IGF 2019 – Day 4 – Raum IV – DC on Core Internet Values (Part II)

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> OLIVIER CREPIN‑LEBLOND:  It's a long morning moving into the afternoon afterward.  The first part was pretty exciting.  We will try to make the second part as exciting as the first one.  I see new faces and some people have had to move to other sessions as well.

I will hand the floor to Maarten Botterman in a moment or perhaps Shane, whoever, wants to proceed forward.  My name is Olivier Crepin‑Leblond.  I'm the Chair of Dynamic Coalition on Internet values.  U.K. chapter ftz Internet Society and also part of the European at large organisation ICANN.  We have a number of new panelists with us and this is meant to be a session with a lot of interaction and dialogue with everyone so we will keep interventions to a minimum and then open the floor and get movement going.  So I just wanted to recognize the people that have come into the room that some of whom were not in the first session.  With piss sitting next to me, who will speak to us about the summary of the 6F framework proposal that he has put together.

Jim, whom you have seen in the part part, welcome, Jim, Marilyn cade could not make it.  They might be listening remotely, so if you are listening and watching, Marilyn, see you soon, and please, if you can, put some comments in the chat, that would be really helpful.  We will be happy to read into the record.  Matthew Shears is with us as well,  Sivasubramanian Muthusamy, and Thomas Rickert is with us at the end of the table, and Vint Cerf.

Martin, would you like to take the floor, please.

>> MAARTEN BOTTERMAN:  Thank you for that.  The combining of the core Internet values with IoT session is in a way a sign of inincreasing maturity that these things matter how we approach it, and in many ways it's comparable to Internet how we deal with IoT and IoT of things for specific characteristics.

The first part of this session we focus on security because if we don't secure, if we don't create an environment in which we can rely on what these things do and don't do, whatever we think how we should deal with it will not be enforceable.  And potentially the IoT may become a bigger danger than a blessing.  And that's a big thing because it's a blessing we need.  We need IoT devices to manage our environments, to assist us in ways that otherwise would not be affordable or possible.

To in the security discussion, there was some talks about what level of security is needed and a very strong take away was also that in this we don't talk about a blanket IoT.  It matters what you talk about.  And we need to look into classifications when we dive deeper to become more concrete on security issues.

It does matter whether IoT devices are passive or active.  It does matter in what function they are used.  Examples given were an arrow playing which is in a way is a lot of big combination of devices plus links and shares and cars, et cetera, but other examples were also the text that are used to track food on the other side that obviously don't have a lot of high costs with it because it would add to the cost of the food and at the same time the vulnerability of such passive devices is also different.

So that's one thing.  Security, key, because we become dependable on and if it's not secure, that leads to dangers.  Second, classification, very important.  We need to become more concrete on that part.  One suggestion given to enforce more secure devices or to encourage more secure devices was that, for instance, Government can contribute not so much by telling how it needs to be or try to regulation on technology level, but by their procurement policies because Governments are big purchasers in this.  And in that way, they can influence the market in a positive direction.

The very last remark that came in makes us realize, again, how much this also relates and there is so much in place in this IGF, it's relevant also that we make sure they are available and useable and affordable for those countries in the Global South that need it for crop management, for dealing with extreme weather and for other applications that would be so much served by this, and for that, we cannot just send devices south.  We also need to work in such a way that capacity building takes place, that people who live in specific regions are the best ones to know how to use those tools.

So with that I think I covered most of it.  Did I forget anything?  Anybody else?

>> SHANE TEWS:  The only thing I would add is accessibility and the importance of thinking about accessibility in the design process.

>> MAARTEN BOTTERMAN:  And Shane is from now on the Chair of the Dynamic Coalition of IoT.

>> OLIVIER CREPIN‑LEBLOND:  We look forward to working with you, and goodbye Martin.  Was that blunt enough?  You have gotten your responsibilities now so I'm sure we will see you in the room now and then.  So thank you.  I guess we can now plow forward then with this second part.  I guess one of the points that we asked in the first, at the end of the first part was with regards to regulation.  Do we require hard core regulation and making the distinction between the different types of IoT devices where you might have automotive IoT devices, industrial IoT devices and consumer IoT devices, some are regulated the automotive industry is regulated due to safety concerns, such as the consumer IoT devices are an open book one of the questions being, of course, do we want hard core regulation soar should we have some kind of ethical framework that organisations, companies, consumers, et cetera, subscribe to as a good practice for IoT security and IoT devices.

But, of course, we are also looking at the core Internet values and I'm going to hand the floor over to Sivasubramanian Muthusamy to give you background on what the core Internet values are.  The technical views on which the Internet was built.  Sivasubramanian Muthusamy is in India so can we unmute him and see if we can have him come over.

>> MODERATOR:  We have your slides coming up on the screen and we can hand the floor over to you, and if you need to go to the next slide, please ask explicitly then to go to the next slide.  There we go, Dynamic Coalition.  Over to you, Sivasubramanian Muthusamy.


>> OLIVIER CRÉPIN-LEBLOND:  Yes, acknowledge.  Continue.

>> SIVASUBRAMANIAN MUTHUSAMY: I am from India and Olivier has introduced me.  We have been doing this work encore Internet values, the Coalition, the leaders in the room, they have been doing the work encore Internet values since 2009 and they have defined and articulated certain core Internet values.

Please go to the slide that says core Internet values.  We have articulated it as follows, the Internet is global, open, free, interoperable.  The Internet is user centric and end‑to‑end, robust and reliable, and works as an ecosystem for par missionless innovation.

It has a distributed architecture that requires a unique approach to its governance.  These are architectural values, but what we are talking about is not just architectural values, but architectural values that reflect as global values.  Internet values are not merely technical values.  The technical values, because underlying architectural values represent larger social benefits and these reflect as global values.  For instance, the architectural value of interoperability, openness result in the social benefit of a global network of networks that connects the people globally, connected people across geographies and cultures.

So these values result in one Internet which makes one world.  These values do not change.  I'm sorry, the next slide, the slide after next slide, the slide that says values do not change.  These are core Internet values.  These values do not change.  These values are not swept away in an occasional flood nor disbursed across languages and cultures.  These are infinite, permanent and at the foundation.  There are contrary reviews to that, but that's debatable.  The point is that we can look at values as inherent and unchanging because the Internet is because of these values and the Internet is unfathomably relevant to the whole world.  Despite challenges certain problems that arise, certain problems that alarm us, despite all of that, the information is useful and invaluable and when we talk about Internet values, inherent values, again, those inevitable security measures that, we have to consider them as necessary measures for the time,.

