IGF 2019 Reports
1. Protection and the commercial use of personal information.
2. AI and the protection of personal information.
3. The international rule of personal data protection.
There was broad support for the view that legislation is an efficient way to enforce the online protection for personal information. Speakers from Germany and China introduced legislation and shared experience about the online protection of personal information.
Some participates introduced the draft of the Personality Rights Section of the Civil Code of China, suggesting to distinguish between privacy and personal information and maintain the openness of personality right system, including the openness of privacy and personal information. Some compared the legal definition of data in different countries. Some proposed that there are three general principles of commercial use of data:principle of user consent and transparency, principle of data security, principle of creating commercial interests and values.
Participators agreed that GDPR is an important step forward in protecting privacy rights not only in Europe but also around the world, and GDPR compliance matters. Some participators emphasized the importance of managing user’s data in accordance with the law of the land. Some discussed the Data Subject Rights according to GDPR, including the right to know what data is being collected, the right to correct the data, the right to delete the data and the right to take it somewhere else. Some believed that the key requirement of GDPR for companies includes three aspects: the duty to inform data subject, the duty to remove data and the duty of data breach notification. Some argued that it is necessary to extend the rights that are at the heart of GDPR to all of customers worldwide.
Openness of the personality interest system is essential for the new era protection of information; only the multiple measures of regulation could solve new problems.
Presenters suggested that the law, or the new regulations, should promote the openness of the personality interests system. From the perspective of historical development, the type and specific content of personality rights have gradually enriched with the economic and social development and have been confirmed by law. Modern society has entered an era of Internet and big data, and the development of science and technology is changing with each passing day. This has also led to the emergence of many new types of personalities which should be protected by law. Presenters recommended that the definition of privacy and the scope of protection of personal information needs to evolve from a purely static model to a dynamically determined model to cope with the new problems that may arise in the future with new developments in technology or its application. It was recommended that the government should cooperate with the business companies to protect the rights of personal information, and ensure that legal rules related to online protection of personal information are effectively observed and enforced.
Presenters from two companies shared their successful experience with regard to data protection. Below is the summary of their practice:
1) Six key privacy principles:
- Control: To put users in control of their privacy with easy-to-use tools and clear choices.
- Transparency: To be transparent about data collection and use so users can make informed decisions.
- Security: To protect the data through strong security and encryption.
- Strong legal protections: To respect users’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- No content-based targeting: Not using users’ email, chat, files or other personal content to target ads to them.
- Benefits to you: When collecting data, Microsoft will use it to benefit the users and to make their experiences better.
2) Improve from three aspects:
In technology aspect, complete technical tools and privacy protection specialization, such as pseudonymization, data access permission system, data secure risk monitoring system, finding sensitive data, data leak-proof, data encryption etc.
In regulations aspect, build a data sorting and classifying system, and set up rules of data security management process.
In management aspect, set access control mechanism, making sure that only authorized staff could reach client’s personal information.
To strengthen the online protection of personal information, the presenters had shared their experiences and pointed out that we are facing an updated version of cyberspace and it is necessary for all stakeholders to work together. In the new era protection of information, there are four main changes as to the cyberspace. First is the fast development of cyberspace itself, i.e., integrating internet, mobile networks, IoT, block chains, big data, AI and etc. The others are the integration of cyberspace and real space, the increasing popularity of artificial intelligence algorithms, and the digitalization of social economy, people's behavior and everything. To deal with these changes, personal information protection has to be promoted through the mix of multiple regulatory modalities including norms, market, law, policy, technology and etc.
There were around 60 participants attended this forum in Convention Hall I-C in person and 95 paricipants online. There were nearly 30 women present this forum onsite.
There were no gender issues for this forum.
