You are here

IGF 2016 - Day 2 - Room 3 - WS87: Law Enforcement, Cyberspace & Jurisdiction

 

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

>> CHRISTIAN BORGGREEN:  I think we are ready to get started.  Welcome to workshop number 87.  My name is Christian Borggreen.  I'll be a moderator.  I'm with the Computer Industry Association in Brussels and delighted to be co-hosting this section with Alexander Seger.  The team of law enforcement access to cloud data is fairly known so we are not going to spend too much time introducing it but I'll give you a little taste of it.  It is a basic cyberspace challenge is the notion of territoriality and jurisdiction and especially challenging for law enforcement to access evidence stored in the cloud.  And just a basic sample, you can imagine a criminal suspect in country A trying to get evidence that is stored in country B in the cloud but it's actually stored in country B from a country established in country C.  Obviously this lack of legal clarity that cyberspace brought upon this discussion is a problem not only for law enforcements but for companies, for our rights and for companies the risk that when their trying to address one country's rules that might be in conflict with another country's rules.  And where in a few instances where there are legal agreements for instance mutual legal assistance, these are also very cumbersome and take a long time to use.  All right. 

This session will quickly explore some of the main challenges identified by the main stakeholders which we are trying to invite on this panel here.  We will look to some of the national, regional and global solutions and also be discussing how we avoid fragmentations of cyberspace, reduce conflict of law and ensure rights are adequately addressed for individuals.  The format will be four minutes maximum from each speaker here followed by Q&A by the audience. 

And please if you are remotely participating thank you so much for doing so.  You can also be sending your short questions via Twitter using the hash tag WS87, work shop 87.  If you can get the slides up here.  If we can jump to the next one.  What we try to do here ‑‑ no, not yet.  One second.  Okay.  To have sort of four of the generally shared goals for this discussion for law enforcement access to data, to have sort of a general framework.  What we will try and do is use these four general goals to guide our discussion which hopefully will be more of a solution focused discussion.  Not only talk about all the problems and how complicated they are but hopefully trying to have solutions that can be addressed further after one hour of panel discussion. 

All right.  Now we will jump to our first speaker, I speak way too much.  I hope you can keep it within four minutes.  Our first speaker is from Brazil, Neide de Oliveira, also coordinator of the national cybercrime working group in Brazil.  I was hoping you can talk about objectives for law enforcement, some challenges you're facing and some alternative measures that Brazil's government has taken the make sure you get this access for instance through organizations.  And I think we will jump to the next slide. 

>> NEIDE de OLIVEIRA:  Good afternoon.  I'm honored to be here.  Thank you Mr. Alexander Seger, Christian Borggreen and Bertrand De la Chapelle for inviting us to this meeting, to give us the opportunity to present our view on the Internet.  As Christian said I'm federal circuit prosecutor in Rio de Janeiro.  And I represent here the international corporation secretary of federal prosecution.  We have two officers in Brazil, the state and the federal one.  And we have a common discussion group for cybercrimes issues in the country.  Brazil's approach to the theme of Internet jurisdiction was settled with the passing of Marco Civil Internet our Civil rights framework for Internet. 

It was passed after an expanded public consultation process.  It regulates connections to Internet and asks us to Internet applications and to also determine the (indiscernible) distributing data.  Although our Marco Civil is not yet a data protection law, it is already under discussion at our congress right now.  It does guarantee essential rights on Internet such as private and freedom of expression.  Our Civil rights framework is very clear.  Constituted under Brazilian laws we have established in Brazil must follow Brazilian legislation.  The article 11 grants even one of these conducts performed in Brazilian territory is enough to bring the company to Brazilian legislation where there is a branch in Brazilian territory or it is part of the same economic group that means when at least one of the companies established in Brazil, even if the company does not have an office in Brazil it is bound to Brazilian legislation when the service is offered to the Brazilian public. 

That means to us that any Internet company or operation is serviced in the country is under Brazilian jurisdiction and must present in court all personal data under Brazilian law.  Since legal requirements are met what is revealed by the competent judge.  We do need an improvement to deal with the companies that are not established in the country, only offering its service but for those that are well established even paying tax in the country our law is very clear and the judges are enforcing it by legal means.

From our point of view there should be a common framework among countries so there wouldn't be so many different legislations but now it's a matter of which company and for example Brazil, this country has jurisdiction over the company.  The organizer and the cooperation of the states are very much welcome.  I commend the organization for in great initiative.  That's all. 

>> CHRISTIAN BORGGREEN:  To understand you correctly, for law enforcement it was important access to data.  You protect the privacy.  You feel that you're more confident in getting that data when enforcing data operators locally in Brazil but having a two track approach where you're forcing data to be stored locally in Brazil but to have an international framework. 