The last side, to preserve and perpetrate and benefit from these values, we need to call for governance values that need to be in tune with Internet values.  Internet Governance is global, it need not be looked at as central governance model.  It's global without being central.  It's globally distributed, yet it's harmonious.  It's coordinated.  We are not talking about control.  So it's not a controlled, it's not a governance process of control.  And necessary measures occasionally that are needed globally, regionally or nationally could often could be taken by consultation in the multi‑stakeholder process either formally or informally.

That's just about what I want to say.  Thank you very much.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much for this.  Actually, just go back to the previous slide because we didn't have this displayed when you spoke about them.  So I just want to sort of leave them for a few minutes on there.  Thank you for your intervention, and now we are going to go through our various panelists and, of course, the first question which is in your agenda, well, first thing I needed to mention was there are some papers about core Internet values in the agenda.  It's been updated so you can read some of the previous discussions in previous years.  But today's discussion really is about the ethical, potentially ethical considerations and how are they important for development, deployment and use of IoT.

And in order to ensure that we are creating sustainable solutions with IoT.  If we are going to have legislation, does it break this whole permissionless innovation side to things?  Is the IoT the Internet?  I have heard some that say that it isn't, that there they are two very different things.  Some are saying IoT is sensors and a gateway and it's completely out of it or they could just be private networks and so on.  So lots of potential topics here.

Let's start then and get some views from Jimson Olufuye.  I'm going to go through this alphabetically as listed in first name basis so that leaves V or Vint at the end.  So Jimson Olufuye, what are you're views on that, and you have been reflecting on the first part of this discussion that you have taken part in as well.

>> JIMSON OLUFUYE:  Thank you very much.  Welcome everyone.  This is Jimson Olufuye.  We have discussed in the first part and it was quite interesting, and the language is also very interesting.  We are talking about the Internet core value, value with regard to governance, data governance and reflecting on the short presentation, it says we should take a cue from the Internet layer itself.  The Internet layer, of course, technically we have the link layer, we have the network, the transport, and, of course, the presentation.

And the work harmoniously ‑‑ they work harmoniously from one layer to the other, so there is perfect handshake.  And as he said this core value has worked in every culture.  Its permeated society, and it has helped to create content that benefits society by and large.  Prospered economies globally, and this is the model.  It's global, it's open, it's operable, transparent, perfect harmony so why can't we have that when it comes to the maybe the data governance itself?  Because that is why we are here, Internet Governance.

How do we address those issues with regard to security, with regard to intellectual property, do rereserve some part of it like critical Internet resources, managing the critical Internet resources, looking at IP or IPC, so that has been resolved with ICANN, which I think is one of the examples of enhanced cooperation as it is, because today we have the Government there, we have the private sector, civil society, academia, we have all stakeholders, technical people working, well, if you look at it from a far distance, you say, well, they are working harmoniously in a way, yes, because we are discussing within that framework.

So now moving to managing the content, we have been speaking earlier about how do we ensure that IoT serves us?  So how do we categorize them?  What level of accountability should they have embedded within them?  So there have been discussions in the United Nations as we know because all of this came from WSIS from the WSIS 2005, we talk about IGF, we talk about enhanced cooperation.  But a core requirement with this cooperation has been satisfied from my perspective by ICANN, the finalization of the oversight function of the iana enforced by the U.S. to the global community.  So that is resolved, excellent.

So the next level is how do we resolve other issues?  At other levels, maybe at the national level we have some things happening.  For example, in Nigeria, we have the data protection regulation now that came to be this year to guide in terms of governance in terms of data of Nigerian citizens.  The AU has come up with the AU Convention on data protection and cyber execute.  We know about the popular GDPR.  In terms of compatibility, that will create issues.

So we need to ensure that innovation is now striving, that work is continuously created and to do this we need to have generally acceptable framework, because if you look at Kenyan data protection regulation, it has prison terms of five years, 5,000 Shillings, 5 million Shillings fine or 5 million Shillings fine.  In Nigeria there is no thing like penalty.  There may be imprisonment penalty, but there is a fine is about $30,000.  But compared to GDPR, which is 5%, which is growth, which is huge.  We need to have a framework for this and this is why resolving every general standard comes to play.  If I may, the high level panel made some recommendations.  One of the recommendations talk about a multi‑stakeholder Working Group.  Whereby we can bring in all of these important principles, and then we all accept it.

How can we accept it?  If you don't have an instrument and an instrument I have seen that will be relevant is still the CSTD, that the is United Nations commission for science and technology for development.  If we have this Working Group, under the CSTD then it will be easy for the resolution because we have some form of consensus now so to speak about these principles.

These principles can then web site to the ISOC.  And then it can move into the General Assembly and accepted, you know, by everybody.  So I think we needs to get to that point so that when we get to accepted by all, it's the form of a treaty, and it will be binding in a way upon the manufacturers of devices, binding on associations and what have you.  Yes, we can say we could do self‑governance, but that is no the ultimate because moving ahead, the risk ahead requires that we should coordinate this perfectly.  It doesn't mean we should consult regional activity, but at least at the global level we should maintain that same handshake, the high level of cooperation.

So in short, there is need to look at how we resolve this at the global level and through the CSTD, the CSTD is an assistive framework, because part of the mandate of CSTD is to discuss public policy, and Internet Governance policy.  The framework is already there and the private sector is there at least in the Working Group will be there.  At least the last one we did phase 1 and phase 2, all stakeholders were represented and we were all, we listened to ourselves, and I think it's a framework and instrument that we should use to advance the discussion.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you for this.  This is quite a concrete proposal.  Next is Matthew Shears.

>> MATTHEW SHEARS:  Thanks Olivier.  So I will bring it back a little to the discussion we had earlier on.  I think what was so interesting about these two parts to this, and makes a lot of sense that they have been brought together, I mean, there are some characteristics about IoT, I think, that can give us indicators about whether or not the devices or the networks that they comprise do pose ethical dilemmas and possibly undermine core values.  And there are three things I think that are quite pertinent.  There is no doubt that when the networks are deployed that they will be relatively ubiquitous across public and private spaces.

They will be sensing and communicating and they are networked and they will contribute to the accumulation of data which will be used for diverse purposes and they will be low cost.  They are low cost, and they are also discrete in their form factor which can be adapted to local environments.

The challenge is not so much whether or not the devices in and of themselves break or contradict any of the core values, but it's really about how they were used and it's in their use that they could well pose ethical dilemmas and could be in contribution to the core values.  At the same time, I think we have been here before with these discussions.  We have these same kinds of discussions every time we have a new technology.  We wonder about the ethical dimensions, we wonder about how they would impact human rights.  We have had it with 3G, 4G, now we are probably having the same thing with 5G as well.

