact it's a tiny if not nonexistent space between the two sides of this discussion.
Then there is the process itself: What the GG is. The GG is created, the full name is Group of Governmental Experts on Developments in Information Security in the Context of International Security. It is created out of a resolution that is in the UN First Committee of the General Assembly. The First Committee of the General Assembly looks at disarmament and security. It should be in the back of our head at the table ‑‑ the mandates of the different committees at the UN are fairly well delineated and there is a real effort to try not to walk on each other's flowerbeds if I can say that. The GG is created in that context, in a resolution drafted by the Russian Federation since 1998.
In 2005 we had the first GG; then there have been four more an that after that. One of the big constraints of the GG ‑‑ which from the outside you really wouldn't think about this ‑‑ is the size of the report that we have to produce. It's a report that has to have 8500 words. And in that report you need the list of the members of the GG, the executive summary; and you need the introductory letters sent to the Secretary General.
In the end, you probably have 4,000‑5,000 you words to write that report. Faced with that limitation we are going to choose to talk specifically about what the General Assembly mandates us with: Is to talk about information security ‑‑ ICT developments in the context of international security. So, during our discussions at the table, we will probably make arguments that relate to human rights. But when you see the report that comes out at the end, there is probably not going to be a whole lot reflected of human rights. It does not mean it was not discussed or we didn't argue about it, but the final report may not illustrate that very clearly. That is a shortcoming of the process and that is why, for instance, this year at the General Assembly, following the failure of the last GG to produce a consensus report at the end of it, the Russian Federation did not actually run a resolution; they decided to run a decision and the decision basically is just a statement of fact and it's not something negotiated. And the decision basically said we agree to keep this agenda item ‑‑ this item on our agenda for next year's discussion. So I think the Russian Federation, as well as many countries on the GG this year, agree that we need to think about what will be the next step in the international conversation on cybersecurity. Other constraints of the GG discussion and the context in which it is created: There is no mandate to talk about use of cyberspace by terrorists or to talk about cybercrime. The mandate is for state actions against other states. Again it is a really fairly narrow mandate. What else might I add at this point?
The reason why this year the GG did not come out with a consensus report ‑‑ I will take a step back before that. So, the first GG also did not create a report; there was no consensus. Although Canada was not at the able, of course we heard afterwards that the main reason why there was no agreement was because of the lack of recognition of the application of existing international law and this debate whether or not wire trying to regulate the content of Internet. The second GG produced a report. The third GG produced probably the most important report where members agreed international law should apply and the fourth how it applies.
We talked about creating norms and confidence‑building measures, that created work at the OFS they built confidence‑building measureses. That report created a lot of little measures everywhere to try to strengthen cybersecurity.
The last report failed because essentially we had, again, this Venn diagram where there was no overlap; where some countries were saying okay, if we are going to talk about how international law applies we have to look at all of international law; that it talks about countermeasures, about how you retaliate when you feel that you have been attacked.
Some countries were no, if you talk about this absolutely not you are trying to militarize cyberspace. We are not. We are trying to create expectations: If you do X, Y is the result you will get. Countries say we don't want parts of international to apply. Bring that further: If you don't want all parts to apply, what about human rights law? Does that apply? When we talk about creating a treaty, imagine that negotiation: We are still going to talk with countries for whom the importance is not human security but it is protecting the regime. The GG did not have a positive outcome this year because we could not agree on the basic premise, an international law applies and that includes human rights as well as humanitarian law. When we talk about the importance of human rights, this is why right now we are not ripe for a treaty. Thank you.
>> IRENE POETRANTO: Than you, Chrystiane. Lea, the floor is yours.
>> LEA KASPAR: It's the red button. (Chuckles) Good morning I am the Executive Director of GPD, based in UK, London. Our work on cyber and cybersecurity is twofold. I will try to summarize briefly. We work with partners around the world facilitating nongovernmental actors, cyber policy discussion and on the other hand our work focuses on making the discussions of cyber policies transparent and more inclusive. I am here to talk about the London process, the global conference in cyberspace, particularly the one that took place in New Delhi last month. Several people here were there and some people on the panel as well.
What I would like to do is actually use the conference to illustrate what I think are key trends that as human rights defenders we should care about rather than focusing on the comforts itself. But perhaps in a way of context actualizing, the global conference in cyberspace is the fifth iteration of a series of conferences referred to as the London Process, called that because it was efficiency set up by the UK government and the first conference was held in 2011 in London. Now it's important to think about why that process was started. Listening to Christiane, the moment in which the first London process conference was initiated was actually pre‑agreement within the UN GG. One of the motivations of the UK and the Group of Governments that decided to organize this was to try to move forward the discussion on global cooperation or find global consensus on rules of responsible behavior in cyberspace. Now if you think about the timeline back in 2010, 2011, 2011 the year the conference was held, we did not have agreement that international law applies in cyberspace at all. At that time this was one of the initiatives seen as a critical push getting us to that. And I think it is getting us to the point wherein 2013 the first consensus report in the UNGG but there was the agreement that international law applies. Fast‑forward to 2017, where we are now. And where the global conference in cyberspace was held this year.
Before the Indian government took on the mantle of hosting the conference, it was held by the Dutch. Held in the Hague in 2015 in an effort to move the discussion forward. I think what the 2015 conference gave us was quite a lot. From a human rights perspective it was quite a high bar in terms of how far we can push global agreement and consensus on norms in cyberspace. If you look at the Chair's statement back in 2015 we have strong commitments to human rights, to multistakeholder approach not to mention that the outcome was with all stakeholders in the conference. All of that is important to see where we got to in thinking about the historical context of what kind of was the challenge for the Indian government, to an extent.
Some of the people I have spoken to about this, what happened this year, will say nothing happened; in a sense, this process does not matter anymore. What happened in 2017 was basically the death of the London process. That is controversial but I think it's important to think about how much further this can go.
This is I think where I want to get to with the two trends that I think the conference illustrates. On the one hand, the global conference on global norms is stuck. It is a big question of whether we can move it forward through some sort of multilateral discussion or discussion where we have taking place at the international level. To reach consensus on these issues is becoming more difficult.
If you look at what happened the at the conference and the fact that initially the Indian government had the intent to draft a Delhi declaration, for all participants involved which was dropped in favor of a less controversial chair's statement ‑‑ there are questions ‑‑ different reasons that happened. I think part of it is ‑‑ speaking to some kind of back ground, when they saw the consensus document it was absolutely clear there was not going to be the draft. I mean there was not going to be consensus on this. It was dropped. The pushback was hard. Talking about treaties, how long it will take, who should negotiate, we should be critical about the feasible of that endeavor.
That's the first I think trend that's worrying but also important for us to take into account focus as human rights defenders. The second trend the conference illustrates I think is important is core discussions on norms in cyberspace are are becoming increasingly government‑led and dominated. And as a result, securitized, so they are being framed in a certain way, very much in terms of threat narratives.
I think, as a result of that, the spaces in which these discussions are taking place are more closed, less transparent, less inclusive, more difficult for a civil society to engage in. The conference itself was a very good example of that but I think that is happening across the board. We are going to see these discussions move into multilateral spaces more and more. This is a fact of life. We have to be aware of that, I am not saying it is good or bad. It is just happening. What Mehwish was talking about the ITU is seeing ways to expand its mandate is just another illustration, example of that.
I think just to kind of sum up this part of the intervention is on the one hand I think the global norm is stuck and the conference kind of illustrated that; on the second hand it was an illustration of I want to say involving governments reclaiming the discussion on cyberspace. Thanks.
>> IRENE POETRANTO: Thank you, Lea. Next we will have Kaja.
>> KAJA CIGLIC: Thank you. I will talk about mostly the Microsoft proposal on the digital convention. Building a little on the previous panel, also on discussions here. One of the points made is the trends on cybersecurity. We look at sort of the global policy landscape in general. We are publishing a report in early January.
In your definition you gave at the beginning of cybersecurity: Very narrow cybercrime, information security, network security. We have over the past year observed over 300 individual new pieces of legislation.
Over 100 countries today are writing laws mostly based on national security, as you said earlier ‑‑ when we talk about internet discussions, internet security that is important; but don't forget at the same time what is going on at the national level and what direction that is taking.
In terms of the digital proposal. Microsoft for sometime now has looked at the internet space ‑‑ the threat landscape but also the diplomatic discussion with a level of worry. We have since I think maybe 2012, so early ‑‑ not early but the middle of the UNGG process ‑‑ started putting forward proposals and ideas for what potential responsible rules of behavior for nation‑states should be. We strongly focussed them on the importance of adopting internet ‑‑ accepting the internet law as something that applies in cyberspace and also trying to understand and further the discussion on how it applies.
The last years have seen that even if there has been a level of agreement, the last UNGG, to an extent that was controversial, how it is applied and interpreted is there is a level of vagueness, perhaps deliberate, left by the nation‑states in this space.
The reason we are increasingly worried about this is that we have seen nation‑states arm themselves in cyberspace. While you probably have a few really capable players that actually to an extent basically act fairly responsibly with their weapons, what we have seen in the past few years is the dramatic expansion in capability across the world.
I think the US earlier this year said over 40 countries have cyber offensive capability. I think Canada came back a few months ago with a slightly higher number; and Russia at the conference in New Delhi talked about over 100 countries. You see reports of countries as diverse as Denmark and Zimbabwe. Don't just think about Iran, United States, Russia, Israel as your top five. North Korea. With the ‑‑ as was said earlier on the panel, politicians see cybersecurity as a magical space and don't invest in effectively and enough in defending their networks.
So, at this point, where you go from limited defensive capability into suddenly you have access to weapons that could profoundly damage not a particular target but a whole online environment because it is all connected and it is really difficult to develop cyber weapons that are targeted. That is the bit that started worrying us over the past few years.
What we came up with was a set of proposals at the convention which is largely an aspirational goal. It has been designed to start debate ‑‑ encourage debate, to sort of try and get us out of this basically inability to have a discussion at an internet level but also to make sure that we don't just give up on this process. But the process continues, the conversation continues and we make all efforts possible to actually make progress and adopt and hold government ask thible to a set of behaviors. The proposal itself has three different parts; one is the idea of creating an internet attribution offerings some sorts to bring light on what is actually going on on the networks. That is a proposal we put out there for discussion in terms of whether this is a business‑led plus academia plus civil society plus maybe governments but we are not sure. That is sort of a discussible approach.