>> NEIDE de OLIVEIRA:  In order to have more efficient response by Internet service providers, and it's not necessary to have a data centre in our country.  Of course.  It's not necessary.  But if the provider has an office in our country or offers their service for Brazilian users, it's enough for us; these providers have to obey our legislation. 

>> CHRISTIAN BORGGREEN:  Thank you so much.  I think we will have another question.  I think we will jump to our next speaker from Microsoft, Paul Mitchell.  What do you make of this? 

>> PAUL MITCHELL:  I'll tell you awe couple stories to set the tone.  Many of you know Microsoft has been involved in a legal case with the United States government as relates to e‑mail data stored in one of our centers in Ireland.  The initial filing, imagine officers investigating a leak to the press, they serve a warrant to seize a bundle of private letters in Manhattan.  They have to open the box with a master key, rummage through it and find the letters.  It goes on to imagine the reaction to the U.S. secretary of state since this would bypass all the legal formal procedures and would claim it's nothing more than a German company producing its own business records. 

You can imagine in your mind what the points of the case are.  I'll make the observation it's not actually about the content of the e‑mails in question at all in this case.  In reality it's about principals, the rule of law, the balance of security and privacy and the interplay between national and international law.  This case is not over yet.  We won the last appeal round but the United States has indicated they would like to take it further.  So next we have an example of the horrific Charlie Hebdo tragedy that happened in Paris last year.  While there was a man hunt going on in Paris at 5:42 in the morning we got a call telling us two terrorists in Paris had U.S. e‑mail accounts.  We it to the authorities in 45 minutes.  There are frameworks today for international agreement that can and do work.  The Brazilian police arrived at the apartment of one our executives in Brazil ‑‑

(No audio) ‑‑ of the law enforcement investigation the Microsoft turnover Skype data for a Brazilian customer.  The problem was the data in the case was not in Brazil but in the United States and it would be unlawful under U.S. law for us to provide it.  As it also happens, he was in the U.S. at the time so his wife was not very happy about the event.  Key point there is when dealing with data requests complying with one country's law may result in breaking other countries. 

So these stories are real and illustrate the point that the legal frameworks need to evolve with the technology's evolution, the existing technologies we have don't address the complexity of the Internet and cloud services but it's also acknowledged that the growth of the digital economy, the future of the Internet of Things and potential innovations around big data, machine learning, artificial intelligence, all of these things that have potential economic and social benefits rely on the ability to transmit data back and forth across borders for providers to balance the load on their cloud service systems and network. 

All countries want to realize these benefits though somehow they have to cooperate to solve the problem.  I'll close by noting that Microsoft is one of only a few if it's scaled where this is such a big problem.  We operate in 122 countries.  We have well over a billion customers.  Some are governments.  And we have hundreds of data centres located all around the world which are intentionally designed to protect the data but for us to actually offer the services that we do, we need our customers to be able to trust us and for them to trust us we have to have a framework of trust that is grounded in the room of law with due process that applies globally.  I'll stop there.

>> CHRISTIAN BORGGREEN:  Can I ask you briefly, you're an international company very active in your discussion.  Where should we look towards good solutions?  We don't have enough time to go into it but can you point a little bit.

>> PAUL MITCHELL:  I'll give you examples of some things that are in process and working.  The Internet jurisdiction project which I'm sure we are going to talk more about is about capturing ‑‑ a couple of things that are pushing the boundaries in the right direction are work being done and transparency and on the ability for companies like Microsoft to be transparent about when we get data requests, what kind of data requests they are and what we are doing about it. 

So we and the other large providers are all doing transparency reports at some level.  The ranking digital rights project is an example of again trying to point in a particular direction that is actionable.  So those are ‑‑ those are things that are in process.  There's also the US/UK agreement which is a starting point to other new forms of multilateral agreements.

>> CHRISTIAN BORGGREEN:  Thank you so much.  We are going jump to our next speaker, Nathalia Foditsch.  I was hoping we can get more insight, academic point of view from things we heard from Brazilian enforcement but maybe thoughts about what we need to talk about when talking about territoriality and jurisdiction. 

>> NATHALIA FODITSCH:  Thank you so much, Christian, for the invitation.  I'm honored to be here today.  First I wanted to raise the question on the reasons why it's so crucial to discussion these issues.  Besides any social and Human Rights issues involved in all these process and due process, there's a huge economic impact in not having a proper system in place or having a flawed system or having a system that needs improvement. 

Recent study that was undertaken in Washington, D.C. found that last year only over a billion dollars was the economic cost of app shut downs at a national level in different countries and I'm not even only talking about the shutdown of the whole Internet but ‑‑ (no sound) ‑‑ (lost Skype connection) ‑‑ in terms of mutual legal system treaties they can delay a lot of process so I guess that's one of the main reasons why we should also talk about how to improve the system.  An average ten months in Europe it takes to have a reply.  And also we have to talk about the alternative options to mutual legal system agreements. 