So what's different here is the potential of the scale of the damage to persons and systems if these networks are not managed in a particular way.  So we know that, I think we know what the challenges are and we know we have a collective responsibility to address them before these devices flood the markets and the consequences of their deployment make us perpetually on the back foot when it comes to managing.

Some of the things I think that we need to consider and, again, this might obviate the need for addressing or it's a manner in which we can address some of the ethical challenges is much of this will be about changing behaviors.  It may be, indeed, unrealistic, but at some point we are going to have to think about how we ask more of the individual user to take responsibility for their network and for understanding that their network of IoT devices in their home is a part of a greater whole.

It will also take a change of behaviors among manufacturers to implement levels of security and security by design, for example.  And agreeing what are the minimum security environments before devices can be put on the market.  There is no easy way forward here in this multidimensional, multilayered challenge, but it's one we are going to have to step up to.  I think coming back it's the deploy of the devices that will challenge us of most.

When you put devices on the mark, they may well be safe and may meet minimum security standards but it's the purposes to which those networks and devices when put on the network that the purposes that they are put to which will determine what kind of ethical challenges we are going to have to face going forward.  So I guess that was the idea just to leave you with, kind of tie this into what we talked about this morning and leave you with a thought that we have to consider not just whether or not devices are secure when they are put on the network, but also how do we prevent the uses they may be put to which could challenge us from an ethical and also from a core Internet working perspective.  Thanks.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you, Matthew.  I have seen a number of people wanting to comment on this.  We will open the floor for discussion afterward.  I would like to first go through the different panelists we have.  So far we have a proposal to the CSTD could be a good location for these discussions and for providing a framework, we have got a point about the end user requiring to be a bit more astute in how they use their devices and to learn a bit more about them.  Let's hear from Thomas Rickert who can provide us maybe another point, or maybe the same.

>> THOMAS RICKERT:  Thanks very much.  This is Thomas Rickert ecoInternet industry association for the record.  I think one point that I would like to add to the discussion is that in Germany, ECO has recently published booklet on ethics and digitization.  There was a survey done, and it was asked who in the eye of the people that were asked is mainly responsible for making sure that there are ethical rules being observed when it comes to digitization.

And interestingly 39 percent of the respondents said it's up to the political arena.  And I think that is sort of striking because other than what Matthew said earlier, it will be potentially challenging to get users to take more responsibility because if they ask for the legislators to step in, obviously they want to push responsibility elsewhere.

Little comfort is given by the fact that 31% said that our stakeholders have a shared responsibility to make this work and that would include the companies and science and civil society, but still I think we have quite some work to do to raise awareness for actually making everybody take their share of responsibility.  And also, I think that it's a sort of comforting trend that we see legislation evolving around the globe that is similar or comparable to GDPR which I think embeds some of the principles that we need to have in place when it comes to ethical software development, security by design, privacy by design, certain rights for users to exercise, so I think it needs to be a combination of legislative efforts and combination with raising user awareness to make sure that they use devices in a, and services in a responsible manner.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you for this, Thomas.  I mean, there is already a lot that end users need to learn about.  We have all heard in many of the other sessions the issues of hate speech, privacy, fake news, there seems to be a, maybe a course that everyone has to follow when they, after they are born as to how to navigate the virtual world these days, in addition to how to navigate the real world.  Well, for someone who knows a bit about the virtual world.

>> THOMAS RICKERT:  Maybe one point I should have from the survey and sorry for not adding that earlier.  The users said that only 6.5 percent of the users said that it's the companies that are offering the services that should be responsible for ethical standards.  And I guess that's quite telling because obviously the users don't trust the companies to be capable of offering a certain level of comfort.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you, Thomas.  For someone then who knows a little bit about the virtual world and maybe a lot about companies, let's have Vint Cerf.

>> VINT CERF:  Thank you very much, Mr. Chairman.

I want to make several observations.  I want to begin with some that are perhaps a bit broader than our focused discussion.

The first one is an observation about users.  Some of us have been thinking that an Internet driver's license might be a very useful concept, not that we really issue certification, but the idea is that people should take classes in how to use the Internet and be aware of the hazards that might confront them.  So that's one kind of interesting idea.  The second thing is that the phrase permissionless innovation, something I make use of frequently has come under fire recently, and it appears to me that permissionless innovation does not mean irresponsible innovation.

And so I think the term responsibility, accountability, other things like that are becoming more common in our vocabulary as we talk about the Internet and the uses to which it is put.

So I think we should hang onto that notion of responsibility and accountability.  With regard to IoT devices in particular, I had six different desirable properties of IoT devices, some of which have already been mentioned but for the record, reliability is very important.  Why would you only want a device that worked 85 percent of the time.  Second, security, and here I want to refer to integrity of the updates to software, which we know will be needed either to add functionality or to fix bugs, and that means knowing where did the update come from, knowing that the update has integrity, digital signatures will be helpful there.

Security also means defense against attempts to attack, to control, to otherwise abuse the IoT device.  And finally, access control so that the device takes command and delivers data only to authorized parties.  It's clear that that functionality should be built into the IoT devices, and they should be evaluated against those criteria.

Safety for sure no one wants an IoT device that is patently unsafe, whether it's a new office, the car or at home or something you are carrying around on your person.

Accessibility has come up more than once and I am a huge fan of that, you know, I'm wearing a headset because I'm hearing impaired, but other people have other disabilities that require accommodation.

And it's a hard problem.  The design of accessible systems is actually quite difficult.  Affordability is clear.  If we want everyone to benefit from these devices, they have to be affordable in the context in which they are acquired and used.  And finally, I want to use the word sustainability here which is a popular phrase around the United Nations, but in this case, what I mean to say is that for the lifetime of that device, that it needs to be sustained.  That means that the maker of the device needs to make commitments about how long that device will be maintained, software kept up to date.  The user should have some expectation and the makers should be transparent about their intent with regard to maintaining the device.

So those are the kinds of desirable properties that I see.  The two other points, and then I will stop.  One of them has to do with the notion of shared responsibility that Thomas brought up.  I am a great subscriber to this notion that there is plenty of responsibility to be spread around in the use of Internet‑based devices, and from users to manufacturers to legislators.  The one thing I will say is legislators after they pass laws leave a lot on the table because somehow those laws have to be enforced, otherwise they are not useful.

So there is some issue there to make sure that laws are implementable.  And finally, I wanted to draw, Matthew made an interesting point about the purposes to which the devices are put, and there is an analogy here to content showing up, for example, in social media.  It is the content that creates so much of the turmoil and debate that we have experienced in the past decade or so, and the purposes are parallel notion.  How did you use or how did you abuse the IoT devices.