But the idea is to find technical data not necessarily politically to attribute but to have data that allows us to see where attacks are coming from. In the spring, there will be a call for the industry to do more. For the industry to commit to not do certain behaviors. So, when we call on governments: Please don't insert backdoors. Also, have the industry come together to an agreement saying we won't accept backdoors, at least knowingly, in our products. We won't help new offensive operations if you call on us.
Sort of a set of principles in that way. Work with the civil society to encourage capacity building. The one I think is most controversial, that stirred the most debate, was a set of ideas on this potential convention treaty. You can read it out.
We put forward I think about ten different proposals; things like don't stockpile vulnerabilities; do not engage in offensive operations, install backdoor; don't attack infrastructures or certs; a set of callouts to government; and they have largely been focussing a lot like INGG on military actions in cyberspace. In times of peace.
We have not seen a full‑on cyber war but we see these attacks all the time now. We specifically also called out sort of a need for there to be dialogue on this. We, a little like civil society, feel this is a dialogue that is very government‑to‑government driven. We have some of the technical expertise helpful in the discussions but are similarly excluded. Also we have called for a very narrow interpretation of the convention. We very clearly do not want to introduce restrictions on content or freedom of specific speech. That is sort of an intro.
>> IRENE POETRANTO: Thank you. So now we will have Markus, please.
>> MARKUS KUMMER: Thank you. I am Markus Kummer. For the first five years I was (?) the Secretariat. In 2013 introduction (?) chair and (?) 2014 facilitating, co‑facilitating the Best Practice Forums. That allows me to maybe give a brief background introduction on how they started and that is very much in response to the question: Treaty versus nontreaty. The thinking was treaties may be useful but it will take time to get there and we cannot wait until we have a treaty. We have to do something.
The idea with Best Practice Forums ‑‑ 2007 we provided slots for Best Forums. The idea was we learn from each other and encouraged those who staged them to explain what they would do differently with hindsight, learning from mistakes can be more interesting than looking at the perfect example.
Unfortunately, governments have been quite keen in engaging in Best Practices Forums. They never made mistakes. Everything was fine the way they did it. It was more a beauty contest, did not fulfill our goals. In 2014 we lead Best Practice Forums, were able to provide more Secretariat support and in this area of cyber ‑‑ already various Best Practice Forums. IPV 6 and IXP's. These are narrow themes and produced I think very useful outcome documents.
In the space of cybersecurity we started with unsolicited communication, spam and also have C‑Certs for two years. There again it showed that the outcome was a tangible outcome that can produce you results. For instance, we used the documents that came out of the C‑CERT Best Practices Forum as attempt to use their own forum. That asserts the value of a Best Practices approach, bottom‑up convergence seeking rather than top‑down negotiation of a treaty.
Having said that, I think I agree very much what was said on the previous panel on treaty and also on this panel. I certainly appreciate the aspirational goal of having a treaty. We need to do something. We cannot wait until we are there. The Microsoft proposal, the attribution center, is an interesting aspect of moving forward.
But back to our cybersecurity for this year, in a way we merged the C‑Certs on spam and last year had the best forum on cybersecurity. That clearly said we look at it as a multi‑year project.
And this year, then, it was ‑‑ we linked it to the other intercessional work of the IGF connecting and enabling the next billion and looking at how cybersecurity can contribute to sustainable development goals. A rights‑based approach is very much a part of that.
At the centre when we started the discussion, it was very much brainstorming; what can the IGF contribute? What is the sweet spot of the IGF; and clearly it is ‑‑ breaks down the silos that was mentioned in the previous session: That we have a tendency to think and work in silos. The IGF is the place that breaks down the silos.
I liked what ‑‑ the point Kathy Brown made, maybe we should talk more about multidisciplinary approach. Multistakeholder has become a bit of a mantra and a bit meaningless. Once everybody uses it; when it is really not multistakeholder, in the IGF it clearly is. Every stakeholder participates as an equal. But most of the other organisations that use the term, they are not really that multistakeholder. So, maybe multiidisciplinary is a better approach and cybersecurity is a space where we do need a multidisciplinary approach and this is very much the work of the Best Practice Forum on cybersecurity.
I don't want to claim merits for work I haven't been doing and I recognize that our lead expert, Maarten van Horenbeeck ‑‑ maybe you can raise your hand ‑‑ is in the room and he will be on a later panel and Matthew Usher will be on a panel, is actively involved at an expert level of this Best Practice Forum ‑‑ that allows me to give a commercial: We will meet Wednesday afternoon. This year ‑‑ originally they have been designed to feed into the main session that is connected to it. There will be a main session on cybersecurity. That will actually take place ahead of our Best Practice Forum. In many ways that is a benefit because it will allow the Best Practice Forum to reflect on the discussions that have taken place. There are many sessions on cybersecurity. So, we will be able to wrap up and to incorporate that into the Outcome Document.
But I think I can close with that and, once again, I think when we look at the various spaces where these discussions take place ‑‑ and the London process is one of these spaces and they shows how difficult the discussions can be and the IGF is the only truly multistakeholder, multidisciplinary space where everybody can participate as equals. We clearly do need all of the voices, the legal, technical voices and also the civil society voices to monitor, in particular, then, human rights aspects. Thank you for your attention.
>> IRENE POETRANTO: Thank you. Madelyn, the floor is yours.
>> MADELYN CARR: Thank you very much. I am an international relations scholar. I am not at Cardiff University. I have moved recently from a very good international relations department into a faculty of engineering. I did that precisely for the reasons that Kathy Brown articulated in the previous panel: I firmly believe that these global challenges around issues like cybersecurity cannot be resolved within a single discipline; and it is absolutely essential that we work across disciplines to kind of come up with creative and innovative solutions. I worked on things like cyber norms, Internet freedom, multistakeholderism and now am part of a research hub in the UK. About 40 million‑pounds of financing looking at cybersecurity aspect of the Internet of Things and specifically at government and policy dimension of that.
I found both the panels absolutely fascinating this morning. I think I can make some comments that can kind of link them together. I guess one of the mainstream that has come out of this ask that human rights in the context of cybersecurity is being discussed in different fora, the different languages than national security that tends to dominate the discussions about cybersecurity.
We have heard a lot of interesting reasons why that is; why these discussions are in some ways siloed and separate from one another. The reason the language that came up over and over again on the earlier panel. The different concepts and points of reference that we use to ‑‑ things like organisational structure ‑‑ don't worry, that happened to me before ‑‑ that Mehwish pointed to, not being suited to having these conversations. Christyane discussed, as mundane as the word "report" that keeps the conversation very bounded and focussed, for better or worse. Also this point that Lea made about the prominence of multilateral forums where these discussions take place. I agree with her: I think we will see that in the future. Marietje made the point on the previous panel: We can't discount national security or avoid the kind of implications that cybersecurity and human rights have for governments and for policymakers. She suggested that, if we come up with a solution that does address those kind of political aspects we might see some forward momentum. National security is a very powerful language and not a language that's easily got around.
But what I want to suggest today is perhaps if we think about human rights as not at odds with national security but as a constituent element of it, and I want to suggest there is a way to do that that I see that comes from international relations.
Human security can certainly be discussed within a state‑based approach to national security. This is not a discursive leap but a conceptual link. Ideas of human security are used in international relations in thinking about traditional non security issues: Food, climate, water security. These kind of security elements that don't exist specifically within borders and require a kind of a joined up thinking.
Human security approach asks different questions than a national security approach. It asks questions about: Security for whom? So: Who are we actually ‑‑ what is the er reference point? The economy, the state, the system; or in a human s approach we have to ask who are we actually talking about security for. I would say we bring it down to the individual, we are talking about human beings. The security approach also bubbles up: From what? We can see from what Christyane is saying some actors would say we are protecting ourselves from political instability. From terrorism.
In this room, I think we would say we are protecting ourselves from the human rights abuse. This is the core focus for us. Human security: Security by what means? how do we do it: Through technology, through policy and regulation, through a treaty or through norms?
But the fundamental question that also arises from a human security approach is the question of what happens when the state itself ‑‑ which in international relations is meant to provide security ‑‑ what happens when the state itself becomes the source of insecurity. So when we think about issues of surveillance or human rights abuses by the state through intrusive measures. The human security approach allows us to ask the questions, doesn't put human rights at odds but embeds it with national security. That is a powerful way to think about it.
I would say these ideas have been developing in my mind as I work on the Internet of Things because it is so granular, so human; it is about human beings in their house, with implantable medical devices in their bodies, human beings moving through their environments from work to home; and this makes us think about cybersecurity in a different way, in a very individual, human way. I hope that joins some of the conversations together. Thank you.
>> IRENE POETRANTO: thank you, Madeline. I myself can barely keep up with the discussions. I thought the panel gave a good overview of the discussions going on so far. I would like to open to the floor for questions. Anyone?
>> Perhaps people are shy. I really want to make a point that I kind of hoped was going to come out through the discussion but I don't think it has. It has to do with how we are framing this discussion. I think to a certain extent from a human rights perspective ‑‑ what Madeline was saying about ‑‑ if we are focusing on this discussion: How to stop human rights abuse. If that is the mind frame we are going into this discussion. I think focusing on the global level might not actually be where we are focussed.
Giving an example, Kaja mentioned it, the number of cybercrime policies, laws, policies, at the national level that have been proliferating, increasingly that are problematic, that is where the biggest threat to human rights is happening. If we are talking about where we can make a difference, having in mind how stuck the global conversation is about norms, my suggestion would be focus the work on at the national level; on stuff that can ‑‑ if you can, obviously, where you can work with the government, to try and shape those policies and legislation. I think that is important. If you keep talking about ngoing to this commission, to the IGF, with all due respect to the IGF; but if we keep looking at that, I don't think we are focusing on where the biggest threats are happening and we can make a difference. As opposed to state on state, where we can engage with great difficulty. Thanks. I wanted to make that point.
>> Thank you. Doing research in the Global South, I agree with what you just said. Aside from the national level, there is room for working at the regional level as well, a lot of discussions are going on in the Global South not just to the global level. Your comment has sparked some questions.
>> Thanks for that. Actually I want to echo that last comment. There is a lot going on now with the global commission on cyberspace, the proliferation of various issues just as the GG (?) That gets you to a point in the global conversation. But I agree where the rubber meets the road is what is happening nationally. What I see in that ‑‑ saw in my old job at the State Department is that multiple countries ‑‑ and we encourage this ‑‑ are doing cybersecurity strategies. That is great. But if they are not as part of that factoring in human rights ‑‑ thinking of all of the issues, not just the security issues, you have not human rights friendly or laws to prejudice human rights.