Many indicated that there should be more efforts and more thoughts on how to develop better transparency and accountability mechanism for AI policy. It was noted that it is not new that policy runs behind technology and that a human rights-based approach and an ethical framework was needed. It was a consensus that there is a gap between technology and policy, with surveillance being a key concern. The global digital divide was also highlighted, particularly with concerns on data sovereignty and network sovereignty which is especially important for African economies where there is no national capacity to hold data or to regulate. Many raised the issue of the concerns for the relationship between technology and elections and the urgency to develop policy to protect democratic elections.
- What role can different stakeholders play in cybersecurity capacity building? Resource challenges and what can be done to address the challenges?
- What are the needs and requirements in achieving a multi-stakeholder initiative in Cybersecurity?
- How can Governments use emerging technology in addressing issues of trust, privacy and data protection?
- What is the role of national CSIRTs/CERTs in enhancing cyber resilience?
There was broad support for inclusive and multistakeholder approaches to cybersecurity strategies. Cybersecurity challenges are broad and interrelated but there is still scarce examples of implementing the model maturity model of cybersecurity.
Many indicated that there is need for clear programmes and approaches to assist with practical implementation of cyber security. There was alot of support for cybersecurity collaboration and capacity building and capacity sharing.
In the Latin America there is a wide engagements of public safety through public and internet actors through technical cooperation and CSIRT building. There is need to work more cohesive with law enforcement and support police investigation and prosecution of cyber crime.
Capacity building of law enforcement to collect and present evidence (data involved),
Raising awareness raising of users on the threats in cybersecurity and have reporting mechanism for cyber crime among users.
Awareness raising of users especially in rural areas on online safety is crucial and civil society has a concrete role in implementing cybersecurty
strategies.
Strengthen cybersecurity for elections.
Efforts of the Commonwealth Secretariat in implementation of the Commonwealth Cyber declaration os 2018. There are four broad programmmes in this relation which are:
- Africa focused on Gambia, Kenya and Namibia conducting cyber capabity and cyber resilience to identify key areas for legislative focus
- Carribean focused to build capacity of judges, prosecutors on electronic evidence
- A programme to strengthen cyber security internationally for Commonwealth countries.There are barriers in moving electronic evidence across borders
- Strengthening cybersecurity in elections by working with country partners to develop guides.
Cybersecurity actors and local communities can work together to build effective strategies.
Countries should share the cybersecurity challenges in order for them to be addressed.
Having a reporting mechanism for cybersecurity can assist in tracking progress and a sustanable model for capacity building in cyber security.
Around 100 participants onsite.
More than a third of the participants were women.Ge
Gender issues were discussed in relation to awareness on cyber threats and capacity building to users on skills gaps where more women than men lack the cyber security skills.
- There is need for increased capacity building of law enforcement to collect and present digital evidence (data involved),
- Raising awareness of users especially in rural areas on online safety is crucial and civil society has a concrete role in implementing cybersecurty strategies.
- Countries should strengthen cybersecurity for elections programmes
- Cybersecurity actors and local communities can work together to build effective strategies and share the cybersecurity challenges in order for them to be addressed.
- Having a reporting mechanism for cybersecurity can assist in tracking progress and a sustainable model for capacity building in cyber security.
- There is broad support for inclusive and multistakeholder approaches to cybersecurity strategies. Cybersecurity challenges are broad and interrelated but there are still scarce examples of implementing the model maturity model of cybersecurity.
- There is need for clear programmes and approaches to assist with practical implementation of cyber security. There is a lot of support for cybersecurity collaboration and capacity building and capacity sharing.
- In the Latin America there is a wide engagement of public safety through public and internet actors through technical cooperation and CSIRT building.
- There is need to work more cohesive with law enforcement and support police investigation and prosecution of cyber crime.
Towards a Human Rights-Centered Cybersecurity Training
1. How can we create cybersecurity trainings that aim to save communities where principles of human-rights based cybersecurity fail?
2. How can we properly ensure that programs that build cybersecurity capacity are actually human-rights based?
3. How can these rights be operationalized in capacity-building programs for vulnerable groups through cybersecurity trainings?