So Mr. Chairman, those are some of the thoughts that come immediately to my mind, and I think they are consistent with the things that we have heard earlier.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much, Vint Cerf.  You mentioned one point which had been touched on in the first part of this double session regarding the sustainability of the device with an example being a refrigerator or goods that have a long life span but yet might need to be constantly updated and whether they would be usable without the IoT component part.

>> VINT CERF:  Thank you for bringing that up.

The more immediate ‑‑ that's a long‑term consideration.  And if it turns out that if it's not maintains, can you still make use of it.  There is a related issue, and that is autonomy, and I will add that to my list here, and here I'm not thinking of, you know, the autonomous evil refrigerator which takes over the house and does other bad things.  I'm thinking here about the fact that these devices should work even if the Internet access is gone.  We hope not necessarily gone forever, but you want your house to continue to run even if the Internet connection happens to break.

And if you don't design it that way, there is quite a bit of damage that can be done to everybody's daily lives just by interfering with Internet access.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you.  I think we can open the floor now the Fatel is the first person in the queue.

>> AUDIENCE:  Thank you, Mr. Chairman.  Khalif Fatel, Chairman of the MIL group.  Before we started the session, Vint and I were having a chat and it was totally separate from the topic here and we were discussing how important it is to have critical thinking, especially with the young people so they are able to challenge.  So I'm not running for office, I'm not seeking self‑glory so allow me to challenge and try to walk the walk and talk the talk here.  Because some of the things we are trying to do, and I will bring in some of the pieces of what has been discussed so far, but at your opening remark, Olivier as Chairman of the session, we wanted to address what do we do with IoT?

Do with legislate or do we leave it open?  What do we do?  And I was finding it challenging to understand where we were going with that problem to solve by starting with what is known as core values.  So are the core values that we heard at the beginning axioms.  New technologies could answer me.  Are they axioms or aspirations?  So here is philosophical thinking, ladies and gentlemen, if we don't do that, guess what, we are becoming less and less relevant.

So if you tell me that there are axioms, I will tell you they are not axioms because it's one vision does not mean everybody shares that same vision, and it certainly is not one net.  It's a network of networks.  So if you want to call it a marketing exercise, I, you know, happy to accept it as a market exercise.  Secondly, one world, yes, it is one world.  So if you tell me this is aspirational, I'm happy to go by that, and then I will say how to make this aspiration a reality, then you have got me as a buy in.  But if you tell me it's an axiom, I will challenge you and defeat you in the debate and that's one.

Secondly, many of you who have been talking about IoTs may know this fact because I repeat this fact at every private briefing we do to boards and Governments and Vint will probably confirm it as well.  On average, every quarter more than a billion IoT devices are entering the Internet with little attention to patching or security.  Now, for those of you who are adhering to a philosophical position of laissez‑faire, no Government intervention, no legislation, wake up and smell the coffee, because to propose to educate the citizen and even giving him a driver's license on the Internet, guess what?  The world will get devastated before that plan could work.

So something has to happen before that.  So what is that?  So either we educate everybody and all of a sudden now every citizen is so informed and they know exactly how to buy this doll that talks to them and make sure that it's IoT device is not Snooping on them, in my book we are finding it inescapable that certain Governments will legislate.  So when we don't mention it, we sound as if, no, no, legislation is bad.  We all know legislation has unintended consequences, but then I weigh the risks versus the reward.

With a billion devices entering every quarter with little attention to security and patching, and the threat to society and waiting to educate the citizen who today has never had so much information at their fingertips ever in the history of civilization, yet they have never been yet so misinformed, ladies and gentlemen, and you want to tell me you are going to educate them?  I think you better find another job.  In conclusion, part of the point that I think Vint raised and I want to add on that because it's very relevant.  When we talked about shared responsibility, we need to add the word just like ten years ago, I used to challenge those at ICANN that it's not about serving the public interest, it's serving the global public interest and many of them used to raise an eyebrow at me.  Now, they are using it like it's the latest song by, I don't know who the latest pop singer.

So shared responsibility needs to have another term added to it.  It's proportional shared responsibility, ladies and gentlemen.  So the citizen, yes, the citizen needs to be better engaged and informed and within this Forum, within the IGF, I think we are in the perfect place to try and create better awareness, but better awareness does not mean that they are aware enough, but proportionate means that those who are in position of authority, who can legislate, we can help them do better legislation so at least we can save society as well.

So on that note, don't vote for me because I'm not running for office.  Thank you very much.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much, next is Alejandro Pisanty.

>> ALEJANDRO PISANTY:  Thank you, I will try to be brief because I have scheduled time so replying to only two interventions.  One of them is Jimson Olufuye, I think the proposal to take the governance to the IoT resonates strongly with the idea that the world can have one single Government and that the UN is that Government and that's just not the case.

The CSTV is uniquely placed to hold some discussions that are attractive to some Government officials in some countries who like to go to a single place, sing the point of contact, but definitely it doesn't exhaust the space and we have to get a lot more.  I think Matthew Shears' intervention basically does away with that proposal, sweeps is not under the rug but over the window and to Fatel, firstly the question whether these core values have been negotiated as aspirational, no sir, these are design principles of the Internet.  The Internet was designed in a sequential order where there is still maybe a bit of a question whether it's best effort or interoperability that is like the first principle you take into account, then you have openness and so forth.  They are hire arcically ordered.

Those that are not design principles by which you stick, but which are, for example, robustness or stability, these are not desires, these are design objectives.  These are design goals, and that's pretty objective.  And for your point on proportional responsibility for years we have been speaking about multi‑stakeholder governance in particular, and the design of multi‑stakeholder mechanisms.

This is to do away with multi‑stakeholderism, it would be an ideology or a religion where as multi‑stakeholder governance is a method.  It's a principle.  You can work on, and then what you see, of course, if you look at things like ICANN, you have a structured system because you have decisions that are binding that lead to contracts that may lead to gain or loss of money and you also have to have accountability, you have to have the opportunity to redress wrong decisions, so forth.  Whereas, on the other hand, you have the IGF which is very open for discussion based on two principles which are very clear, when is the principle of open discussion and the principle of non‑duplication.

The principle of non‑duplication el tells you whenever something is liable to go to VSTV, and if it's not enough you will do something else, if it's telecoms policy you will take it to the ITU or local or regional spectrum agency, but you can have this more open discussion and the only rule that applies is multi‑stakeholder balance participation.  So that problem has been solved for you mostly, and if you want to follow through to what a citizen do, you can still get it.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much, Alejandro Pisanty.  We will go from a question for a remote participant.

Go ahead and introduce yourself, you yes, you have the floor.