Do we really want to have direct public requests?  Considering that the Internet is already so much privatized do you want to foster the privatization of government more or do you want the government to be involved in having a proper transfer of data in which rights and due process is guaranteed. 

Moreover it's important to understand that in many cases if we don't have proper system in place, this might lead to mandates and also government hacking which can also have even worse consequences in terms of Human Rights.  And actually I would tell everybody to take a look at a paper that was originally launched by access on government hacking.  And it will be interesting also to understand to what extent not ‑‑ having a system that needs to be improved is leading to data utilization mandates.  We had the recent case of Skype, what's up in Brazil.  Billion they're saying that having encrypted messages is pretty much not being able to intercept the communication is illegal so I'm not sure that's the way we want to, you know, go and develop. 

In Brazil just to finish, right, because my time is almost over, to what extent having the take down is necessary and proportionate.  A hundred million users were affected by taking down what's up in Brazil so is that what we really want?  In the end they also migrated to Cella-Gram (phonetic).  It's not bad.  They create competition.  But those are my brief points.

>> CHRISTIAN BORGGREEN:  Great.  Thank you so much.  I'm sorry for bashing you here but when authorities just, you know, if they have a beef with one provider they just shut down the whole app.  How many? 

>> NATHALIA FODITSCH:  100 million years. 

>> CHRISTIAN BORGGREEN:  That's probably not the best way in the future to go about it.  Okay.  Speaking of freedom of expression and Human Rights, you're the director of the freedom project and could you expand because I promised the audience to talk about the solutions so if we can talk about the solutions and not the problems.

>> EMMA LLANSO:  Great, thank you so much and good afternoon.  My name is Emma Llanso; I'm at the Centre for Democracy & Technology which is based in Washington, D.C.  And my colleagues and I have been working closely on this issue of transporter access to data.  I want to talk about the transparency aspects of this.  In four unifying goals we had, goal three was really to provide transparency a clarity for users, governments and companies in how these trans-border access issues and scenarios are kind of playing out. 

So one area where we have been doing a lot of work on this topic is in the freedom online coalitions working group on privacy and transparency, freedom online coalitions a coalition of 30 some governments from around are the world to work together to promote an Internet freedom agenda and they work on a variety of key substantive topics that we are facing on the global Internet.  In November 2015 our working group on privacy and transparent put a report on a number of consultations we have done with governments and companies describing the state of play and around transparency regarding government requests to companies for user data or content restriction. 

And trying to identify some of the obstacles and opportunities for transparency because it's very clear that there's a growing demand for more information from governments and companies in this issue around the world.  I think it's really important as we talk about potential solutions here to really understand sort of what is the case for transparency, what is the point of it.  And it's not really just transparency for transparency's sake.  It's not that we want to see lots and lots of grids of numbers and stacks and stacks of reports because that in itself is a good.  Transparency enables a couple key elements.  Of course it enables transparency (laughter). 

It is transparency.  And that leads to enables accountability.  We are empowered to exercise oversight if we have an idea of what they're doing and what is going on.  It promotes individual empowerment.  It gives citizens and individuals an understanding of how companies and government action affects them individually and directly, and also affects how these entities are shaping society and affecting the information we have access to and what our governments know about us.  This kind of empowerment can also lessen the chilling effect about their willingness to express their views and use information and communication technologies.  And then of course transparency helps to inform policy discussions and advocacy and helps us find the kind of solutions that I think we are all really here for today. 

So I think one of the ‑‑ there's a couple of ideas that I wanted to sort of throw out there for discussion.  In terms of how we develop laws, policies and frameworks with meaningful transparency in mind I think one key aspect to keep in mind is at an operational level providing transparency can be somewhat challenging for companies or governments.  It can be a big data management project.  You run into all sorts of questions about what data should and shouldn't be provided based on national security concerns or other kinds of issues and so any time we are talking about how to provide ‑‑ oops ‑‑ did we lose the mic?  No. 

Any time talking about how to provide transparency we need to keep that in mind for what those projects might pursue.  I see I'm out of time and maybe that's why my mic has changed.

>> CHRISTIAN BORGGREEN:  We are not shutting you down although that is good in the future for moderating just to shut people down.  Especially on a freedom of expression related panel.  No panel would be complete without having Bertrand De la Chapelle.  I'm just going to jump directly.  I will shut you off if you don't come and help us get closer to what we are trying to achieve here which is pointing to some solutions. 

>> BERTRAND DE LA CHAPELLE:  Thank you Christian.  I'm Bertrand De la Chapelle.  We have three programmes and one of them is specifically dedicated to this issue of cross border access to user data.  I insist on the term cross border.  The fundamental problem we are confronted with is this information that is stored by countries in a country that is different to the one where the crime that is investigated is taking place.  And in addition those companies are serving users around the world as was said by Neide without having any local offices or local actives. 