There was broad support for the idea that we need capacity-building efforts to make individuals more secure and able to protect and demand right to privacy and freedom of expression. This is especially the case as more states see cybersecurity as a national-level goal, and often neglect or even violate individuals' rights in the name of national security.
Many supported the idea that when it comes to cybersecurity trainings and NGO activity on the ground in the Global South, there needs to be better priority-matching while carrying out initiatives, in other words, making sure that what the organization on the ground (who may be benefitting from cybersecurity trainings) actually needs what the organization trying to build capacity is offering to do.
Many also supported the need for a better handshake between the technology found as a solution with the characteristics that are trying to be solved within the organization on the ground. This means understanding exactly what problems an organization may be faced with and finding technologies that offer those exact problems well, rather than just always adopting new technologies and new "solutions" that may, actually, not be the needed or wanted solutions.
There were many proposed suggestions for the way forward. These mainly dealth with better informing civil society actors of their IT security needs and weaknesses. Often times, the technologies on the ground may be secure, but the people using them may not be, and simply behavior can be a huge security risk. To solve this, conducting human-rights centered cybersecurity trainings with civil society actors should include:
- threat modeling; adversary modeling; device security; compartmentalization and access control within an org.; project management and ample documentation; trainings for software use; 2nd level of security; common understanding of cultural differences that may plague cyber hygiene; etc.
Another issue that was brought up that is not covered by better/more cybersecurity trainings is the burden licesning fees may be on small civil society actors. Often times, pirated or free online software is used by an organization, simply because the licesning fees are too great. This, however, means that more organizations use less secure devices. More could be done to help organizations with licensing fees or secure devices, so that they are better equipped to protect right to privacy, freedom of expression, and other rights.
Progress may be made on the issue by building capacity within civil society organizations who are crucial for the well-being of society as a whole but often given less weight in terms of IT security. This needs to change. Small teams need to be able to protect their fundamental rights and have access to secure IT infrastructure.
onsite: 60, maybe 25 of those were women.
The session was had no specific gender dimension.
Online Protection of Underage Users
1. What are the problems and challenges of online protection of underage users?
2. Sharing the experiences and practices of online protection of underage users.
3. How to use the laws and policies to strengthen the online protection of underage users?
The Internet is changing the production and life of human beings, and driving social and economic development.With the increased access to the internet, social media platforms and online games children are encountering new forms of risks from violence and abuse.
There was broad support for the view that legislation is an efficient way to enforce the online protection for the underage users. Speakers from Germany and China introduced their domestic legislation and practical achievements of the online protection of underage users. Some proposed that online protection of underage users should include two sides, one is to control the negative impacts, and the other is to promote positive guidance. Some hold the opinion that there are some common problems in children's information protection, such as reducing the experience of children’s online services, constituting reverse discrimination against children's users and so on. Some raised up that purely online solutions won’t be effective to keep children save from online violence. We also have to pay attention to offline causes of violence and develop measures that address children's life circumstances, context, availability of support networks and broader family and child support. Both the presenters and participates agreed that an integrated child protection system can be achieved only through the cooperation of all stakeholders.
Social-cultural recommendations: 1) Greater evidence and understanding is needed of the interplay between offline and online violence and its causes and how the multi-stakeholder approach that includes governments, the private sectors, families and children can effectively prevent violence and protect children from harm. This includes both education and awareness raising but also recovery and support services that take into account both online and offline risks; 2) Internet has no boundaries, online protection of underage users is a common issue all around the world, to prevent and respond to violence and abuse of online underage users needs jointly efforts from stakeholders of the whole world; 3) Online protection of underage users should include two sides, one is to control the negative impacts, and another is to promote positive guidance.
Governance issues recommendations: 1) Monitor the applications of the legislation related to online protection of underage users in cyberspace and confirm the age ratings; 2) Consider different opinions regarding the potential effects of technology on children’s growth and development.