>> AUDIENCE:  Alian, I am not speaking on behalf of any entity.  Given that security is basically impossible it's basically a matter of time and resources to break the security of any device considering that nation state level tax on structure has occurred and will occur for instance stock net.  Should nations agree to not perform cyber attacks on nation's critical infrastructure by some sort of Convention or not?


>> VINT CERF:  It's an interesting formulation.  Let me take the last part first the Global Council on the stability of cyberspace proposed a norm related to the last point that you made, and that norm was that we would not, we would agree that as normative, that countries would not attack the core infrastructure of the Internet.  Of course, a norm is not a guarantee.  It's not a treaty.  It's not enforceable, but as a principle to the degree that we all believe that the Internet is a constructive and beneficial artifact, then agreeing not to wreck it is probably a useful thing to try.

With regard to nation state attacks against IoT devices they can, as you point out, be very, very sophisticated.  So an absolute guarantee or building security structures that will absolutely be proof against concerted attack is probably impossible and even if it were impossible it might be too expensive.  It might make devices unaffordable.  So the answer is twofold.  The first one is do the best you can, we are back to best efforts again.

And the second thing is some of the ways in which those devices are configured and structured might allow multiple defenses to protect those devices.  So rather than leaving the light bulb to defend itself against a nation state attack, it might be embedded in a system that also has additional protections beyond just that light bulb.  And so architecturally speaking we might want to build in multiple defenses or defense in depth which is a very popular construct in most security designs.

>> OLIVIER CRÉPIN-LEBLOND:  Thanks for this.  Of course, as we are having more and more devices that are IoT enabled, this is a growing, a growing concern obviously.  Let's have the question from the person on line and I will come over to you.

>> This is a question of Shivas Romanian to Vint Cerf.  Why do we have a class called IoT unless there is an architectural distinction on how devices connect and interface on the Internet?  Why not talk only of an Internet with no sub classes, and view the Internet as an Internet of people who also happen to connect their devices to their own access zone in.

>> VINT CERF:  That's an interesting way of phrasing the question.  The first observation I would make is that at least we can talk about engineering the devices.  It's really hard to engineer people.  So the behavior of the devices might be more in our, under our control than the behavior of people.  I will also point out that many of the problems we have on the Internet are the consequence of the behavior of people, and figuring out how to deal with that is not a question of engineering.

It's a question of behavioral psychology and sociology and incentives and all of those other things.  The reason we talk about IoT, I think, is it is the latest class of thing which has software in it that allows the device to be connected to the Internet and to interact with other things that are on the net.  But as most of you I hope will appreciate, the Internet Protocols were very carefully designed to make no distinction between devices on either end of an Internet exchange.

So a super computer on one end can talk to a light bulb on the other end and from the protocol point of view they are all equal in the eyes of the Internet architecture.  On the other hand we recognize that light bulbs and super computers have different capabilities and, therefore, could be used or abused in different ways and at different scales.  So I appreciate the, let's say the purity of looking at this without classification.  I think IoT is simply a convenient label for a collection of things that are now new on the net that weren't there before, appliances and things of that sort.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you, Vint.  Just a quick question, is the ability for the light bulb to speak to the super computer likely to be somehow less likely with 5G being another dimension that might break network neutrality as such?

>> VINT CERF:  Wow!  I have not heard a sentence with as many "Buzz" words as that for a while.

>> OLIVIER CRÉPIN-LEBLOND:  I thought about this one and I didn't include Blockchain or encryption.

>> VINT CERF:  And crypto currency and by the way, I want a pony.  So the answer, I think the answer is unknowable, and the reason for that is when we designed the Internet, we didn't know what the things that were on it were going to need to do.  So we wanted to make sure that anything could talk to anything else.  Many people will telling you that's a bad thing.  Some things shouldn't talk to either things, but we couldn't know that when we were doing the original design.  So it's very possible that a light bulb will turn out to be an important thing for a super computer to talk to, maybe to gather information that that light bulb has.

And I'm thinking ‑‑ I don't know what I'm thinking.  It could turn out to be that the light bulb is keeping track of how many times it's been turned on and turned off, what's the lifetime of that lit bulb, remaining lifetime Lukely on that device.  There is something else about the device that might be failing.  So you can imagine collecting data and crunching it in the super computer from a whole bunch of devices partly for purposes of trying to understand the ecosystem and how it's functioning.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you.  Next speaker, please.

>> AUDIENCE:  Thank you so much, my name is Amiel, I'm from the Danish Institute for Human Rights so this is not a Forum where a spend a lot of time at least in the past, but I'm very excited to be part of this these conversations because we are looking into particularly human rights impact assessment methodologies to what we are currently calling the digital business activities, which is a term that you can disagree with.

But anyway, I just wanted to highlight one point.  I don't know if it's a question or a comment depending on if anyone would want to take that up.  We talk a lot about, we talk about core values, and then we do mention society, but otherwise we mention a lot consumers and end users and so on, which I think is a little bit of a flawed term because there might be many people impacted by a certain IoT device that is not aizer or a consumer.  And I think terminology sometimes really matters, and I think it makes sense when we discuss core Internet values to actually think about just humans or whatever word you want to use, and not fall into the trap of thinking about it in the sense that I think particularly the private sector has wanted to deal with these issues that everyone is a user and a consumer, which is very positive framing for someone who is potentially impacted without having had any choice in that process.

So I will leave that comment right there and hope that some one of you take that up.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you for this.  Hisham.

>> AUDIENCE:  Thank you, my name is Hisham Azid.  I am speaking in this context for my own thing.  So I wanted to link this to what core values actually are, and among them in my mind is universality, safety and security, the do no harm principle, and also being it, the Internet being development oriented as well.  And for some part of this world and this big network of networks, we are still missing in the discussion a few of the perspectives from the Global South and we tend to think that most of the IoT deployments maybe will come first in well Developed Countries, but we, still the impact that will come from small networks and a few devices in the Global South will do or have the potential to do as much harm to the big network and to the core of the Internet as well.  And I hope that part of the discussion is not missing as we move forward.

And very quickly also I want to move to some part of the discussion that went around the table about the balance between the permissionless innovation and what could be done to ensure some principles of responsibility, I would say.

And I think, and I think in this context we need to see the full spectrum of what could be done.  It's not just as if we can even either have nothing at all, no standardization, no classification, no legislation, or we are just jumping into talking about legislations and treaties.  And I think there are plenty of solutions in this spectrum that we should look more seriously into.

This balance, I think, between different solutions is key to how we deal with this.  And I want just before closing this comment to go back to the principle of the information society and the Internet being development oriented.  For the developing world to make use of the IoT applications and devices and what have you for the purpose of SDGs, it will take them for the institutions of those countries, for the Governments, for the other actors in these countries to be able to test those deployments.  And without us giving it a good thought, I don't think we will help these countries actually achieve what they could achieve out of deploying IoT.

