IGF 2020 WS #141 How public and government can trust cloud & online services

Thematic Track

Organizer 1: Mieke van Ulden, Online Trust Coalition
Organizer 2: Jelle Attema, ECP | Platform voor de InformatieSamenleving

Speaker 1: Irene Vettewinkel, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Juliette van Balen, Technical Community, Western European and Others Group (WEOG)
Speaker 3: Liesbeth Holterman, Technical Community, Western European and Others Group (WEOG)
Speaker 4: Bianca Smit, Private Sector, Western European and Others Group (WEOG)
Speaker 5: Jolien van Zetten, Civil Society, Western European and Others Group (WEOG)

Moderator

Mieke van Ulden, Civil Society, Western European and Others Group (WEOG)

Online Moderator

Mieke van Ulden, Civil Society, Western European and Others Group (WEOG)

Rapporteur

Jelle Attema, Civil Society, Western European and Others Group (WEOG)

Format

Break-out Group Discussions - Round Tables - 90 Min

Policy Question(s)

The policy question addressed in our workshop is how to demonstrate compliance of online services and cloud with the policies and norms required by different governments, authorities, domains and uses, and how to demonstrate to end-users (SMEs or consumers), in a user-friendly and accessible way, that an online service is reliable and that the users of these services are compliant with regulations when using such an online service or cloud.

In these round tables we want to explore three challenges:

1. On the demand side: create an accessible, affordable and user-friendly way to obtain certainty about the reliability and legal compliance of online services and cloud, so that it is easier for SMEs and end-users to decide on using such a service. Small customers do not have the knowledge and means to check the reliability and compliance of online service providers and cloud providers, so they have to jump on the train, hoping that it is safe and reliable. It took the Dutch government three years to find out this year that the online services of an international tech company were reliable and compliant with regulations, despite all the certificates the company could provide. Most companies, especially smaller ones, do not have the resources to do such in-depth research.

2. On the supply side: create a level playing field for small and big tech companies when demonstrating reliability and compliance. Startups and SMEs offering online services and cloud on a national level often have to prove their reliability and compliance to every larger customer and to a number of supervisory authorities (cybersecurity, reliability, tax authorities, and sectoral authorities as in health care and other vital domains). Large companies, however, provide services 'as is', and the user of these services is supposed to know about their reliability and compliance.

3. Supervising authorities should ask providers of services to demonstrate the compliance and reliability of their services. At present, supervising authorities have a tendency to introduce their own schemes and systems for accreditation and certification. This makes it very difficult for (smaller and larger) providers to offer cloud and online services to other countries, other domains or other uses.

SDGs

GOAL 3: Good Health and Well-Being
GOAL 4: Quality Education
GOAL 7: Affordable and Clean Energy
GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 11: Sustainable Cities and Communities
GOAL 13: Climate Action

Description:

We would like to organize four round tables in parallel, in which we discuss with participants a real-life case that illustrates how essential, and at this moment how difficult, it is to find out about the reliability and compliance of an online service when you are an end-user, an SME that wants to use online services, or a supervisory authority supervising online and cloud services. The round tables are chaired by women working in high-level positions in organisations that are stakeholders in this problem.

Users of these services (SMEs as well as private users and consumers) want to know for sure that an online service is reliable and that, by using these services, they do not violate legal obligations. Often they do not have the knowledge, means and power to interpret the meaning of certificates and standards in relation to their concerns and questions.

Providers of these services want to demonstrate the reliability and compliance of their services to their customers and supervising authorities: nowadays they have to demonstrate to almost every big customer, authority, country or sector, each in a different way, that they are reliable and comply with legal obligations.

Supervisory authorities, whether responsible for cybersecurity, privacy or continuity of cloud services or relying on the data out of these services (for example inland revenue and taxes, healthcare, energy, mobility or other data), want certainty about compliance.

Trusted third parties like auditors and security experts can give assurance to all stakeholders about the reliability and compliance of a service, but present frameworks for certification and legal obligations mean that new certifications are required for each stakeholder, each authority and often for different domains and uses, most of the time asking roughly the same questions and requiring the same evidence.