The presenters discussed the common problems in children's information protection system in different countries and suggested that we could address more attention to the following issues: 1) reducing the experience of children’s online services and constituting reverse discrimination against children's users; 2) high social cost of identifying children's age and obtaining guardian's consent; 3) the sharing of platform responsibility and guardian responsibility.
Two presenters introduced the Regulation on the Protection of Children's Personal Information Online, which was the first legislation in China specifically aim at children's online protection. The law sets out strict requirements for network operators that collect, store, use, transfer, or discloses the personal information of minors under 14 years old.
A professor from University of Münster introduced The Three-Level Protection System of Minors in German Media Law: 1) absolutely illegal contents–particularly dangerous contents; 2) prohibited contents – seriously harmful contents; and 3) contents detrimental to the development of minors.
To strengthen the online protection of underage users, the presenters had shared their experiences and pointed out that the rapid development of the Internet provides infinite possibilities for the growth of underage users, while the protection of underage users in cyberspace is still not enough. Some contents in cyberspace have a fierce conflict with many traditional educational concepts, especially some traditional educational principles and concepts in both China and many other countries in the East. It is still necessary to strengthen the control and guidance of access sites and equipment to control the negative impacts and promote positive guidance.
There were around 100 participants attended this forum in Convention Hall I-C in person.
There were 97 online participants.
There were nearly 50 women present this forum onsite.
There was no gender issue discussed in this forum.
Outputs of IGF 2019 OF #14 Online Protection of Underage Users: https://www.intgovforum.org/content/igf-2019-of-14-online-protection-of-underage-users
The UNGGE cyber norms have been designed with international peace and security in mind - specifically, with providing the kind of predictability that helps states avoid an unintended escalation of tension into dangerous kinetic conflict. As such, they have been written in rather abstract terms using open, flexible language.
However, with the growing emphasis on implementation of the proposed norms, this diplomatic process now comes into conversation (or collision) with the pragmatic reality of how security practitioners work on the ‘front line’ when they collaborate to respond to cyber incidents. Here, we find a preference for much more specificity and clarity.
This workshop brought out the (sometimes conflicting) views on the operationalisation of cyber norms. We asked how the proposed norms could be mapped onto the incidents. Did the norms have a positive impact on incident response in these scenarios? Did they have negative (unintended) consequences? Were they relevant?
There was broad agreement that the UNGGE Norm 8/H is important - [...states should respond to requests for assistance…]. However, there were several interventions that raised questions about who exactly would issue and respond to such a request. In many instances, the technical community pointed out, these requests would not naturally loop in the national CERT or other governmental actors. Indeed, doing so could potentially introduce a level of latency that would undermine rather than support cyber security practitioners to resolve an incident.
There was also broad agreement that the UNGGE norms are somewhat abstract. They lack the specificity that the technical community feels would be required to guide their actions, but the governmental policy representative pointed out that they were not written with this operational level in mind.
We identified at least three key questions to advancing the dialogue between the technical and policy communities in the implementation of cyber norms:
-
"What kind of implementation are we referring to?" The dialogue between the incident response community and policy community needs to advance in considering what kind of implementation is achievable and desirable for both ends. Second, both communities operate in different
-
"What are the mechanisms necessary to respond in time?" Both communities have different understandings of temporality. On the one hand, the technical experts highlighted the inherently immediacy of response required to handle and manage incidents. On the other hand,
-
"How can we advance the conversation (knowledge exchange, trust-building) between both communities?"
The technical community (CSIRTs and network operators) had a productive dialogue with the policy community on Cybernorms by expanding on a UNGGE Norm as an example (that about answering to appropriate requests for assistance), in light of cybersecurity incidents, as lived by the technical players that first responded to them.
Speakers from the technical community presented stories about the Estonian cyberattacks in 2007, Bank Heist in Bangladesh in 2016, and the NotPetya and Wannacry incidents in 2017. Looking at these incidents from the perspective of how the Norm supported these response activities, the group proposed a new framework of analysis to measure the value of the norms and their applicability in real world situations.