When we think about solutions, I think we still need to look at capabilities and institutional solutions that can work across the globe, and some of the solutions maybe we are still discussing today.  They still would give some fragmentation of a mass market that can happen.  Thank you, and I apologize if I went too long.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much, Hisham.  You mentioned the Global South and markets which have more price pressures than the markets in setsz say Western Europe.  We have had a discussion here about the potential for more Government intervention or testing of devices, et cetera.  How do you see this affecting the Global South, because everything has a cost?

>> AUDIENCE:  At the moment, I feel that there is still not enough incentive for the producers maybe and the manufacturers to still take an extra investment to do some verification on their side.  So it's left up though the user, sometimes up to the markets to decide for themselves, and we are asking too much of the user at this level, I think.  An avid user in an IoT environment and many are around the table would no know more about this would at least have 50 devices to deal with on a daily or weekly basis.

So if you are asking me to keep track and be informed on 50 devices from different manufacturers, this is impossible for me to do.  So what most people would do, and this would make very much sense in context of the survey made here in Germany, my colleague to the right mentioned, the customers would look in any country with a Global South or Global North would still look for someone to help them with this.  Sometimes it would be user associations in some context if they are strong enough and well resourced, but in other it would be Government institutions and even those Governments are still not equipped with the frameworks to do this.  So we still need to explore solutions around that, I think.

>> OLIVIER CRÉPIN-LEBLOND:  We are hearing quite a variety of views on this from stronger influence by Governments, less influence by Governments, stronger informing of users and, yes, let's continue this.

Let's have Jimson Olufuye is.

>> JIMSON OLUFUYE:  Thank you very much.  Well, we do generally accept that there is need for light regulation because if you do not have control of anything whatsoever, then that thing will self‑destruct.  So there has to be light regulation at the regional level, national level and local.  There is no doubt about the national and regional, but at a global level, you know, my friend Alejandro talked about the outcome of the CSTD Working Group reports.

Well, let's face it, one of the two outcomes or we can say one of the two major outcomes of the WSIS 2005 have been very, very impactful to global peace.  The IGF as a result of UN mechanism, right, and business is happy with it.  We are happy with it.  Now, the second line is enhanced cooperation.  Now, one way or the other, the basic reason for that enhanced cooperation has been satisfied.  It has to do with the critical information infrastructure.  Now, we are talking about bigger issues in terms of how to keep the space safe, okay, that actors who imbibe, if you can say civilized norms.  There should be a treaty or what have you.  It's going to be challenging to get to a treaty level, but nothing stops us.

That is my point.  From using that same framework, you know, that deliver this Internet Governance and also is there for solution to be arrived at.  I was a member of the CSTD Working Group on the Internet public policy matters.  And all stakeholders were in there, in the Working Group, and the discussion was frank.  At the first part, that is the first phase of the Working Group it was really rancorous because there wasn't a clear understanding, but at the second Working Group, there is more understanding of the issues.

And all of these we were discussing, we discussed all of them and I could say here we are just maybe one, 0.1% opposition to what has been generally accepted by every other member of the committee, of the Working Group, just 0.1 percent of members that had objected.  And that crashed the resolution.  So all of these norms that the high level panel came up, it has been incorporation at the top level.  We wanted mapping that justifies this has been happening and then the group commission commission said it has to be a multi‑stakeholder, a standing multi‑stakeholder engagement mechanism.  But that was the last recommendation that include all.  So we already have a framework.  So that is the point that is already there within the framework that brought out this idea.

It's already there.  We don't need to reinvent any of it.  Why business say we don't want to go to ITU is because we don't have opportunity to have for our voice to stand as like the voice of a state actor.  There is restriction in terms of treaty, the resolution or ratification of treaty, but with regard to the Working Group, there is equal participation at equal level, equal footing.  So I think we still need to look at that.

This is my objective resolution.  What we came up with from that, phase 2 of enhanced cooperation is exactly what the thing that the global commission on cyberspace and the high level panel.  That is exactly the same thing we came up with.  But the CSTD is already an existing framework that we could use.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Next we have Matthew Shears.

>> MATTHEW SHEARS:  I wanted to come back to the comments that were made because you made excellent comments and I want to start with the point that we have billions of devices coming to the market.  We don't have the luxury of time to point of finger at different stakeholders.  This is going to have to be a multi‑stakeholder approach.  And it doesn't necessarily in any way undermine permissionless innovation.  You have a whole layer of players that need to engage here, and in the earlier session we talked about the importance of, for example, labeling IoT he vises that go into the retail space.  When you think about CE marking that was introduced I can't remember how many days years ago but at that time that was a basic marking to ensure health and safety requirements were met.  At the time manufacturers weren't pleased because it required additional processes to go through, but at the end of the day it did help even in the minds of consumers for them to be able to identify what kind of products were certified and which had a role in the market.

So I think this is, this is for all layers from the user, we can't say that this is user centric Internet if we don't, if we don't assume as a user some certain level of responsibility.  But it's all layers, consumer groups through to Governments but I don't think we have the luxury of time to sit around and debate the merits of one or another.  It is going to have to be an approach that we take on.


>> AUDIENCE:  Yashi from Japan.  I have an observation that what we are discussing here is pretty similar to what we are starting to see in Japan because of global warming.  So what we are seeing in Japan right now is because of the change in the atmosphere.  We are seeing a lot of disasters, much more than before.  And we used to have a lot of ideas, especially on a national level, to prevent disasters.

So disaster prevention was one of the major issues for the country.  But now I think we are throwing away the idea of disaster prevention anymore because what we are seeing and starting to see is a way too big that there is no time, no money, no people to really design something or even build something to prevent anymore.

So we are now moving towards what we call disaster mitigation.  So we start to see if, okay, if some big thing comes in, let's forget this part, and unfortunately in the current storm we lost a small number of people, but if we try to prevent that, that was nearly impossible from a financial point of view and also from a time point of view.  So what we see here is explosion of devices and also explosion of connectivity, and then the permissionless innovation, which is kind of explosion of technology.  And there is no way that we can prevent problems.

It's impossible.  Of course, in the past, it was possible because the economy was not going so fast, the technology was not changing so fast, so these classification, like these mechanisms, certification, they, I think, mostly worked, but I think we are now at the stage where we need to start trying to mitigate the troubles, and then introduce old mechanisms like certification or whatever that we can mitigate the challenges or the problems to make it under our control and then to, how to say, to enjoy the benefit of these devices and technology, so on.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you for these suggestions.  Let's have, is it two hands, okay, I'm sorry, go ahead.  It's the two finger hand.