One of the things from a government policy and civil society perspective is to work with the governments as they are developing the strategies. When you talked about regional efforts, the OAS is doing regional work developing regional cybersecurity strategies, a components of that is talk about the sues. In Africa and other places we talked about the human rights and security aspects as well. Not the global groups should be ignored certainly foremost in thinking about this but locally important to look at the national efforts at, we encourage them to do these national efforts. Thank you.
>> I am standing here because I don't have a mic on that table. I you wanted to pick up on the language and goals definition and build on what Chris just said, if you stay in the cocoon of human rights it is hard to reach the people dealing with hard score human rights issues. Don't want to be undiplomatic. A lot of people in the security field see focusing on human rights as a hindrance. The ones who are protesting, as I mentioned. The ones saying you are getting it wrong.
I think what you want to talk about isn't how you can achieve security, cybersecurity or national security or both while preserving human rights and appreciating what we do in (?) democracies or the EU in my case: It has a ripple effect. It is usually instant, people beating demonstrators or UK intelligence servers destroying hard drives. It doesn't take more than a day to say to Turkish (?) don't arrest demonstraters. They remind you . . . the countries that come with a promise and the rights guarantee in principle continue to deepen and translate those in other areas.
I think what you want to avoid is that your whole discussion gets categorically outcast because it is seen as a nuisance instead of a key ingredient to the solution.
>> Can I also ‑‑
>> IRENE POETRANTO: Sure. Go ahead.
>> I would really agree what was talked about. Events happen and discussions effect. Europe does have, we have seen again and again, a really strong effect on legal adoption as well.
I think we saw the European Union over the last ‑‑ three years now, roll out a directive on network information security which looks at critical infrastructure and we are increasingly in discussions with governments around the world now see that they want to do something like this. They basically look at two models because there are two of legal framework, the EU and the Chinese. That is basically the option. We see a lot in reality copy‑and‑paste. I am noting and assessing what good practices are; and copy‑and‑pasting is a bad thing. It is good. But more thought should be going into it.
I also agree the human rights challenges are really at national level. I think we are seeing in particular in the Middle East and Africa, the proliferation of cybercrime laws that take the interpretation of what is the threat of national security far from what we see in Western democracies. Models like the Budapest Convention on cybercrime is something developed, can be adopted but needs to have almost an interpretation going. So it doesn't sort of take Western concept and put it in a different environment where some of the definitions might be interpreted really differently.
>> IRENE POETRANTO: Thank you. Markus, go ahead.
>> MARKUS KUMMER: Thank you. I couldn't agree more with Lea's point that that level you have the impact. They are not part of a master plan but emerge spontaneously. They are here now. This is one of the most powerful messages that comes out of the IGF in terms of approach and process: You need to have a multistakeholder process. To pick up on Chris' point, when you develop a national strategy, make sure you do it in a multistakeholder setting, invite all of the relevant stakeholders around the table. Unfortunately, this doesn't seem to be the case in all countries. We heard about Namibia. We had the IGF in Namibia. Through that you can also have an influence and impact at the national level. In many countries, it actually had an impact: That governments started talking to the other stakeholders, to the technical community and listened to them and their concerns so whatever they decide is not detached from the technical reality. I think this is an important message that comes out of the IGF.
>> IRENE POETRANTO: Thank you. Crystiane.
>> CHRYSTIANE ROY: Yes, building on what Marietje said this morning, the importance of educating lawmakers. Even in Canada we have had Internets since 1994, fairly broadly used there are many lawmakers who still don't understand how it works. So the whole education and capacity‑ building component is still superimportant in a country like Canada. How challenging is that for lawmakers in LSC's and developing countries where the technology is just starting to be introduced.
So, just understanding how it works, how the technology came to be in this multistakeholder fora is a key component of resolving our problem of ensuring that when you make cybersecurity or national security legislation, it impacts the protection of citizens. The GG this year's report is all‑or‑nothing. If you don't agree on everything of the report then you don't agree with even parts of it and parts talked about the importance of capacity building, of doing exactly that. But unfortunately, as the parts on international law were rejected, all of the capacity and confidence‑building measures were thrown out the door. That is a very unforntunate aspect of the GG report not having reached a consensus this year.
>> IRENE POETRANTO: Thank you.
>> To also comment, Lea, yes, it is important to work at national level but there is a degree of deadlock that happens at that level because there is no common language and I think to create that common language and to go through the terminology issues, you have to work at the global framing as well as the national level.
I think Crystiane mentioned the national as regime security. It is difficult to have a conversation at national level about national legislation when the approach that is behind that legislation is regime security masking as national security. If there is discussion or framing at the global level that that problematizes, that is hard to raise at the national level.
One thing civil society can do which we don't do enough is talk about cybercrime. We are so concerned about cybersecurity and the human rights abuses concerned in cybersecurity legislation; and if it's to combat cyber insecurity, we do not engage the practical daily level of crime. Don't work with the agencies addressing that ‑‑ look at the level of fighting crime effectively, work with the law enforcement agencies.
The Internet jurisdiction project is an interesting project that looks at the level of practical collaboration. I think that will give us more knowledge and will form new multistakeholders. We won't just talk to the talking heads but to the law enforcement agents using that as entry point, is something I would like to see civil society do more of.
>> I would like to pick up where it was left in the previous session. Talking about multidiscipline, history to the analysis of world problems. History is a very important teacher. Therefore I think when talking about solving problems at a global level I would argue the place of history. In this context, I would like to talk about how the language of the human race worked in developing countries. To restore two problems simultaneously, national and global, I would appeal we don't lose sight of either. If you look at cybersecurity from a human rights perspective, I would like to step that to imply human rights and well‑being of the global sense, the global compact referred to in the previous session.
Here I would like to draw attention to the invasions of privacy that arise. A kind of rapidity to consensus on global data flows they are moving to even while we deride the ‑‑ we don't want to talk about treaty at a global level because we believe we should have (?). We cannot deny this, I think, to draw attention back to the fact that a certain global consensus process that does give place for developing countries to build norms is essential.
And in many ways let's not forget that it's just 5% of say SME's in developing countries that are online. In many of the treaties, the UN and US are benefit. I would like in a cybersecurity debate we look at how we tend to look at invasions of privacy from an angle that lets go of debates around localization and the fact that Australia or New Zealand do have partly localization policies. Thank you.
>> First I would like to respond to the lady from the EU. The question that I am always struck with when I hear such comments is ‑‑ I mean, in civil society we didn't decide to just do this. But why are the people in the national security clusters not thinking about human rights when they are thinking security and when we raise the issues of human rights, they say you have to think about the security issues. But why aren't they thinking about human rights when they are doing what they are doing? That is something that always strikes us in the context where I come from.
And ‑‑ I mean, I am listening to all of these things ‑‑ I mean, hundreds or so cybersecurity, cybercrime frameworks have been installed over the last while.
I can't see how they can not be a standoff, confrontation between national and global civil societies. I can't see us as having civilized discussions going forward around these issues. Even within civil society in Namibia at the moment we are fracturing because there are some of us saying we need to speak to government, address it at their level and others say these people aren't willing to listen to what we have to say.
So the fracturing is even happening at local level within civil society. We are at a stage where we cannot avoid polarization. We cannot avoid confrontation between civil society and government and possibly the private sector. It is probably going to escalate upwards into regional and global levels.
>> Thank you. One more from Mallory then I will give the panel a chance to respond.
>> Thanks. I like to focus advocacy locally and using ‑‑ my question is to Lea and Mehwish: Best Practices, what do you expect from the shift of building alignment not just with civil society to do more local advocacy but the role of the stakeholders in the other spaces to build the capacity and the sort of organized, coherent voice when we go back to national contexts to do our advocacy policy there.
>> IRENE POETRANTO: Thank you. Lea, would you like to respond?
>> LEA KASPAR: There are a couple of things I would like to pick up on if that is okay. But I think there is a thread linked slightly to what the lady over there was saying: Take an example of privacy, if you worry about that, how that is taking place, then linking that. What you can do. How that's being undermined potentially through cybercrime legislation and what you can do at the regional global levels, use global agreements to push change at the national level.
One thing, doing with cybercrimes, on point ‑‑ Budapest convention was mentioned already. This is a treaty that countries can sign up to. It is not a treaty. It was passed by the Council of Europe. Therefore, because it has come from what is seen as a predominantly Western origin, developing countries have ‑‑ it is just how it works, COE countries signed up.
What happened since, a number of other countries have decided to join. The Budapest has a data protection provision. If your country signs up to the Budapest, that gives you the ability to argue to push for stronger legislation at national level. When cybercrime has privacy implications, is discussed at a national level, it does link. What I am definitely not saying is it's not looked at at a global or regional level. It is aligned in a vertical sense.
Just the impact, Markus said, the impact is happening at the national level. There is a way of linking that. Maybe Mallory, to yours, I don't have a kind of a how do you say, the turnkey solution to what we should do. It's . . . one of the values of the IGF is actually to have that discussion. For us as a community to decide our priorities and what we jointly could focus on to create the linkages both vertical and horizontal, horizontal meaning geography.
We can talk more about it. I have some other ideas as well. But I will stop there if Mehwish wants to chime in as well.
>> MADELINE CARR: Lea put into words what I could never do so eloquently. But really my . . . the issue is when we are talking at the ‑‑ about these ‑‑ we have been talking a lot about silos. That is part of the problem. What we are doing today is talking about our experiences in different forums. No one has been at all of them and can talk that. I advocate doing more of that: Breaking down silos through discussion. Even in civil society we are not talking about what is going on in the spaces, what trends are happening, where the conversation is moved, stalled and in what ways.
Again, there is no cure‑all, but I think that the value of discussions within ‑‑ with other stakeholders ‑‑ being able to break down silos discursively is very important for a step that we can't overlook. Thank you.
>> To your point earlier: It's important that the civil society engages with the technical community. Law enforcement as well. There needs to be greater awareness and debate how the laws manifest themselves in the technical sense. The other thing ‑‑ a point made earlier today: Governments do have a responsibility for security, including online.
How that is defined depends but you will never be able to move it away from that context. You probably shouldn't. It is a core government spot.