The round tables are introduced, chaired and facilitated by women holding a leading position in organisations representing the central stakeholders in this field of trust in online and cloud services in the Netherlands: users, SMEs using and offering services, professional bodies providing assurance, and supervisory authorities. The aim of the workshop is to receive feedback from other countries and continents on how the trust problem is perceived, how it is analyzed and which solutions are being considered. The facilitators of the round tables participate in the Online Trust Coalition (OTC) in the Netherlands to solve the trust problem, using the existing international frameworks for assurance and certification. The OTC has presented a Manifest and a White Paper to outline the problems and suggest possible solutions. The representatives of the OTC would like to discuss the problems and the possible solutions identified by the OTC. The aim of the OTC is to put the problem of trust in online services and cloud on the agenda of all stakeholders and to work on an internationally accepted solution that makes use of the existing frameworks for certification.

Expected Outcomes

The organizers, all members of the Dutch Online Trust Coalition, hope that the problem of finding out the reliability and compliance of online services and cloud, and the impact of this problem on level playing field, administrative burden, innovation and access to online services, will be internationally recognized. Secondly, we hope that international stakeholders recognize that international harmonization of the way providers of online services and cloud can demonstrate reliability and compliance is good for government (the effectiveness of supervisory authorities), economy (innovation, level playing field, easy access to services) and society (trust). Feedback from participants will help the members of the coalition to get (more) support to address and solve the problem of trust in online services within Europe and in other continents: online services and cloud are borderless.

First of all, we have a real-life case that demonstrates the (international) dilemmas, limitations and issues with trust in online services and cloud. Using this case, we want to discuss to what extent the problem and issues are recognized in other countries and continents. We would like to get feedback on the extent to which harmonisation can contribute to a solution. To facilitate discussion and feedback, we will use voting tools like Mentimeter and chat to give participants the opportunity to provide detailed feedback. It is very difficult in discussion to get all viewpoints clear: we will use chat to let participants share their views and refer to information about their viewpoints. The different tables are chaired and moderated by speakers working for an important stakeholder in this domain. Each of the speakers is committed to the Online Trust Coalition and personally very much interested in discussing and analysing with participants different perspectives on the problem: online services and cloud do not stop at borders. Each of the speakers brings in professional expertise.

Relevance to Internet Governance: These round tables will show that harmonization of the way providers of online services and cloud demonstrate that a service is reliable and compliant with law will help governments (effectiveness of supervisory authorities), the private sector (level playing field, innovation, easy access) and society (trust). Solutions to all large challenges of our society (mobility, climate, energy, health, education) and all important technological developments (for example Artificial Intelligence, Internet of Things, data-driven developments, quantum) make heavy use of the internet and are facilitated by online services and cloud. Trust in, and easy access to, reliable and compliant online services is therefore crucial for addressing these challenges and for societies to profit from these technological developments. Decision-making procedures, .. norms and rules, parties being better able to trust and support each other & to supervise this, reducing administrative burdens and stimulating innovation.

Relevance to Theme: The session is framed as "Cybersecurity policy, standards and addresses", but the issue it addresses is broader than that: it addresses the question of how a provider of an online service can demonstrate to end-users and SMEs and to the supervisory authorities that an online service is reliable and compliant. Nowadays it requires much expertise to find out what standards and norms mean for the reliability and compliance of an online service. However, we have no agreement on how a provider of an online service can provide such certainty to a stakeholder (be it the end-user, an SME using a service or a supervisory authority). Norms for cybersecurity, information security, privacy, continuity and others of course play a crucial role when demonstrating reliability. Just knowing that the parts of a car or household appliance comply with international standards does not make a car or appliance suitable for the purpose you have with it. Determining how all these standards add up to reliability of a specific service used for a specific purpose is the challenge we try to explore and address in this round table and with our Online Trust Coalition.

Online Participation

 

Usage of IGF Official Tool. Additional Tools proposed: Brainstorm: (moderated) chat function of the online participation platform; voting/prioritizing issues (Mentimeter or equivalent of the online participation platform); Discussion (for example as facilitated by LinkedIn, but preferably using the online participation platform); Collecting background information: chat-like functionality, preferably provided by the online participation platform.