By definition any service on the Internet hopefully is accessible everywhere in the world.  We held in November 2nd weeks ago conference in Paris called the global Internet and jurisdiction conference that had one of its tracks dedicated to this.  The first element is to frame the problem appropriately and to recognize that this is a problem that is a problem for all the different actors.  There are no good and bad actors.  There is a common public interest need to be able to find the information when there's a criminal investigation. 

The problem is that the current mechanisms of neutral legal assistance treaty lead to a situation where it's either cumbersome and leads to a conflict of law and puts the companies into a situation where they have to choose which country of law.  And so fundamentally the key challenge is what are the proper frameworks, what are the proper standards for due process to govern those cross border requests that are coming from a public authority in one country to a private actor in another one. 

So beyond the framing what is important to know is that this is a problem that is being tackled by several different initiatives.  There are initiatives in the U.S. some of which have been mentioned and Emma mentioned a process whereby a certain number of Civil Society actors and companies and academics with the participation actually of the U.S. government is looking at ways to handle the specific situations when the only nexus of connection with the U.S. is the use of a U.S.‑based platform.  The crime is in one country.  Investigation is done in one country.  But the data is held by a company that is based in the U.S. and that's the only nexus of connection. 

So how to develop safeguards and procedures for this is one of the things what the proposal is exploring.  At the same time the justice department in the U.S. is exploring position bi‑lateral agreement with the United Kingdom that could be scalable afterwards to handle those specific cases.  But in parallel in Europe the Council of Europe and Alexander Seger in particular is dealing in the context of the cybercrime convention on how to improve those mechanisms and the European commission has been taught by the council of administrators of justice and home affairs in June with a specific role for access to basic subscriber information.  It's important that all these different initiatives are aware of what is being discussed so that there is a chance of policy coherence and this is one of the ways we help facilitate in Paris two weeks ago. 

Towards the solutions, what is important when we try to address those issues is to deconstruct the big problem into manageable chunks.  One first element is the operational challenges in trying to find a solution.  I'll list a few of them here.  The rules are not the same for basic subscriber information, for traffic data and for the content of e‑mails, for instance.  I wouldn't get into details because of time but it's important to know that the rules are different for those three types of data.  There's a very important question of how do you validate the authority and authentication of the investor. 

How do you know it's a law enforcement agency in Kenya or in France?  There is a question regarding the criteria for jurisdiction and Paul was mentioning the Microsoft case which is a very important case trying to distinguish whether the location of the company or the location of the server is actually the relevant criteria for establishing jurisdiction.  To be honest it's very likely that neither is a good criterion because if you apply them too rigidly it leads to certain incurrences and bad solutions.  One of the challenges being discussed is there are other criteria for the jurisdiction including the location of the crime and or the nationality or are the residence of the person to who the data is being requested. 

And so just to finish, beyond the challenges that are common it is important are to identify what are the common corporation areas that can be explored and in that regard the criteria under which there's a notification of the user is a very difficult issue.  The criteria as I said for the jurisdiction and everything related to due process mechanisms.

>> CHRISTIAN BORGGREEN:  I think we are getting closer to solutions.  You got a little bit more time there but that's okay because you're helping here.  We got closer to solutions.  Before we go to our last speaker I would own courage you to send your questions on Twitter using the hashtag WS87, workshop 87, and have your questions here in the audience because in four minutes we will go to Q&A and you can ask our experts all your questions and comments as well.  And of course our final speaker Alexander Seger is head of the cybercrime division of the council of Europe.

>> ALEXANDER SEGER:  Thank you.  I have one slide if you can put it there. 

>> CHRISTIAN BORGGREEN:  Yep. 

>> ALEXANDER SEGER:  This is a real technical challenge.  What I'm going to talk about in the next four minutes is the type of solutions that are currently under discussion within the framework of the Budapest convention on cybercrime.  A number of things up talked about referring to national security arena, talking about criminal justice.  At the Budapest convention there's 50 parties; Brazil is neither a party nor an observer state.  United States is a party, Japan many others. 

The party to this treaty meets twice a year at the cybercrime convention committee and the cybercrime convention committee established ‑‑ it's all on that slide ‑‑ to identify solutions and how to address the issue of criminal justice access to evidence in the cloud. 

The group produced the final report about 6 or 8 weeks ago and that was then discussed three weeks ago by the cybercrime convention committee.  The rational is that you're talking about cybercrime but also about evidence in relation to any crime.  It changes the scope and the scale enormously.  Evidence is on servers often in foreign multiple shifting or unknown jurisdictions.  And without data there's no evidence, there's no justice.  And I fully share the frustrations that other prosecutors have because we have on the cybercrime commit about 120 prosecutors and law enforcement officers. 