Approx. 50 people in the room. Fair gender and geographic representation among speakers. Slightly less women than men in the room.
- A proposed approach to scrutinize norms implementation through a case-study analysis of incident and response to incidents that have occurred in the past. Through the lense of practical experience, the effectiveness of these norms can be evaluated.
- That this approach can help to bridge a dialogue between policy and technical communities, raising understanding of different mindsets and communities with different objectives. Also, this dialogue through practical examples can inform future norm-developing processes by considering lessons learned and preventing un-intended consequences.
- On the normative matter of "Appropriatee requests for assistance" participants agreed that introducing latency can undermine incident response, also can damage established informal networks of trust.
The DC SIG had a very full session. 18 existing schools were present in the meeting and spoke. There were at least 3 Schools/IG programs in formation also in attendance.
- How do we improve the capabity building capabilitiy of schools on internet governance
We reviewed the content to help schools with planning on curicula and organization We explored activities for next year.
The website is at igscools.net - anyone interested in particpating needs to contact the webmater fior access to their own section of the wiki. Also explained how to contribute to the continued development of the documention.
Monthly meetings will resume in January 2020.
Discussion was rich, with many suggestions for continued work.
Details on the web site, the wiki and taxonomy document were explored.
IG schools contribute to IG capacity. The work we are doing is useful in this regard and should be continued.
We. looked at new activities that could cotribute to out capacity building goals.
we need more people on the work, and several indicated their willingness to contribute to the project
100+ particpants in the room. There were only a few remote particpants
The session was diverse in terms of gender and national origin with school particpants from many regions in the world including both developed, and developing regions. Also representatives from a wide variety of school initiatives were presnet
Anyone interersted should follow igschools.net for ongoing developments. the amount and quality of the content is ever improving.
(1) How far do participants in multistakeholderism at ICANN perceive inequalities of influence in the regime, particularly on lines of north-south, gender, age, language, and race categories?
(2) How far do participants in multistakeholderism at ICANN regard these inequalities of influence to be problematic for the legitimacy of ICANN?
(3) What innovative steps - beyond what ICANN already does - could be taken to reduce these inequalities and achieve a more inclusive multistakeholder regime at ICANN?
There was consensus that inclusion and (in)equality is a major issue and challenge for multistakeholder governance of the Internet through ICANN and other institutions.
Some diversity of perspective emerged regarding the relative priority between inclusion and other concerns (e.g. market development and efficient decision-making). Most participants emphasised that inclusion contributed to other objectives, but several speakers also noted possible trade-offs.
It was repeatedly stressed that 'openness' in multistakeholder governance is not the same thing as 'inclusivity' and 'meaningful participation'. One needs carefully to identify structural inhibitors within 'open' participation.
The discussion considered how people in more excluded positions tend to perceive larger and more problematic inequalities than people with more access and influence. Those in power can therefore underestimate the degree to which marginalised people feel constrained from participating. A particular observation was that the ICANN board generally saw less problems of inequality by age, geography, language, and race/ethnicity than the ICANN community and ICANN staff.
Policymakers need to talk openly, seriously and precisely about inequalities in Internet governance.
Studies such as the one discussed in this session can provide concrete data for an informed, direct, reflective consideration of the sensitive issue of structural power in multistakeholder governance.
Consider whether alternative technologies of deliberation - away from heavy reliance on email and conference calls - could encourage more inclusive participation in policy development at ICANN.
When deliberating about inclusion and how to improve it, policymakers can be more sensitive to (and aware of their tendency to underestimate) the ways and degrees that people in more subordinated positions experience exclusion.
The discussion noted various initiatives taken by ICANN to address inclusion issues, as well as their limitations.
See point 3
80 participants onsite
Number of online participants unclear (our online moderator was taken ill just before the session - the technicians kept the remote line open, but did not moderate.