Understanding and driving understanding that these go hand in hand even though there is tension in it, I would try not to move away too much from it. Contrast, data protection and security: They have to come to go together. I think this is sometimes forgotten in some of these conversations.
>> Seems we are a boring panel. We agree on everything.
>> Great harmony among us. I will not disturb the harmony. But the responsibility of various multistakeholder groups has been within us. Some may say we have equal responsibility which actually works on the IGF, non‑decisionmaking roof. It is a forum for dialogue. Here all stakeholders participate as equals but we have to step there are different roles and responsibilities for lawmakers, governments, law enforcement. Civil society for instance remains essential. I think it is a watchdog function absolutely essential. But to think that every stakeholder group has the same function is somewhat naive. But we need to include them and need to be better actually at realizing the strong point sweet spot of each of the stakeholder groups. This is also part of the discussion on the discussion of cybersecurity: That we try to define, narrow down the functions of each stakeholder group. Once again I think it was an excellent discussion.
>> IRENE POETRANTO: Thank you very much. I am not sure I fully understood your question Anriette but you talked about raising it to international level discussion, human security being a component of you cybersecurity. You know as well as I do that many of the countries that do what they do for regime security purposes when come to international fora will say they are abiding by human rights and protect the rights of our citizens, interpret it differently but we do it. I am not sure in the end we can raise it again and again. It's not lost but I am not sure it will have a concrete result on the ground.
To talk a little about Namibia's ‑‑ civil society is a multiheaded animal. There are people in civil society that within their own country have a scope for engagement. That is very limited; that if they wanted to engage more, they would get arrested, go to prison. Even if they disagree with their government policies, the possibility for them to engage is not possible.
As you have different levels of government, you have different levels of civil society. Development and ability to act. Not because they don't want to but because of the actual constraints in their own environment. Finally, one of the last things I don't think we talked about here enough and maybe, Markus, I will be breaking the harmony, we talked about the proposal role of private sector in security. All of the tools that we use are emanating from the private sector and there is a drive for well we have to make sure this.
Product gets out there ‑‑ sometimes that means we cut or censor on security. I make a censor talk to (?), to my phone, I am not a cybersecurity expert. That is not what they do? They put out problems products that create more vulnerabilities for all of us users. That is a huge part of the discussion.
I am not sure how we will get there because at the same time as a government we want to enable our private sector because it drives the economy forward. So there is this ‑‑ here there is also this challenge that we have. We haven't really talked about it here. It is an important consideration in our discussions, I think.
>> Super discussion. I guess in closing, I would say that while I agree with the point that human rights on and offline frankly are kind of affected at the local level, the national level or ‑‑ yeah, national level, really. The potential of a global system like the Internet is that the global community can have this kind of downward pressure and also can set an example better or worse as Marietje pointed out. Yeah, human rights is always enacted at a local level through legislation. But the point of this is that we are talking about a global system and we have this potential to have this kind of global yeah downward pressure. I think the starting points for understanding the complexity of cybersecurity which in itself we all recognize as a meaningless term, going back to the human security thing. Cybersecurity for whom, for what, more what means. Getting to the heart of the complexity of these issues is understanding, I would say, how to weave ‑‑ how to introduce this into the conversation in multilateral forums because it is not a problem introducing human rights into other forums.
The difficulty is getting those into multilateral forums which are not going anywhere. A really important point of focus is how we integrate the discussion about human rights into global security, national security frameworks.
>> Thank you. I know we are standing between you and a much needed coffee break. That is a good point. Thank you to APC for putting together multidisciplinary. We have academic, private and civil society represented. Please give our panel a hand.
(Recess taken 11:45‑12:15 p.m.)
>> DEBORAH BROWN: A reminder, we are coming back 12:15 for the next panel. So we have around 25 minutes.
Panel: Deep Dive on Cybersecurity and Human Rights Issues
>> DEBORAH BROWN: We are going to begin our third panel today. We published a document that outlines the key developments discussed in the last panels and today. This panel picks up where the last left off, looking at more national context on cybersecurity issues and diving deeper on technology issues. Our moderator is Lucie Krahulcova. She covers unfolding European legislation issues in European cybersecurity strategies and several areas under the digital market. Her key focus is export control, data retention, encryption and she coordinates the Global Network Travel Coalition. Over to you, Lucie. Thanks.
>> LUCIE KRAHULCOVA: Thank you. Thank you, APC, for organizing this entire event. Unfortunately, I managed to miss the first part of the day due to my inability to register on time. Thanks for joining us today. Hopefully we can keep it lively and interesting and continue the discussions we had.
On a more granular level, I will briefly introduce the panelists joining me here today and I will ask them to present an opening statement after which we can go into questions. If there are issues you want to discuss in this little forum here, please feel free to bring them immediately, otherwise I have questions that we of course can go down the road with. On the very left, I guess that will be your right, is Luis Fernandez, the Executive Director of Digital Rights Defense, Mexico. Maria Paz Canales, Executive Director of Derechos Digitales, based in Chile, development, defense and promotion of human rights in the digital environment. They have fantastic stickers.
Next to me is Maarten van Horenbeeck, a Board Member and former Chairman of the Internet Response and Security teams, also known as FIRST. He is the Vice President of Security Engineering at Fastly, a content delivery network. He was on (?) Google and Microsoft. He worked as an expert on the Best Practices Forum, BPF. Many of you are a member. Maarten wears many hats. Thank you for joining us. Maarten, you were last in my intro. If you wouldn't mind kicking us off ,we would appreciate it.
>> MAARTEN VAN HORENBEECK: I will be happy to. Thank you very much, first of all, for the opportunity to be here today and speak with the wonderful panelists and with you all. I would like to start off with a statement that I think takes things into a slightly different direction than is typical. The protection and human rights is something that cannot be disconnected from cybersecurity in general. The reason that is the case is because cybersecurity in a way makes sure that the technologies that we have come to trust every day work in ways that are actually trustworthy in that they do what they tell us they will do.
There are challenges with that concept. The biggest and one that came up quite a bit this morning is that it really depends a little from the point of view of the different stakeholder groups; and in particular I would say the states, whether that is what exactly you consider to be cybersecurity. When a state starts investing and planning for cybersecurity they can come from protecting economic development, social individual rights and from the national security angle. That setting of the priorities actually ties into where a state or any stakeholder group, whether private sector or another type of organisation, invests in cybersecurity. There are a number of places they might invest: Defensive cybersecurity, making code more robust and secure; on building detecting controls when something goes wrong and invest in response.
This is important, because where you invest makes the decision of what technologies you invest in. That is of concern to many stakeholders groups, particularly human rights defenders. If you invest in a technological path that is abused in the future you may end up in problematic situations in the future. That is something to be thought about.
It is valuable when a state invests in cybersecurity technology and they know where they come from in terms of priorities that they need to do that with a bottom‑up approach, getting different stakeholders involved, having discussions, debates on what is and isn't acceptable in cybersecurity based on needs rather than what other states or organisations do that may come from a very different place.
Finally, as those technologies get selected and implemented there is a really important role for civil society and the technical community to work closely together. There are many ways we can make technologies more robust and better at protecting human rights. One way is by looking at the rights applications of the technologies. In the ITF there is a group working on the human rights impact of specific security technology. That is a great place to invest time as a technologist or a civil society member.
Finally, as a technical community we can and are doing work to make sure we set expectations clearly as what we do as engineers and what the boundaries are around what we do.
Within FIRST, the community I represent here, we have an ethics working group where engineers and teams come together as what we do as emergency responders and how the expectations are aligned with whether civil society, private sector or governments that rely on us. I think there are a lot of opportunities for us to work closely together around those issues. I think more time would be a valuable thing.
>> LUCIE KRAHULCOVA: Very clear. The point about investment and how it will dictate the future, I think that is super important and also that is where most traceability comes from if you follow the money. I think that is key. Maryant, if you want to follow up, thanks.
>> MARYANT FERNÁNDEZ: Good morning, everyone. Thank you to APC for this opportunity to speak to you today. We were given a broad question about making a statement as to why the human rights component should be addressed.
I want to focus on two specific points. The first is related to something very connected with what Maarten said, which is that nowadays we exercise rights in this space. This is integrated to our daily lives as persons in the society that it's not separated any more from the exercise of rights in the physical space.
What we need to look at when we look at cybersecurity in the digital space it is pretty much the same concerns when we look to the security in the physical space in the sense that we have to be in an environment that enables the exercise of rights. Not only political rights but also economic, social and cultural rights. When we look into cyber policy not only about how to enable the protection of people like consumers but more a subject with agency.
We should focus our analysis in the framing of cybersecurity policies in how we enable that technology that people need to use in the daily life, getting services from the government, from private companies or to communicate or simply to exercise freedom of expression, assembly or organize themselves; is able to protect these rights which we already in some way recognize in the physical space for the international human rights framework.
I know it is problematic when we introduce the human rights language in the conversation. But if we frame this issue also in again the economic and social aspects the government embraces, rights in the cybersecurity discussion, I think we will engage in a better way with governments and private companies, about the benefits of having this approach in that discussion. That is my first broad point.
The second is that human rights discussion in cyber policy matters because human rights defenders need to do their job in this space. How governments use technology to subject defenders ‑‑ subdued their capabilities. These tools are essential for us doing our work as human rights defenders. So when we talk about cyber policy, it is related to some kind of threat which can be external or internal. We see in the case of surveillance technology in cybersecurity, the government has the course of ability to prevent the work of the human rights defender. That is something we need to be aware when discussing the cyber policy and put that point on the table also not only to restrict the possibility of a ‑‑ confront an external threat but also to limit and to frame a responsible behavior of the government using technology in cybersecurity for internal purposes. Thank you.
>> LUCIE KRAHULCOVA: Thank you for that. You went straight into my questions. That is perfect. I think that is a lot of what frames this conversation. I was an at OSC event a year ago where we discussed something like this. I had a baffling exchange with the representative from Azerbaijan.
I criticized surveillance, said it does not function the way it should, violates human rights. He said the first right we are trying to protect is the right to life and we achieved that.
I picked that argument apart. But he gaved me a baffled look when I said there are other rights that have to be taken into account when these government policies are formulated. I think you are hitting the nail on the head. It exists in different places across the world. Luis, can I give you the floor?