We cannot protect society against crime anymore.  Less than one percent of any cybercrime reported actually ends in court proceedings.  And only very small part is actually reported.  You have to keep that in mind.  So a number of very specific issues have been identified by the cloud evidence group.  Important one is we need to differentiate the type of data needed.  Law enforcement most on needs subscriber information.  Without subscriber information it can't get started.  The committee groups identified the effectiveness of existence; I don't think we have to go more into that.  We have the issue of loss of location or loss of knowledge of location; we don't know where the data is. 

And that leads to a jungle of unilateral solutions and I would say the procedure is part of this now.  In frustration because governments and law enforcement have a job to do.  They find their own national solutions to address the problem.  Then we have the issue of when is a provider that may hold data actually in my territory?  What moment on wards are they here?  We need to define that.  And that was also mentioned in the presentation by the Brazilian prosecutor earlier on.  We have this generosity by U.S. service providers.  They and the U.S. law can provide voluntarily subscriber information.  Content is another debate but providing subscriber information they can provide.  But voluntarily. 

There are a number of challenges that come with it.  By the way, other than the United States parties to the Budapest convention, 138,000 requests were sent to six providers.  It's about ten times more than requests were sent just to six providers.  We have the issue of emergency procedures.  And Paul from Microsoft mentioned emergency procedure used in the mutually request in the case of the Charlie Hedbo attacks.  Service providers can incorporate sometimes on content in emergency situations, child abuse, and so on.  They can do that. 

Non‑U.S. providers are not allowed to do that so we have an unequal playing here which we have to understand line.  And again for European countries, European Union countries and providers providing a service in Europe there will be a different situation from April 2018 on wards when the new European data protection rules are in force.  Five solutions identified, not going into detail as the website indicated here you can find the report in detail.  One is we have to make it more efficient.  There's no way around that.  It cannot come with more adventurous solutions if we don't invest more. 

The second solution, second part of this package of solutions, it's about protection orders.  Orders to provide or produce data.  Article eight in one b talks about ordering a service provider, offering a service on the territory to produce subscriber information.  Now the debate is what does it mean offering service and so forth?  But if consensus can be found that's article one B can be a legal base for a domestic production order offering service on a territory and the connecting factors, then it may create a legal basis for this type of regress to providers like Facebook, like Microsoft and many others, it may also protect the service providers because there is a lawful order at the origin. 

The third solution is that this whole complex of domestics production disorders has to be clearly defined in domestic law.  You have a whole variety even in Europe.  In some countries a police officer can order the production of data, in others you need a court order for the same thing.  There's no harm whatsoever. 

Finally the fourth proposal is practical cooperation with providers to improve it to use online tools to make it clearer for providers.  What are the powers of law enforcement in different parts to the Budapest convention?  So if Microsoft gets a request from a police officer in country A, you realize the police officer is not authorized to ask this from you, only a prosecutor.  And if you get it from country B only court with issue an order to produce this data and so forth.  We also by the way create the cybercrime convention committee meets at least once a year with providers to discuss issues and listen to your concerns from the provider side. 

And finally we expect the final decision to be made about starting this next year, it's a protocol to the Budapest convention to find legally binding solutions to a number of issues answered I think I'll stop here. 

>> CHRISTIAN BORGGREEN:  Thank you so.  We got a little closer to some solutions so thank you for that.  Now we are open up for Q&A from the audience and hopefully there will be a lot of questions.  Hopefully it will be someone with a microphone.  I'll just throw it to people.  I see a question there, the gentleman with a phone and there's one in the very back.  Maybe we will take that first and then go to you afterwards. 

>> AUDIENCE:  Hi.  I'm Leandro from Argentina.  I like to raise a point about the powers of law enforcement specifically speaking about rule 41 that has been approved in the U.S. that expands powers for judges to issue warrants on a global basis for remote access and I would like the input of the panel for this as I think it's setting a precedent globally to every country basically just allowing judges to issue warrants that are across borders.  And I think that is worrying on Human Rights perspective.  So I would like the input of the panel on that. 

>> CHRISTIAN BORGGREEN:  Great, thank you so much.  There was a question here. 

>> AUDIENCE:  So it seems according to what I have heard that compliance rules regarding or improved by international cooperations could be the best manner so to translate those principals into an enforcement law or to ban principals to provide certainty about transfer or maybe the storage from abroad from country A to country B and exercise persecutions internationally.  Am I correct? 

>> CHRISTIAN BORGGREEN:  Thank you.  I think I understood the question.  And final comment here and one question also, a question here in front if we can get the microphone here.  Okay.  We'll take you. 