>> AUDIENCE:  I would like to, Jimson Olufuye and several of the other interventiones in a program speech.

>> OLIVIER CRÉPIN-LEBLOND:  Etc. go to Vint Cerf because I know you have to leave very soon.

>> VINT CERF:  I do, thank you, Mr. Chairman.

The certification idea I think has a lot of value to it, although the question of how you test, I was trying to figure out what the signal meant.  The question of what test you do in order to certify something is quite tricky, especially a lot of it is software starting to be assured or reassured that the software is good.  One area of importance there would be open sources and open, you know, the libraries, GitHub and things like that.  There is a big issue there because you put all of the software, again, make it available.  Everybody thinks because it's open source all of the bugs will have been found and the answer is, nobody looked because they thought somebody else did.

So we have to be really thoughtful about how to do the certification.  It brings me to the second point, which has to do with informed responsibility.  It's hard to take responsibility for something if you aren't adequately informed.  So we owe it to those who must make decisions, whether it's consumers or manufacturers or legislators, that they have the information they need in order to make are sensible decisions.

I will have to run away, Mr. Chairman, but thank you so much for allowing me to participate.  This is an important topic.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much for joining us.  So Hya Fatel.

>> AUDIENCE:  I will be brief, in fact, I'm glad that some of my friends here did pick up the conflict and responded.  I have a couple of comments.  There are certain elements in the core values that have been, and I'm glad that they responded.  Certain elements in what is known, what has been described in the presentation as core values that can be treated as actions, others that cannot, that are not actions with all due respect.  Let's just be clear here, for example, openness.  We have the gentleman here who helped structure the infrastructure of the Internet, openness is at the core.  It's a core value.  So that's an axiom which means we don't need to debate this, but where we start talking about permissionless, please define that?  You want to tell me that's a core value, let's have another debate on this.

>> VINT CERF:  They don't have to ask you for permission.  That's what that means.

>> AUDIENCE:  Precisely.  The point is we have to define it to those who are not sitting listening to us talking about multi‑stakeholderism, because the truth of the matter here is if we want to win the debate for those who are not in this parish, the multi‑stakeholder parish that we all belong to, we cannot lecture it to them from a pure I tan point of view.  And the point is valid but I was very conscientious in the statement not once did you mention that legislation by Governments is also one of those actions, and if we don't make that as part of the spectrum of what is actionable, then we are missing the boat of how the speed is so dangerous, the speed of this deployment is so dangerous to society.

And last but not least, certification, voluntary certification or regulated certification.  See, these are part of the issues of how we make ourselves relevant when Governments ask us what do we do, especially those who are not subscribers to the multi‑stakeholder model, which if I remember, is still an experiment and what I would call still in beta, so it's still in beta.  Let's make it work well so people adopt it.

>> OLIVIER CRÉPIN-LEBLOND:  One more intervention from the gentleman in the back and then we will go over to 6/F framework.

>> AUDIENCE:  Thank you very much, for the record, this is Mohamoud Iwan President of Internet Society Accessibility Special Interest Group, also I am a member of Dynamic Coalition on Accessibility and Disability.

I would like to highlight here or draw the attention of the house while we are discussing the core values of the Internet, stability, resilience, all of that is good stuff, and openness too.  We have talked a lot about this in this session, but accessibility on the Internet is the core value.  And I would like to draw attention towards the publish which is about different statistic.  It varies so percent to 15 percent of Persons with Disabilities so while we are discussing core values, Internet may be reachable to them, device may be in their hands, but it is still possible that they may not be able to use that device as effectively as it were in some else's hand.

So we need to make it, make it somewhat possible that devices, be it IoT or Internet or the computers or softwares or hardwares, to follow a Universal Design so that everyone can use those devices.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much.  That's a key point, actually.  I have heard it repeated in other forera, but it's particularly important, especially for IoT devices now that they are about to permeate so many parts of our society, so the software of these devices, et cetera.

We need to go to Alejandro Pisanty for the 6/F framework that he is going to present to us because that links in with the discussions we have had so far.  Let's have the presentation, please, Alejandro Pisanty, you have the floor.

>> ALEJANDRO PISANTY:  Thank you for giving me the floor.  Thank you, Maarten Botterman and others for bringing this presentation.  What I will present you is a framework I'm bringing forward so you can challenge it.  It's maybe not complete or relevant enough and it would be by this interaction that it will be made better.  It is meant to help us analyze things we see on the Internet or cyberspace in terms of things we know.  This doesn't mean that there is nothing new under the sun.

Lots of things change when we go to cyberspace, but we look at several different types of conduct from the positive likeable ones like sharing to the ones like crime online.  We often find that the people who are performing it or the human, the agents of human beings, like even software are actually performing an action.  We hear people say things like they will never stop liking the smell of paper, but they will want the PDF immediately.  We here about the originality of cybercrime.  We build with Internet designs and goals and we have a clear description.  There is a difference from what you saw on the screen, because it has put a set of non‑core Internet values in the list which are societal values are are not design principles of the Internet, and that's where we depart.

So these are the ordered hierarchically for which you arrive at permissionless innovation.  It's a very precise term that will tend to mean you don't have to ask permission to the Internet for doing something.  There is no manager, no manager of the Internet.  There is no broadcaster or communications company that tells you whether you can put in a video link.  It doesn't mean you are acting without any permission or without any rule of law.

Everything that's done on the Internet is done by someone somewhere.  And this person may be violating the country's Constitution, may be violating city or state regulations, he may be violating condominium arrangements, so this is not permissionless in that sense.  This is not far west.  This is not a space without law or as Governments like to say a noun governance space.

I go likely to the framework.  The purpose of the framework is to understand conduct that we see on line or to map it vice versa.  The method we use very often is when people are mired in discussions is to remove the Internet from the problem.

Let's say people are discussing fishing and we tell them, you know, fishing, we have seen fishing, we have seen people stripped of credentials for access to their money in physical spaces.  Just two weeks ago a woman in Mexico, I mean, I know her because her son works in the same place I do, he tells me she was a victim of the following attack.  A person came to her office, a guy came to her office with a piece of paper and clipboard that had the logo types and told her we are working for the security of the banks and we need to renew the credentials of people.  It was done by hand and she actually hand signed with a pen in ink.

The same thing you will do on phishing.  So what's the difference between doing that face to face and doing that on the Internet?  Number one, the thing that changes is that you have a mass scaling.  You have network effects, but mostly you have mass effect effects so this criminal could only address 50 persons, 50 older people during the day, whereas on the Internet he can address 50 million with a single click.