>> LUIS FERNANDO GARCIA: Thank you. I don't want to repeat a lot of what has been said in previous panels or this. I will jump into this conversation that has been going on during these panels and give a little perspective of the local level in Mexico, for example: We have been talking a lot about human rights language. It was explained perfectly how it is important for human rights to be embedded in policies on cybersecurity and we have been talking a lot about the language. It is very important if we ‑‑ and I think there is a lot of progress happening at the local level in countries at least mentioning human rights language inside the cybersecurity discussion. However it's important to be careful that this be language of human rights is not a way for government to ‑‑ it is easy to put in a cybersecurity human rights, you need respect human rights. But if there is no mechanism to oversee or monitor compliance of these principles, human rights language might become a tool for totalitarian governments to be able to show that: "Look, our policy says human rights" although in practice there is nothing resembling the compliance with that principle.
I think the Mexico situation is exemplary in the sense that there are these contradictions between this country that has the cybersecurity policy published that talks a lot about human rights and centered on humans but at the same time is spying on human rights defenders and journalists with malware attacks.
I think it's important to draw these contradictions, because I don't think it is really evident to them that this is a contradiction. The cybersecurity narratives ‑‑ particularly malware attacks. Think about it: Our government is spending millions of dollars on a company whose whole business model is finding holes ‑‑ security vulnerabilities in hardware and software. Not only is Mexico not investing in defensive cybersecurity, it is actually feeding these offensive attacks ‑‑ endangering the cybersecurity of everyone in the world.
Drawing these contradictions between what government is starting to say ‑‑ it is good they are starting to at least say something about human rights in their security policies, but we need to build mechanisms internationally and nationally, locally to make government accountable for these contradictions that it's very harmful that they get away with.
Probably in the conversation we will talk about this more it is essential that we go deeper in the conversation. We have been talking about tension between the human rights and cybersecurity. We should explore it more. In Mexico, the way national security is interpreted and defined is way broader than other countries might think about. In the national securities law of Mexico, it says that it has to also do with stability of the state, which is interpreted as stability of the government and everything that makes corrupt human rights violating system unstable, journalists, human rights defenders is something that is a legitimate target for national security agencies to attack, for example.
I don't think Mexico is a bad apple. I think it is a fundamental problem with the national security narrative, in contradiction with democratic principles at large.
I think we need a conversation that is not isolated also to cybersecurity issues just as we are doing in Mexico: Working a lot with many civil society defenders, human rights organisations, defenders, challenging the notion that national security is this holy, magic, secret place where they can do whatever they wan and you cannot even talk about it or know what is going on. That is something we need to challenge on that basis and that level and draw the lines to cybersecurity positively. Because if we let cybersecurity not escape that bubble of national security secrecy and unaccountability, there is little we will be able to do to make progress on this topic.
>> LUCIE KRAHULCOVA: Thank you. That is a great entry. I had an intro but you all managed to cover all of the points. This is how you can tell as a moderator that your panel is exceptionally prepared. It is hard to interrupt and keep time when people discuss the points you want to be making.
We want to do a deep dive. We get stuck in this contradiction and clash. I see repeatedly that there are mutually enforcing concepts here and a value chain we can follow and prove this.
I was a GCCS at Delhi a few weeks ago. A lot of states stopped at the cybersecurity chain at the state level. Why am I securing infrastructure, looking after cybersecurity it is defensive, offensive, stops at the state level. Why is the state trying to preserve itself? For the people. I think that's where a lot of our frustration lies, represented here, state stops at the state level. We are tearing our hair out why that does not trickle down and integrated into our experience of cybersecurity.
I think that you guys have touched upon that already which is great. In a lot of case we have seen cybersecurity policies that go further than not addressing human rights but used to curtail or disregard human rights especially policies which are overbroad and deal with anything from data protection to privatized enforcement to network infrastructure.
We have seen bad laws everywhere or those that focus on security over privacy. Those are extremely commonplace and was mentioned. It is hard to argue with that reasoning when you hit the wall of national security. It is state versus state; stop organising human rights. I am civil society. I will always organise. The user experience we want represented online. You all pointed to the same thing. I totally areee with it. We see it happen in the EU as well. Compliance with 108 or UN charter; it is not quite enough to ensure the real‑world application of it. I would be curious to hear from you guys in terms of what are the obvious risks and challenges of that. But also not so obvious places we can focus on as civil society that hand out better deals that would only apply to rights. You touched upon that . . . we want to force the government to do better. In your opinions what those rights would be.
I would like to take this opportunity to encourage you to think of your questions. If you want to put your hands up so I have an idea of who wants to speak I will give you guys the floor in a minute.
>> I would you briefly comment on that. I think to share a little experience we have in Mexico, two years ago when our organisation started we saw a problem with surveillance and that there were at least two very strong narratives, difficult to break. One, when you were talking about surveillance, you were seen as paranoid with a tin foil hat and also something I called like the interactive called the Won't Anyone Think of the Children? It is like "But this is for good" ‑‑ the security problem is very difficult and we need to make this sacrifice.
We have been successful in a way in turning those narratives ‑‑ in Mexico, if you ask a common . . . someone on the street, do you trust the government to surveil you, do you think they are doing it for your security, they will know. The government used the tools for schools to spy on human rights defenders, journalists, people exposing human rights abuses. Mexico is a perfect example particularly on why on a (?) and context, where the government is trying to point the security problem as government good guys, drug cartels the bad guys.
It is clear to most Mexicans, for example, the lines between the state and organized crime are blurry at best in many cases and privacy is security. And when you are not ‑‑ you don't have privacy from the government who have probably working with organised crime it is not only your privacy in danger but your security. It is harder although continues to happen. But it is harder for the government of Mexico and this is something that might be expanding to argue that renouncing your privacy is good for security. I think we should build beyond that, go beyond the nonsense discussion and we should talk about that the in discussing how to advance cybersecurity.
>> I would remark that the idea that the privacy's not in conflict with security; it is essential for security and essential for having people's center approach in cybersecurity. Again, coming back to my original idea and first intervention, this is not different from what happened in the physical world. The same way we don't give up our right to privacy in the physical space to allow the government to keep us safe we shouldn't be re‑assigning our right in the digital space. Otherwise we will end up in a sea of surveillance. We have fought hard in human history to stay away as far as I understand. So I think that we don't have to fall into the trap to make us think if this is something separated from the physical reality.
Again, this is the space in which we now develop our more like general activities that we used to before in the physical space; so we should apply the same rules. This is not automatic. We have to think more of the technical details of how to make this true, not to just make the statement it is the same as the physical world. It is more complicated than that. But it is a principle for making decisions in this space.
I want to add to this. Not just the challenge but also the opportunities, the discussion about cybersecurity provide us. In that sense, adding to what Mr. Fernandez talked about his experience with the Mexican government in Chile, many times engagement with government from a very collaborative approach is fruitful. In the first panel in the morning a lot of people remarked about the need to be more practical and not just present a position of civil society as a full criticism of everything the government's doing but more to provide alternatives, a way out and positive; to find the way in which we can achieve in a better way the cybersecurity concern, the respect of human rights.
This Chilean cybersecurity policy is a good example of how you can do that. Of course, it's not perfect. Of course, as Mr. Fernandez said: It is one thing to put the statement on paper. You can make sure the application, behavior of government related to the issues of technology. For example, the issue that the cybersecurity policy in Chile considers the human rights impact of the measure that you can take in different aspects in the use of technology and in the measure that you take for keeping secure the cyberspace, it helps us have a more informed discussion on human rights perspective on the implementation for example cyber crimes investigation.
We are going through the process of discussing in the Congress what will be the amending of our cybercrime law. The fact that we already agree on the cybersecurity policy about relevance to respect human rights; that any kind of regulation, procedural aspect to protect human rights, it is helpful for the discussion. That gives an example of how you can be positive, building on top of what you have already been discussing with your government in this very broad application of the cybersecurity. To apply that to all of the fields of regulation. As an organisation, we try to work with other organisations in the region. We started some contact with a Guatemalan government. We need (?) society to invest in this kind of work, building our own capability and also help the government in our region to build this capability and understanding.
I agree. Empty words on paper is what we talk about when we have these he challenges. I want to talk to something that may lead to help come to a solution. One thing underappreciated in technology: We have the ability to change everything we do. What I often see with policymakers and people trying to solve a cybersecurity problem is they go and look for solutions that worked in the past and in different networks. Corporate networks, something common and effective. States, when they try to solve problems at a national level, they grab for the same tools that work, in a completely different context. A year and a half ago I had a conversation with someone who worked in policy. He was using network solutions.
As many of you know, the Internet went to an immense amount of change when it comes to encryption. Over 50% of webpage loads are encrypted and no longer readable by people in the middle. It makes security monitoring very difficult and is no longer the tool it was in the past to deal with specific security issues.
The challenge is this type of solution is expensive and the budget a lot of goes to these spins solutions. When you employ them, you want value. When you have monitoring at a broad level and data is encrypted a little more every day you have to find ways that the solution still looks like it delivers all of the value. Two ways of doing that both have implications on human rights. Method one, you look for things you can't monitor for than the thing you deployed the solution for. You look at what you identify and how you can show that to show the value of the investment. Second, taking encryption away from people. Both have human rights implications that in the original discussion may not have come up. To bring that to a bit more of a solution. In the security world we have had many challenges with building security into a problematic product.
In my career I spent a lot of time working on trying to solve it for products, not security products but products used by people on the Internet. What happened there, there were several processes developed by organisations who were quite good at it. Then replicated, evaluated, changed.
I think we can do something similar in a sense when we talk about technical solutions. They shouldn't just be discussions within the state or engineering communities. They need to be inclusive dialogues that involve the people on the networks, using the networks that would implement those solutions. That includes civil society. I would argue that all of you play an important role in bringing up concerns when you see them, flagging them, helping drive the domestic and international debates.
The second piece is process. When we say that human rights are important, we need to come up with process that help us assess the human rights that we do. IGF has a Working Group HRBC working closely on identifying what things go wrong when building a new protocol, what things do we need to think about. How much knowledge of the protocol must exist on the endpoints controlled by the users, versus the intermediaries, controlled by others.
Finally, whatever process we develop, implement, needs to be transparent. As if the process is executed and in the end there is a violation of something discussed there: That needs to become clear and brought to the attention of everyone involved.