>> AUDIENCE:  Hi, I'm a Brazilian lawyer and I want to highlight the blocking of a patient in Brazil is due to a different interpretation from that proposed bylaw which does not consider the principals laid down by Marco Civil.  And what experts in the field are expecting is that the authorities become more open to understand a subject that is new to them.  Thank you. 

>> CHRISTIAN BORGGREEN:  And I think we have a question up here in front. 

>> AUDIENCE:  Thank you.  Thomas from the German federal foreign office.  I don't have a question but would like to give an answer maybe to your question about practical measures.

>> CHRISTIAN BORGGREEN:  Yes. 

>> AUDIENCE:  Concerning transparency.  Germany and Brazil are running the general assembly resolution on privacy for quite some time.  This time we introduced paragraphs in the preamble to provide transparency and we have two paragraphs in the operative report one calling on states to enable more transparency measures and another one that addresses companies also encouraging them to be more proactive about transparencies.  That is a practical thing.  And both sides, enterprises and government, should follow up on this.

>> CHRISTIAN BORGGREEN:  And we had one question which maybe is more relevant to Paul.  It's regarding a prosecutor in New York.  Are they best served to come up with a global framework about how to get access to data?  But I mean this is a new topic, this is a fairly new topic in terms of interpreting, there's no legal framework.  We have justices in New York and Brazil who are tackling this question here.  Maybe we can attack that question, first.  I don't know if you want to go first Paul and then afterwards...

>> PAUL MITCHELL:  So I'm not entirely sure I understood the question but if the question is should some American judge make the decision on worldwide who should have the right to do what, I think the answer is clearly no.  I think most of the rest of the world would have a problem with something like that.  We are trying to have a slide up there that basically characterized the problem, your four buckets of problems.  I think what the warrant case does is puts all of those problems together in one case in a way that you have to kind of figure out what is the germane issue, is it where the data is, where it's processed, who the data pertains to, what happens if it's data that it's a communication between an American and German, and it's stored in a Brazilian data centre whose law applies.  Those are the unanswered questions, some of the unanswered questions. 

I think what we are trying to advocate for as a whole is that we start on a global basis or continue since the conversation started but we work towards clarifying processes that we would go through in the instances where we have these conflicts.  We have talked a little bit about the idea of process standards or process architectures that get to the how you go through the process from when you get a request, however it gets to you, to where the decision points might be where you have to arbitrate between is it Brazilian law or U.S. law, and maybe that gets you ultimately to a place where you start on the international cooperation side to identify how between pairs of countries and eventually you might get a broader group and a broader convention that would result from that. 

But what is clear is not a workable solution is a unilateral decision from a judiciary on any country that my law is the law that matters globally and you will all fall in line because it's not practical, it's not implementable in may real way in the way the Internet works today.

>> CHRISTIAN BORGGREEN:  Did you want to add?

>> Thank you.  I think that there's an important element that as to be taken into account here which is that there's a sort of pendulum swing at the moment.  We were in a situation where the frustration that has been mentioned was clearly that there was no possibility of accessing this data.  And what is happening at the moment is there's a pendulum swing in the opposite direction because trying to solve this problem we get into situations where there's an extreme extension because it's understandable.  In the case of Brazil and in the case of the data regulation implemented in 2018, it's accessible in a country is now sufficient to exercise jurisdiction which is important. 

The Microsoft case is also touching upon the question of extra territorial extension of sovereignty because if the U.S. government prevails in the court it may mean they have access to data stored by an American based country anywhere in the world.  There was a question towards Human Rights but I think it's important for everyone to understand that the challenge of extra territoriality is also a problem for governments themselves.  In as much as everyone is trying to solve its own problem, the fact that another country is trying something extra territorially is also a problem.  The judiciary is the best place actor to set the norm is clearly a negative answer because the Microsoft case is what I often qualify as a lose‑lose situation. 

You can see there are other cases that touch ton extra territoriality, you get a case in France on the territoriality extension on the right to be deemed, there's a case in Canada, there's the Microsoft case.  This question of the territoriality extension of sovereignty and the jurisdiction criteria is one of the most important ones and there probably is a need to move slightly away from the pure territorial basis.  This is something that goes in the discussion there's the cybercrime convention.  It is also being discuss in the approach by the U.S. groups that I was mentioned before, understanding that the exercise of sovereignty needs to be respectful of the sovereignty by the other actors and it's the way to find the balance. 

Generally speaking I think we are in a situation where if we are not careful enough the jungle of solutions is producing what we have labeled legal arms race because every single actor in this situation is trying to find a solution in a cumulative effect of all the decisions is not only making the problem harder to solve but harming every single actor in the long‑term.

>> CHRISTIAN BORGGREEN:  I think we had a question about Brazil and the interpretation of the Brazilian law which I know very little about but thank good there's two Brazilians on this panel here.  Maybe week first turn to it academia.  Because how do you implement a law if it's not entirely clear?