>> The second is the identity and anonymity management of the Internet.  This person has to come to the office, has to come to a place where there is maybe a camera or video surveillance.  He is sort of showing identity which is much easier to hide on the Internet because the Internet has no intrinsic architectural requirements.  There is no requirements, in the principles, there is no requirements for identification or authentication.  This anonymity and factors are good or bad.  We know that anonymity is good as a Lebanese engineer said in the previous IGF our core values she needs anonymity on the net because if women in their place look at their own bodies and ask questions about the reproductive or physiological behavior, their brothers may find they are having impure thoughts by thinking about their bodies, and may actually stone them to death and I am not in any particular religion.  This can happen in counties and small towns in my country of Mexico.

So anonymity can play this positive effect.  Next thing you see is transjurisdictional effects.  Phishing works well because there is crosses, are it crosses country boundaries, so the victim is one country.  The criminal is another and maybe the funds transfers take place to bank in the third country, and the main website hosting and so forth will go across boarders.

>> So this makes very difficult to attribute the attack and even if you can be sure who is a criminal, because you have police intelligence, you will not be able to act through the law because there are too many countries that will not contribute to your persecution.  They will not give you the evidence of what the IP address was used, who it was handed to, so forth.

Then you have higher level effects.  One is barrier lowering, you have lowering of the barrier of economic access to the market, you have lowered barrier to form a grouping so you can have Wikipedia organized without having the big established company of the encyclopedia Britannica.  You can have a criminal gang forms, E‑commerce, all has much lower barrier than physical space.

You have friction reduction, this is prediction of the number of operations or energy spent in doing one.  That leads you to one click shopping in electronic commerce stores.  It also makes work of criminals easy in the case of phishing again.  You see this red thing that says change your credentials immediately because you are going to lose your money forever, and you actually click on it instead of asking, introducing some friction here would be good, because it would give you time to think before you actually relinquish your funds.

And it comes with memory and forgetting.  Wikipedia is how we easily increase memory for human kind.  We are actually creating a store of knowledge that's distributed and so forth so it's much more robust with phishing for or crime they actually use a storage of information in order to obtain data that can help committing crimes.  So this is mostly what the framework is about.  Example as I mentioned Wikipedia, you can briefly see how every one of these factors makes Wikipedia better than enencyclopedia.

It scales with both readers and authors.  Can anonymously post things that are forbidden.  You need to do some ‑‑ it works for jurisdiction, it works across borders so if it's forbidden in one country to write or read about something, it is made somewhere else so no one will go to jail.  So I would like to submit this to your attention and comment.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much, Alejandro and thanks for being quick on this.  There is a question online so he we will start with a question online and we will have any questions from the floor.

>> It's again Ruth the Internet is global open distributed from end to end, robust reliable ecosystem of permissionless innovation, of these values, which ones do you refer to as non‑core value?S.

>> AUDIENCE:  Alejandro.

>> ALEJANDRO PISANTY:  That requires a more extensive reply and I will do that in writing.

>> AUDIENCE:  Next question, Maarten Botterman.

>> MAARTEN BOTTERMAN:  Just being aware of the time is gone, but I'm very happy that you were able to and willing though excel dual those six points Alejandro.  These are subjects you cannot answer from a single country or a single sector perspective.  It requires reflection and it touches upon the core.  So looking forward very much to progress.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you.  Anyone else?  I think that really ties in with the, with, you know, we have another three minutes remaining to the session, but it's a good thing to work on as maybe one of the next steps, certainly the framework that you are proposing here.  Alejandro, you might have a few things to add?

>> ALEJANDRO PISANTY:  As long as we have a minute or two left I would like to address James concerns with this framework.  As you can see, as we address CSTD, if we think CSTD will do some work on IoT, we can ask whether it will perform any, in front of any of these six factors.  It will particularly not scale well, because it's a country by country and a single agreement and it will be slow to get a treaty.  And the effectiveness of the treaty doesn't scale with the Internet.

Again, it's nice from a cross jurisdictional point of view, but it's still assumes too much about identity management, for example, which doesn't work.  I mean, if you have a CSTD agreement on IoT, it will assume that you can trace people who are producing software, who are producing hardware or who are using it or abusing it, and it will crash against the identification factor.

So I mean, if you want something that formally says that the proposal of having the CSTD govern IoT by treaty, if you want a way to destroy, let's say, not to destroy that, but to prove that it won't work, you have these six factors, and it doesn't work with almost any of them.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  Next is Peter major.

>> AUDIENCE:  Thank you, Alejandro.  Well, let me put it clearly.  CSTD doesn't create treaties, it doesn't give any form of binding Conventions.  What we have been talking about was multi‑stakeholder Working Group on equal footing giving recommendations.  One of the reasons we are here was one of the Working Groups we have been working with to is the improvement to the IGF, and it has been mentioned in the UNGA resolution that the extension of the mandate of the IGF was partially based on that.  So that's why we are here and we can discuss things.

Now, what I heard from Jimson was a proposal to bring in to neutral body all of the ideas in the multi‑stakeholder environment and come up with some recommendations and that's basically what CSTD proved to be able to do, so this is one of the good ways forward and probably you may agree on that.

>> ALEJANDRO PISANTY:  What I heard in Jim's presentation was repeatedly the word treaty and governing structure.  A Forum, I have no problem with this.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you, Peter.

>> JIMSON OLUFUYE:  Actually that is it, a Forum where you could discuss issues.  It is mentioned that the Working Group on improvement to figure, the recommendation of the Working Group pass through the CSTD structure to the UNGA, and that led to the extension of the IGF where we are sitting here today.

So the recommendation of that group, Working Group once everybody agrees because the private sector is there, civil society, academia, on equal footing, our recommendation then goes into that structure since we already agree.  It's whatever we agree that is passed down.  That is how it works.

If we do not agree, it's not going anywhere, but I just heard you the first part we had about 50% disagree, two sides about what to do.  The second phase we were just less than 0.1%.  So there is an improvement, but that is an existing structural framework that has worked before that we can use.  Thank you.

>> OLIVIER CRÉPIN-LEBLOND:  I have a reds light that has been flashing two minutes which means we are out of time.  I'm a bit scared of reds lights.  Shane, any last closing words from your side? 

>> SHANE TEWS:  Just to thank you for putting the whole IoT discussion at a different light.  I think it really was an elegant way to have a longer discussion about both issues and put it in good perspective so I appreciate your time towards this.

>> OLIVIER CRÉPIN-LEBLOND:  Thank you very much and thanks to our panelists and everyone who has contributed today, and I hope that you can continue at the time work by joining both coalitions the DC IoT and the DC encore Internet values.  Thank you so much and have a good morning, evening, afternoon or night, wherever you are but lunch probably here in Berlin.  Thank you.