For instance when a new technology gets implemented and later abused, those things need to be identified, brought up and there are a lot of organisations including the previous panel that do a lot of good work and flag those things. I think it is also important that whatever assessment we come up with to test human rights implications of an idea also needs to be testable. If we work on putting together those guidelines and apply them to new security technologies as they get implemented at the state level or international, I think that will bring us much, much closer than where we were to knowing whether the technology is rights‑respecting or not.
>> LUCIE KRAHULCOVA: I am tempted to end there. It was mentioned. How do we ensure the process works. The Chilean government, you mentioned it is fruitful to discuss it with them and all stakeholders need to be at the table to address that. We have stakeholders in fora. What does that mean from the community affected.
I am from one of the organisations pretty good at being represented at international fora. I am with the end users and national level NGO's screaming at us: It does not trickle down, we don't have time for iPad, we are not consulted in a meaningful way. In Europe, technical opinions in society submitted to the UK government, decided to go the opposite way, drafting the legislation, IP Act.
Not just how are we invited to the table, but my question is what groups need to be there and what does that engagement look like beyond sitting in the room and saying things? How do we integrate that. I don't know if you guys have ideas. Do you want to say how you guys worked it out.
>> Seems like a multiheaded animal. Of course when discussing cybersecurity, you have different groups. First they had different level of knowledge of the topics. Different interests. We confront the specific groups targeted by technology; they need specific protection. LBGT community, women's rights. Abortion, it is banned in many countries, still. Those groups sometimes feel very comfortable with a government discourse that implies increased surveillance or increased measures to control what is going on.
We need to bring those people to the conversation but work with them to make a broader analysis and find a real solution to the problems they are confronting but at the same time don't sacrifice freedom of expression, privacy and all of the considerations. First I will say we need to make a greater effort in the civil society side to combine in a better way our own diversity, knowledge and understand which side of the conversation you are confronting this discussion and bring it to all of the stakeholders; for example the government and also very important that conversation can be developed with the technical community because they are best once positioned to find the practical tools that allow you to find solutions to the real problems that need to be addressed but the cybersecurity consideration starts and ends.
For example in the Chilean process the government was open for the call. But many groups have limitations engaging in the discussion because they don't have the ability, time, money to engage in this discussion so there is much more we can do to still bring in a diversity; and I hope that in future processes in other places at a local level the participation is more diverse. Because it is an urgent need. Thank you.
In many countries the discussions at different stages. In Mexico, cybersecurity is a buzz word. It is new. That is why they came up with this strategy and our focus made sure the strategy mentioned human rights. It was understood when you do cybersecurity policy you have to talk about human rights. However I think we needto do more ‑‑ needs to challenge more other parts of the strategy. First on the diagnostics: What is the baseline. What is really the problem? Because right now many governments are relying on and diagnostics are made with interests by companies ‑‑ they are painting the picture that Mexico ‑‑ once a month you see an article, Mexico is the worse, has the most cybersecurity. You ask questions, do not find answers about the statistics. Civil society needs to be able to challenge the assumptions and know what the problem is. If you don't know what the problem is you don't know what activities will solve the problem. We need to challenge that, the diagnostics and the plan to solve that problem and make sure there are indicators and are there to monitor compliance. It is easy for government to say this is the problem; this is the solution. Vague problem and solution. And in the process you do whatever one.
An example of why it is dangerous. In Mexico, violence spiked and the government said we need the army to be in the streets but the civil police is not able to handle the problem. We have been with the army 11 years now. The evidence shows that when the army intervenes in a region with violence the violence does not come down and human rights violations increase. There is an index which means every time the army engages in a firefight with someone, there is never survivors.
That indicates there are human rights abuse. There is evidence that has been gathered with data, research. Now we are stressing the army cannot continue on the streets. This is not helping. But the army wants to stay because it has power. And wars are profitable. Cyber war ‑‑ wars, real or perceived, are profitable. If we let the discussion of cybersecurity to have this war mentality, these institutions are going to want to prevail in war.
Mexico does not want to end the war. It will let the same mentality into cybersecurity, a lot of people won't want this war to end and that will affect human rights in the end. We need to be there, civil society, challenging what the point is, what activity is proposed, what they are wanting to and can achieve and measure weather those actives really solve that problem or not.
So we move beyond this war on words on paper that was important at some point but we need to go forward. To echo the last point, what is currently the status, what actually works, is a problem all of our communities share. Within the technical community it is equally an issue.
When we want to advocate the solution to the problem the challenge has become the securitization of these issues, has become immense and there is a lot of discussion about even relatively minor issues, making them seem quite large to warrant investment and new technologies to invest in them. I agree completely that the one of the challenges is measuring and taking appropriate action to what we measure and making sure the solutions work. I would say there is an opportunity filled only by a few organisations, that kind of merge between technical community and civil society and actually AccessNow is a great example of building that putting them together.
If we put the qualities together we can do that and come up with the measurement. It is expensive, takes time but is something that needs to be done to discharge some of the securitization that happens today.
>> LUCIE KRAHULCOVA: Thank you. We are running to overtime. That is my bad as moderator.
The narrative power and the streets ‑‑ I don't know how many people GGCC ‑‑ Russia and other countries, it is about state retaining its power. Geodominance through its fear sphere. A concept for us to comment on. I will give the floor a couple of minutes to the audience. I apologise. I had to let them share their expertise.
>> I support the idea ‑‑ we approach government with data and so on. Does that have any effect in your experience in behavior change in terms of the military, in terms of security cluster? We see that and have been hearing here on the panels, the government say let's talk you but then they do their frameworks anyway. Then for you, Mr. Van Hoerenbeeck, very often we find the technical community sit on the information where they actually can inform policymakers and civil society and tell them: Look you are talking about things but the technology has moved on; so your discussion needs to move on as well.
You have this issue, you have two solutions and very often this information is not shared with policymakers. It goes around, these discussions go around and do not get out of the tech community. Once when we have the silos and silo mentality. Then, when we get to levels like these as you have experienced yourself from the example you made where you tell the person that that official, this thing has moved on, where does that leave that particular ‑‑ if that was a policymaker, where does that leave that person. Also we find because we are saying this to our government ‑‑ because we are faced with the situation where there are three laws coming in Namibia: Cybersecurity ministry ‑‑ framework setting that up. Electronic transactions and cybersecurity bill and (?) bill. We are saying a lot of the stuff you are looking at is outdated.
The technical community is not stepping forward and saying these things do not work, the technology moved on. Is there a way that the a global level, the technical community can communicate better, communicate the stuff you downwards? Those are my observations and questions.
>> LUCIE KRAHULCOVA: That is perfect. I was going to cut you off. You tested the limits of my moderation patience good for you.
>> There is no One Size Fits All strategy. We start playing nights, talking to the government and trying to convince them surveillance without you controls was problematic, prone to abuse. They didn't respond to that. That was Mexico. Then we want to ‑‑ went to hard ball. We do not talk nice with this government now. Actually, that gets things done sometimes. We participated in the forum and in different stages and the cybersecurity policy strategy. But showing up and saying mean things about the government forced them to include the language of human rights and the cybersecurity. In those spaces, if we talked nice, I don't think we would have gotten that language in.
Because they felt they had to mitigate the harm. That is a strategy that worked in my context. I would not recommend it in every context. It is context‑dependent. I would suggest that sometimes playing hard works better than playing nice. It depends on the situation.
>> Thank you very much for the question. It is relevant and is a problem, a challenge. What I have seen in working with engineers throughout my career is that many people just build the things, the right thing to build for their employer or the thing they are building as the project they are working on.
In 99% of the cases it is not because they want to be neglectful or not thoughtful of the other issues but because that is their work. In the recent past I would say many more engineers and people in the engineering community are becoming aware of protocols technologies are misused and abused. There is a way to build communication between the communities. It will take work on both sides.
Within the engineering communnity: More discussions and trainings about what this all means would be a good start. That is something the engineering community can do more of. At the same time, I would encourage you to use technical conferences, places where engineers come together to submit some of the idea that you have or the problems you see in the community.
That awareness building is only going to happen if more of us talk with more of us and work together on individual projects and learn about what some of the challenges. On both sides people can make a tremendous change but the change that matters will happen only after talking and working more together.
It is definitely a correct observation. It needs to be a proactive and converted approach of reaching out to each other or it may not happen.
>> LUCIE KRAHULCOVA: Great. Thank you. We have seen it with the conferences I am familiar with, techie conferences there has been more space made for those narratives. Especially Republica and others ‑‑ I think you will see more places ‑‑ the best place is give it to the technical community.
>> I am going to take one last question. Because I nodded to you and I have to. But then we will wrap up.
>> My question is on language, what language is the right language to use. How human rights can be alienating or not the right language for getting over silos. My question for Maarten, you talk about protocol group and I noticed in your introduction you were in a Working Group in the technical committee on ethics.
Human rights . . . ethics is less clear from my background. Do you see a substantive difference in what ethics conversations and human rights conversations look like and if you can explore that with us.
>> LUCIE KRAHULCOVA: I can't imagine how you are going to tackle this in the next three minutes but I will give you the floor. Give it a try.
>> MAARTEN VAN HOERENBEECK: I will try. I don't lead that group. The people from the first community thought it was helpful and started it. It is important to acknowledge that all of these trickle into each other in a way in a sense that ethics for us as an organisation and people who do incident response and security is all about being predictable and making sure that people know exactly what happens when you work with an individual. I think that's important because I think it is a major challenge we have today.
There is a fear of unknown in the communities. We see this on Best Practices on cybersecurity as well. People don't know what other communities are doing. When you have a discussion around cybersecurity, governments step back because think it is our domain. Civil society does not step in and the technical community stays away because they deal with security issues not the fleshy human side.
I think a big challenge is making sure that we have a common understanding of the challenges and the best way to do that, to make the technical community aware of the challenges you see is through case studies and examples. If you go to an engineer and talk to them about how a particular code they wrote affects human rights, they probably not see unless it has an end users. People write code and they are the end user. But they don't always think, for instance, someone with less English language skills may not read something the same way or understand the problem the same way.
So if you come forward with case studies, you can pivot people more easily not community. It is a short recommendation but I recommend looking into case studies as a way of getting your point across and getting your language normalized.
>> LUCIE KRAHULCOVA: That was pretty good. We are at time. I would like to ask you to join me in thanking the panelists with a round of applause for joining us here today.