>> I loved that Bertrand De la Chapelle used the expression of prisoners' dilemma because I think it's a great one.  I think your point related to judges is crucial.  We need to train and understand the national behind the Civil rights framework in Brazil.  First this law was intended to guarantee the rights before any ‑‑ before criminalizing the use of the Internet. 

So training judges in the whole system is crucial for sure.  Second we actually have some pending cases before the Supreme Court, Supreme Court in Brazil now to discussing whether take downs apply, whether using this law that was actually enacted in 2014, if take downs actually are supported by this law or not so we have cases even in the Supreme Court right now discussing that.  So I think and Christian also asked me if the law is clear I think in terms of the jurisdiction it's clear, it's clear that data doesn't need to be stored in Brazil but we have jurisdiction over the data so that's clear in the law however what is not clear is whether the take downs respect the overall intention of the law and some specific clauses in the law, and whether take downs should be the solution or not to cases whether the due process legal system and prosecutors are not ‑‑

>> CHRISTIAN BORGGREEN:  When there's a communication service that 100 people use, could that be in conflict with other laws or principals?

>> Sure, constitutional rights and also the Marco Civil which is the rights framework for the Internet itself.  So there are other parts of the law that talk about how important it is to allow for this freedom of expression. 

>> CHRISTIAN BORGGREEN:  Thank you.  Do you want to comment?

>> I'd like to say that our framework, Civil rights, states very clear that providers have to obey our situation.  It's clear for us.  And there is a penalty about suspense the service with the decision is not obeyed.  But all the prosecutors, the federal prosecutors especially, we know it's so difficult for the society to understand that and it's a problem when hundred millions of users is out of the service because of a decision in one process.  And we prepare technical notes and shared these documents with all the prosecutors in the country to say for the state prosecutors that it's not a great penalty for the providers to obligate them to obey the decisions because you have other penalties that we think it's more efficient. 

As the financial block the provider in Brazil.  Federal prosecutors ask the federal judge to block this account and we think that the providers are kept and it's more efficient to obey the decisions when you have a lot of money, millions of dollars blocked.  So we think it's better solution then to interrupt the service. 

>> CHRISTIAN BORGGREEN:  Follow up comment from your colleague sitting here in the front. 

>> AUDIENCE:  Good afternoon for all.  I'm a federal prosecutor in Brazil.  And I work not just to cybercrimes in Brazil but I also work with Human Rights.  I'm like not just prosecutor but a citizen, very worried about the privacy of the Internet and the security of the Internet. 

What you would try to do and say we all Brazilians try to do with this law I think there was a huge discussion for all the stakeholders in Brazil to give their opinion, to give their base, their reasons to us to get in a law that's the Marco Civil Internet, the Internet Civil point.  And what it's important to say here is that Civil Marc is not just a right for the prosecutors, the judges, or the authorities to get in and take information.  It's a right for all the citizens because it means that no one, even the authorities decides against this and no one will be ‑‑ no one ‑‑ everyone has the guarantee that you just have the privacy, your privacy damaged by following some rules that's in the law. 

And about the privacy I'm finishing.  I don't want to take so much time.

>> CHRISTIAN BORGGREEN:  We can bring a chair up here.

>> Sorry, Chris.  But I would like to say that like a citizen our privacy is protected.  We have a law.  We must work a lot with the jurisdiction everything.  But we have of a law that guarantees that my son that was raped is going to be found by an authority we have reasons to search, we have just the criminals with this.  So I would like to point this and really, really, I'm really finishing, Chris, just one minute because it was important for the Brazilian lawyer Nate said.  And in the car wash the block that was in the financial made by the judge in the financial firm that was judge order that was not obeyed and the firm was ‑‑

>> CHRISTIAN BORGGREEN:  I'm sorry.  You have ten seconds. 

>> AUDIENCE:  We have the other punishments that all the prosecutors are trying to get in the firm and not in the citizens. 

>> CHRISTIAN BORGGREEN:  Thank you so much.  I'm going to jump right away we have a few questions we received via Twitter here and welcome even more questions.  We have a question from Ora Ruse who asks besides the criteria in who has jurisdiction is there any official collaborative and jurisdiction.  And I'm realizing we have Europeans, North Americans, and Brazilians speaking.  But if there are common approaches maybe in Africa or Asia that he we haven't heard of, from someone in the audience maybe.  Should we take this question?  Okay.

>> I think the quick answer to this is that it is a common problem that can only be solved by an appropriate discussion among the different stakeholders and among the different initiatives that are taking place.  And so the strong message that we heard is no single actor or group of actors can solve this alone.  The message to work together was very strong and as Internet and jurisdiction in the policy network we are facilitating a discussion.  It is up for the stakeholders and the actors to move forward to connect with one another, to identify the elements that are common but I would say that this topic has been ramping up in the last few years, is becoming extremely acute now and has reached a sort of tipping point that Mike's me relatively optimistic on the likelihood of finding elements going to largely concrete solutions.  If you want more information we have a booth. 