Roughly even numbers of women and men in the audience. Female chair, male presenter, two female and one male panelist. Contributions from the floor from 3 women and 5 men.
Gender inequality was one of the five types of structural inequality put in focus. Much discussion compared the situation around gender inequalities with circumstances related to age, geography, language, and race/ethnicity. One woman in the audience wondered about perceptions of gender inequality at ICANN when many leading positions are taken by women.
The session has a background paper.
- Which issues do you want to highlight as priority keypoints at the IGF to global stakeholders?
- How can we improve involvement and return rates of youth at the IGF?
- Which challenges do youth face to attend and participate at the IGF?
During this session the YCIG Steering Committee presented their activities of the past two years and its progress to increase engaged youth participation at the Internet Governance Forum before opening the floor to speakers from the different regions to address the three policy questions and then taking comments from the room.
The speakers addressed their concerns regarding the concept of “Internet Governance” and how this can be explained to audiences. This is important as an outreach exercise both to foster interest in youth in schools and raising awareness on policies that affect them but also to investors to explain why they should be sponsoring youth to organise or participate internet governance events and projects.
Many agreed that participation at the IGF is limited due to visa and funding restrictions, but also raised their concerns that navigating and integrating in the IGF ecosystem is difficult. Although remote participation provides access, there is difficulty with accessing the platform. There were many YCIG members trying to connect from countries such as the Maldives, Burundi, and Kurdistan who were unable to participate because remote participation on mobile devices didn’t function.
Furthermore, there was a large request for YouthIGF processes to be more transparent so that there is better support available.
One of the speakers raised the issue that there is an “absence of inspiration platform for youth so that they can have aspirations to become stakeholders” and that youth should not be considered as a symbol.
The panellists discussed a range of issues related to attribution of responsibility for adverse human rights effects stemming from application of AI technologies. The debate, in particular, touched upon the potential of regulation and of self-regulation for effectively addressing the issue. There was broad consensus that only clear regulatory frameworks are capable of serving as a firm ground for the rule of law-based approach which is key for the protection of human rights. There was further agreement that such clear regulatory frameworks are of interest for businesses as much as for the users as they privide concrete instructions on what needs to be done for human rights protection.
It was emphasised that a lack of understanding of what AI is and how it functions creates a lot of mystification around the technology. Concrete information is needed to inform regulation - e.g., false positives/negatives need to be evaluated in real numbers.
The concepts of informed trust and of responsible AI were introduced. The panellists outlined in very clear terms what the technical community and the business community can do to ensure effective and enforceable accountability.
The panellists agreed that:
- there is a need for impact assessment - in concrete areas (such as ADM, facial recognition or incurred data use) and in measurable terms, encompassing a full range of human rights and a whole life cycle of AI technologies;
- there is a need for a clearer understanding of what we mean by transparency, accountability and other key principles;
- empowerment of users must be one of the key elements of relevant policies introduced by governments and private actors alike;
- there is a need for effective multi-stakeholder cooperation, in particular in bridging the gap between the tech community and the legislature.
IEEE representative informed the audience about the ongoing work on a set of technical standards on how to put ethics into the code, and about the currently starting work on a certification system.
The Council of Europe has prepared a draft recommendation of the Committee of Ministers on the human rightys impacts of algorithmic systems.
The need for quality and targeted research, for effective multi-stakeholder cooperation and for a comprehensife revision of the existing regulatory frameworks with a view to identifying areas where safeguards for human rights protection are mission were mentioned as indispensible condition for progress.
Onsite participation: approximately 250 participants, gender balance - roughly 50/50 (%)
Online participation: no information. No questions from online participants.
The session did not directly discuss gender issues. It touched, however, on other vulnerable groups - in particular, children - that need special protection in the digital environment. The discusion also strongly emphasised that discrimination is one of the most severe risks stemming from the use of AI technologies, as the latter tend to amplify existing inequalities and biases.