* * *
13:15‑14:00 p.m ‑ Closing Remarks
>> ANRIETTE ESTERHUYSEN: I am Anriette Esterhuysen from APC. In this panel I will synthesize and extrapolate and help us do a reality check but also look at how to move forward. I am going to start by asking the question which is the title of the event. Let me introduce them briefly, Sunil Abraham from Bangalore, India. If you ever want a multilateral, critical perspective on anything, get Sunil on your panel. Then: Matthew Shears, Global Partners Digital, who has walked the road of trying to approach cybersecurity from a multistakeholder perspective. He has done the hard work of trying to do what we are talking about here. So, the question I want to ask, and you are welcome to say more about yourself if my bios were insufficient. Is a rights‑based approach to cybersecurity a pipe dream or in fact a critical and achievable mean to a secure, stable Internet. Sunil.
>> SUNIL ABRAHAM: I hope you can hear me. Thanks, Anriette, for giving me the opportunity. It comes to the question you posed I think it will remain a pipe dream if we use the strategies employed so far. I think the purpose of this session is to build on the learnings shared by the various panelists and see if we can agree as a community on a way forward. I am going to try to do this.
As a warning I would like to start off by saying I doubt I can in any honest fashion completely synthesize and summarize what I heard. I am going to be cherrypicking and only work with the ideas that struck me directly. I am sure there are a lot of other things and I hope Matthew will you cover some of that.
The first thing I heard was this critique of multidisciplinary multistakeholder and the idea that we move to a multidisciplinary format. I completely disagree. I disagree because a single corporation can fill the panel with people from ten disciplines. That is not difficult to do. That is one way not to get a seat at the table if that is what we want.
I have been a long‑term critic of this multistakeholder model; and a paper that nicely summarizes some of my views is by Luca Billi regarding hetero stakeholder cooperation for sustainable Internet policymaking. It is a lovely paper to read. I agree with many of the things Luca said there.
The thought of going multidisciplinary, civil society must go multidisciplinary. We must have engineers on our side. If we want them quickly enough become engineers, we must poach them from corporations. Confuse them. Poach them.
As Maarten said we have to look at the standard ‑‑ he talked about the work ITF article 19 leadership. The number of people we have there is far too little to cover the full amount of protocol development just at the ITF. More recently, even though this has no direct consequences perhaps to cybersecurity, we lost a big ballot at the WC3; and other technical standard setting organisations do not let civil society in. We have to find a way in. This might mean working quite closely with certain corporations that share our ideals on certain battles.
So, my core takeaway from this point I want to make: Civil society must do their homework. If you go to an ITP meeting and blabber at the mic, people will shout, tell you to sit down. At the IGF ,we never had the experience. All of the nonsensical things we say are warmly welcomed and applauded. So we never do our homework. We turn up at IGF meetings and say whatever we want to.
Plural forum ‑‑ I want to point to trade agreements. We don't have a seat at the table, civil society has not given up on trade agreements. We hound them in hotel lobbies, chase them. We continue to fight that fight. Second, we can't give up on governments as custodians of human rights. How can we accept that situation in human rights in most nation states are enforced by the government. This is their primary responsibility as well and also governments as a source of transparency. So, even though there is a bit of a mixed reaction about whether we should or shouldn't change with multi lateral ‑‑ I think we have no option (?) and must. Perhaps closely connected to (?) that is the idea of treaty and it national (?) law.
The broadcasting treaty when I checked on Wikipedia it says it was 11 years since the birth of broadcasting treaty and the lobby is waiting for civil society to get exhausted then they will take it through the finish line. They have absolute staying power. We should be doing this exactly; it is a marathon not a sprint. Because it will take a long time (?) we shouldn't work on international treaties, especially in this area. Again, the false ‑‑ we must have both top‑down and bottom‑up.
My fourth point, technical solution, the point was made by several speakers, civil society is seen as being nonconstructive and antagonistic in cybersecurity discussions. There are some people who are working on these standards. The first person is Anne Cavoiukian, her lovely paper on privacy protecting surveillance; and Joan Feigenbaum from Yale University, several papers on how you could protect rights and sustain at the same time.
There is a lot of work ‑‑ what we don't want is for civil society to have a seat at the table and wastes that seat by just saying we want human rights in every sentence. This, I think was ‑‑ sorry, I have forgotten your name but ‑‑ how government solves the optimization level. Two levels; one at the rights.
Suppose we equally want to protect your right to property and privacy, how do we solve that at the level of rights. Then if we have to instantiate that optimization solution into a technical solution, how do we get that right. Thank you.
>> Thank you. Matt.
>> MATTHEW SHEARS: How might we engage in cybersecurity spaces based in part on some of the experience of freedom online Working Group and elsewhere. Excellent points were made about securitization and scope. We need to come back to this on an ongoing basis. Challenging the scope on what falls under the framework of what is cybersecurity and what is not.
We see the most egregious coverage of issues that impinge on human rights in a number of countries in cybersecurity frameworks around the world. We need to keep a very good eye on how that's developing and develop good arguments to counter that. I think some of that language exists; we can leverage that. That is the first point on scope on securitization.
I very much agree with Sunil that we will see, most likely, some good work done and some movement forward in terms of engaging at the national level where governments on cybersecurity policies, whether at the framework level or at specific national policies. It's modest, we must admit, but still a good place to engage. This same engagement can occur at the regional level as well. There have been positive developments at the OAS in terms of cybersecurity engagement by civil society.
I don't believe we should step away from the global level. I don't think we can afford that. One has to look back over the past year and look at the incredible amount of investing getting to where we are. Civil society is in the Internet policy and governance space as a whole. We can't afford to step away and lose leverage.
That being said, there are some challenges. I think of the things, of the challenges we have reached a plateau in 2015 with the Hague meeting that the Dutch hosted. If you look at that chair's statement from that event you will see the commitments and the wording about multistakeholder approaches to human rights are considerable. We haven't progressed beyond that. We didn't progress nor build upon that statement at the recent GCSS meeting at Delhi and that is unfortunate. We have a lot of material to work with and we need to think about using some of the tactics that government representatives have used and the private sector used. There are many, many statements and commitments to human rights and multistakeholder (?) someone from the (?) government men.
Tioned how the process collapsed in 2017. The fact is in 2015 there was a consensus report of GGI (phonetic) references human rights on a number of occasions and calls for consideration of stakeholder engagement. So the material is there. We have to get smart like government representatives who lanch those commitments and statements.
The same is true with the freedom online collation: Some 30 governments promoting and seeing human rights be adopted and enforced around the global.
Those same countries have endorsed the work on cybersecurity and human rights that was developed by the freedom online coalition Working Group one. How do we use the commitments, build on and leverage the commitments made by government not that we have to come to the cybersecurity debate as if we are new to it. We have plenty to work with. Let's not forget that.
The next points ‑‑ that is a tactical issue. But many people in the session today talked about how we need to change our language and think more about and become more involved in the technology space to understand better the issues we are trying to address.
There is absolutely no doubt in my mind that we need to start thinking about ourselves as wanting to be hybrids. If we want to engage in cybersecurity and address human rights issues, as was said in this session: We need to think as technologies, understand the technology and the security concerns. We can't realistically sit at the table if we don't bring some of those solutions to the table. That is what people are looking for.
If you are a government or a private sector meeting to address a cybersecurity attack threatening your national health service, the last thing you want is somebody in the room saying hang on a second I want to talk about human rights, please. No. You want people in the room there to solve that issue.
When does human rights come? When you are building the cybersecurity framework, when you are assessing after the fact what the consequences were of not having adequate security. There are ways of approaching these. The engagement model does not have to be upfront as if you are coming fresh, we are not. We have a lot to leverage. We have to address technologies as well as human rights activists. This is going to take time.
The cybersecurity is not going away. We have plenty of time. Let's not disengage because we feel frustrated. You heard from Maarten, from FIRSt. (?) open to talking to society. Let's think positively and constructively about that.
In many ways, to wrap up, the onus is on us. We are trying to engage in a space that isn't open to us and we are not familiar with it. We are going to have to adapt. That adaptation process will prevent this from becoming a pipe dream. We are really at a point where we are going to have to take a serious next step to bring it into cybersecurity to the degree we want to see it. Thanks.
>> ANRIETE ESTERHUYSEN: Any reactions from the floor. We thought we would have this as a three‑way conversation ‑‑ maybe a four‑way. Between our two closing speakers and those of you in the room. Any reactions to Sunil and Matt who don't I think agree about much at all.
Matt, I think you are advocating for the hybrid approach where we ‑‑ I am just ‑‑ ask civil society to try to be everywhere and do everything. And I think that in many caseses results in what Sunil described as civil society not having done its homework effectively.
Maybe that is my counter question to the two of you: How do we engage top‑down, bottom‑up, plural, lateral, multilateral stakeholder, as well as the standards that Sunil earmarked, as well as the coalition ‑‑ the space where the ongoing debates take place and also when you answer that question, when we talk about "we", who is the "we" we are actually talking about here?
>> The last question is the toughest. I think the "we" is a set of civil society organizes that share a similar if not common theory of change. So that means we will have to trust one another to represent our views at various fora. In my view there are too many of us here at the IGF.
Sometimes we have contingents from the very same organisation; and the excuse for that is we have to be on multiple panels. Suppose we halved civil society participation at the IGF, would IGF swing around become a place for draconian nonsense? It seems that we should reduce participation. It becomes a part of jamboree for us. We come to meet donors and do coordination meetings. Everything else but the business of governance. That is a practical suggestion from my side.
Trust other NGO's, adequately ly represent your agenda and take on new battlegrounds which we haven't participated in or traditionally see seeded from.
The other two things I want to say: There are old ways of reframing the issue even if we don't want to replace human rights with ethics. Such as free software advocacy. I had that on my list when I went to Tunis. I didn't know there was Internet governance. I went to meet people in the free software movement. If every time there is a scary report saying in Mexico, the number of cybersecurity attacks are the most for the region or the world, the response from civil society is we want to shift to free software.
Unfortunately these days we can't because we are using Macs in any case. There is a bit of a problem between our personal politics and the solutions we should advocate in developing countries. We can't tell the iPhone may be the most secure device for an activist but not for 1.3 billion Indians. Free software was a very old way of understanding the world and that was part of some of the original advocacy around the Tunis declaration but I don't think it found because of the proprietary lobby it was pushed out of Tunis, it was not mentioned anywhere else.
Standards, however has found most recently in the (?) public core doctrine and then the Global Commission for the Internet Residents and Stability ‑‑ I don't know the exact acronym ‑‑ stability of cybersecurity ‑‑ developed the public core doctrine as their often.
Open standards is another thing we advocated for. That is no longer core civil society agenda anymore. If you think of regulation and some of the emerging issues such as fake news, both policy levers, open source, free software and open standards are important. We don't really have to reinvent language just to please governments. Sometimes they just need to hear it under a brand they are familiar with.
>> You are absolutely right. Anriette, there is no way we can do everything under the sun. What are the tactics that we use for getting to the table so we can engage in substantive and constructive way.
We can't engage at all levels. We don't have the capability. So we have to pick and choose.
Just to give you an example of where it can pay off ‑‑ so the freedom online coalition working on an Internet free and secure was set up two and a half years ago by the Freedom Online Commission. It was a multistakeholder process, there were government representatives, civil society, business and academia. We ranged between 15 and 17 persons. It took a year to build trust amongst us in that Working Group. And it took another year to build ‑‑ year and a half to build the 13 recommendations that came out of that Working Group. But it is the first time that there are a set of recommendations in a multistakeholder fashion that relate to human rights and cybersecurity. They are high level, you can imagine.
It is difficult to negotiate recommendations with government. But it is the kind of thing that does give one hope that we are working towards tools that can be used and leveraged by civil society and other stakeholders with respect to cybersecurity. One of the key recommendations which was never discussed before this Working Group was cybersecurity needs to be rights‑respecting by design and from inception. This was a notion that wasn't there before. You might say okay, so what? But if you go to free and software online, the website, you can see the recommendations and a definition we mentioned and that they are supported, the work supported by the government's of Freedom Online Coalition.
Coming back to my earlier point, you can use that as leverage with the governments when engaging with them. It is not about being everywhere all the time. Not about Matt going from the global to the technical at the national level. It is about being smart. What is true I think people touched on, when you move from national to global level, you are increasing the political sensitivities and the challenge in engaging in those spaces grows in terms of a practical effect.
You have to resign yourself to the norms level at geopolitical level whereas you can make inroads at the national level. We have seen examples of that. Thank you.
>> ANRIETE ESTERHUYSEN: I think different context calls for different tactics. Luis Fernandez' input makes that clear. You could go to a more confrontational approach.
When we go forward, trying to make this agenda real: Is it a "we" made up of society; a "we" that is more heterostakeholder, in a way that Sunil referred to when he mentioned Lucas' article. A key message that everyone repeated, including you: Is the relationship and engagement of the technical community. So, anyway, responses people in the room and particularly APC's organizers of the ef every event. Chinmayi, you have the floor.
>> AUDIENCE MEMBER: It has been an interesting day. Thank you. I agree with parts of what both of you say. It is an interesting ‑‑ I guess a moment of opportunity. Sunil, correct when you say shouting human rights is not useful. It is one of the things that irritates me, as you know. It is not something we set out to do. We end up doing it because of the way our world is structured. Maybe one thing we have can work on as we plan our mode of intervention, we examine how that is and get more detail oriented.
To Matt's list of successes I would add that I think everyone coordinate successfully, get language that the governments liked into the documentation. That is a huge win. But I think it was the result of eight to ten years of everyone thinking and reading about it. If we can find a way to get there with cybersecurity that would be helpful.
I am sorry, but I feel the sensitivities in cybersecurity are high. If there is a way to build an introspection in the way we work with each other and towards the global goals, that would be great. I would worry if getting the phrase "human rights" in a nonenforceable document we compromise a country's concrete human rights?
>> ANRIETE ESTERHUYSEN: Any one else? Francisco ‑‑ Marietje ‑‑ behind you first.
>> AUDIENCE MEMBER: I think we have been trying to partially respond what we want to achieve. I think we have to be very explicit with the question what we would liker would appeal to us. It is ‑‑ there are different possible outcomes. Let's get human rights language. What would that look like. It is easy for countries to say ‑‑ for instance, privacy and cybersecurity are complementary terms we are all in with that so let's go. And you see that, you see it becomes a compliance issue, a checklist thing.
In the activism world we are so used to getting defeated times sometime we can't envision what it would look like. What we want to achieve, our end goal. Having that in different forums. Having this as a statement be would good in an international setting or treaty or resolution from the UN GeneralS but in a country, totally worthless. So, be clear with the venues and see what we want to achieve in terms of the end goals.
>> ANRIETE ESTERHUYSEN: And the discussion about norm setting, that point was made by Marietje and you are making that goal as well. Principles are one thing but engaging in establishing norms is another. Please introduce yourself.
>> AUDIENCE MEMBER: (?) Really so ideal and beautiful in theories. But I really ask you ‑‑ I am not talking just about my region but it is very important to address the realities in the ground. In my region, mostly the traditional media is owned by the government and also there is no network neutrality, the network is owned by the government. In such an environment, a lot of people are in prison because of ‑‑ due to a post on Facebook.
Really, I want to hear what is the rule of the international community. Of an institution to enhance hands expression on the Internet in my region and others. How (?) tweet (?) suppress freedom of expression. These are important questions. To be honest with you, I didn't see some actions that are really goes going to affect our work in the field. Thank you.
>> ANRIETE ESTERHUYSEN: Thanks for that.
>> AUDIENCE MEMBER: I have a question with regard to who we need to involve. It seems to me there are a group of Western governments that are absent from this debate and we are developing a narrative of us and them increasingly so when we talk about the failure of the DGE it is justified and explained by the governments that want to protect their people and evil ones talk about it because they want to protect the regime.
Are we creating a sustainable regime? We expected in India that would help involve the Indian government. The final statement looks very self‑centered. I think that is due to the fact that it is not a one‑year event involving a government. It is involving conversations that happen all year. The groups to discuss cybersecurity still lack the involvement of their government, so how can we bring them on board?
>> ANRIETE ESTERHUYSEN: I am glad you are pointing this out. Often in this us‑and‑them approach the so‑called good governments are the ones of the worst practice so they go to Freedom Online Coalition meetings but at home they happily violate rights online without any recourse.
I think it is challenging and to have this us/them dialogue and I think often the attempts to create more of a common platform between Global South and Ground North governments result in a form of capture and co‑opting.
I am sorry to be critical. I don't think it happens but it is challenging. We had more hands in the back. Yes.
>> AUDIENCE MEMBER: Thank you, Chair. Winston Robert, New Zealand. I think civil society should be brave enough to remind governments they did invent the principles, Geneva principles 2003. I was there as a government representative negotiating that statement.
It took the whole year to get agreement and I take Matthew's point the hard questions take time to get agreement on. We have Geneva agreement principles. We should not forget that. It starts with a statement about the primacy of human rights in the story. You can remind governments of that statement ‑‑ we civil society ‑‑ I was a government rep and am now a civil society rep. I have changed hats.
I think we civil society should be brave enough to remind governments of their obligations that they signed on to in that respect. Thank you.
>> ANRIETE ESTERHUYSEN: Thanks a lot for that. We need to ‑‑ I am going going to come back to the panel.
>> I wanted to be brief on two things because multidisciplinary was challenged. The point is well taken. The way I was looking at it was multidisciplinary is a concept for governments. I think as a critical observation that multistakeholderism can be as empty and meaningless a phrase. Stick a few people in a room, does that cover legitimacy?
It is important to ask the critical questions. My point was that it is time to be translating your concepts to language that government representatives use; it makes it easier for them to participate.
I don't think you need necessarily the highest level and biggest signoff and I think participation does not mean buy‑in or agreement but have people you included so they can share from operational point of view what different parts of government are facing. Again, government in a strange way is also multistakeholder. Sometimes the economics people are fighting with the intelligence, with the foreign affairs (?) because it is a division of the pie on the inside.
I wanted to clarify. I would hate it if people understood my comments to mean that inclusiveness is not important. If there is a way I can help brainstorm about bringing more representatives of government, which I am not, but bring them into the room, I am happy to.
>> ANRIETE ESTERHUYSEN: Thanks. I think the concept of heterostakeholders tries to capture that notion you have multidisciplinary and plurality of interests and worldview.
Going forward, consolidating a way of making that not just trivial and at the level of inserting rights language that is empty, what would you like ‑‑ not just civil society but more broadly what we can do going forward.
>> Somebody mentioned checkbox. That is exactly what we are facing on human rights, on multistakeholder. It has become too easy and facile to talk about multistakeholder. We saw it at the GCCS when it is not happening in practice. The gentleman in the back, absolutely, this is something we need to do, call governments to account. Where they make commitments we need to ask them to honor these commitments and do not call them out enough. Maybe the same governments working freedom online or coalition or elsewhere. As you said, Anriette, cannot be taken for granted. Working governments, they have the same obligation. Even those that have the freedom such as freedom online.
How do we take this forward? We don't really, because of our . . . . . . we are resource‑limited. I am a great believer in trying to find commonality of purpose with other stakeholders.
I don't think we can necessarily address an issue so systemic and holistic as cybersecurity without involving other actors. We are going to have to talk to business, bring in academics, first and foremost, talk to the technologieses, get them on board. That is the only way we will bring about the kind of change we look for longer term. How will things look at five years in? Time. We got an inkling in 2015.
What did all of the hacks and particularly for example the year before in Ukraine, the power grid, do? They all impacted the individual. In varying degrees. At the end of the day, the more we are engaged and part of this ‑‑ a node in this network, so to speak, then we need to be involved and civil society needs to be involved. This is an inevitable evolution if we want success in the cybersecurity space. We need to work across stakeholders.
>> ANRIETE ESTERHUYSEN: Sunil, the last comment. The next group is waiting outside.
>> SUNIL ABRAHAM: I completely agreed with what was said about demonization about the government. Civil society gets played as pawns in a geopolitical game. We need to get more smart about it.
The checkbox question, in Germany they have an interesting approach. They go to surveillance oversight boards, over technical expertise saying we want won't talk to you about human rights. We will explain the technology.
The people on the oversight board gets it once they understand the technology, how it works or say we suggest you modernize your structure and use e‑records.
This is exactly the change that the anticorruption civil societies movement use as e‑governance and open data as second generation.
Finally, when it comes to corporations, encryption did more for protecting privileges in countries compared to civil society lobbying around privacy and surveillance law. Advocacy energy (?) these ideas we should be considering here.
>> ANRIETE ESTERHUYSEN: Thanks for that. The only summation I would say is that detail is something we need to take on.
(Session concluded at 14:03 p.m.)