>> CHRISTIAN BORGGREEN:  I'm going to go to Alexander.

>> ALEXANDER SEGER:  If we talk about an international official way of addressing this then you have to what is happening in the framework of cybercrime convention committee, we have Asia Pacific countries there, Latin America countries there.  Let's be very clear, it's five solutions that hi put on my slide earlier on.  Some have them of been accepted but let's shape how this is addressed in the 50 countries but the other 30 countries that are about to join.  This is not just something academic in a way.  It's going to shape the reality in those countries. 

One point I want to underline regarding this discussion about other concepts, currently the solutions are focusing on subscriber information.  We are not addressing the content data that may have to be addressed as a protocol to the convention but there is a lot of frustration about the concept of territoriality.  Facebook has 140,000 servers or more in Sweden.  I was recently in India, and in the conference just for the fun of it I established I opened a new outlook account.  John Doe whatever.  And I could choose the jurisdiction.  By default it gave me India so I took another one, Isle of Man.  If the Indian authorities want to investigate this who do they go to?  This is sort of frustration we have. 

Prosecutors don't take this lightly.  They don't just go for the fun of it after providers or whatever.  There are serious cases of crime, situations of life and death; you need to act quickly on that. 

>> CHRISTIAN BORGGREEN:  Thank you.  I have one more question here from Twitter and we will ask if there are more questions.  Someone here is asking from Twitter if the ITF should identify each of the key concepts, I guess jurisdiction is one of the key concepts we have been discussing.

>> The IGF is not allowed to make discussion.  The discussions are extremely important.  Discussions like this, yesterday this is very important to discuss this but you have to come to solutions, we cannot wait another ‑‑ 26 years ago this was considered a highly urgent matter.  We are still discussing.  It's not something we started yesterday.

>> CHRISTIAN BORGGREEN:  All right.  We will take some questions.  I see one question right here in front.  And two in the back there afterwards.

>> AUDIENCE:  Hi, I'm from Brazil.  My question is concerning suppose we eventually make states manage to make a framework of cooperation for sharing data and cases of related jurisdiction.  But what would we do concerning possible how can I say safe havens, states that are not into those cooperations and just serve as havens for companies, et cetera, or is that too early to think about it? 

>> CHRISTIAN BORGGREEN:  And I have two questions right there.

>> AUDIENCE:  My name is Jacqueline; I'm with InternetLab in Brazil.  I'm sorry.  Yeah another Brazilian.  Shouldn't we be aiming as a task to determine whether a country can directly request user data?  The reason why I'm ‑‑ I mean by directly I mean not having to go through (indiscernible) the reason I'm asking is because it seems to me Brazilian judges are unconsciously applying a multi factor task.  I read decisions saying I'm investigating a person in Brazil and also the victim of this crime that has been committed in Brazil is Brazilian.  It seems to me that this solution that would acknowledge Brazilian jurisdiction in this case would resolve 80% of the cases and deal with the frustration of the Brazilian prosecutors. 

>> CHRISTIAN BORGGREEN:  The question about safe havens, I think the gentleman behind you ‑‑

>> AUDIENCE:  I'm neither Brazilian nor a lawyer.  My name is Byron Holland.  My comments are really from an operator's perspective.  Although I've also recently been changer of the CCNSO which is the country operator group in ICANN.

>> CHRISTIAN BORGGREEN:  And your question? 

>> AUDIENCE:  It's more comment and suggestions.  Would you like me to keep going or do you want to answer the previous questions first? 

>> CHRISTIAN BORGGREEN:  Go ahead.

>> AUDIENCE:  So as an operator we face these challenges all the time.  As an individual I'm a strong proponent and believer of a free open global Internet although I'm subject only to the laws of my own land.  We heard the Brazilian prosecutor or sorry we heard Microsoft talk about the situation in Brazil where they broke down the front door.  Metaphorically that happens to me as an operator frequently.  Part of the solution is getting law enforcement to know that an knock an explanation is often very, very helpful and I think we are starting to see that in some environments that discuss the subject where law enforcement is talking about their situations but when the front door is broken down, explained rationally as a community are very open to helping law enforcement where appropriate. 

That said I will only respond to the laws of my own land so the multilats and those vehicles have to be in place in a mining full way because when law enforcement tells me to do something I don't and I wouldn't even if I know it's reasonable and just.  And I think a very good example of that recently was the avalanche takedown.  800,000 domains were taken down.  That was a cooperative endeavor with Interpol, et cetera.  There are thousands of examples where it can work but hard work to engage in before we find this beautiful solution. 

>> CHRISTIAN BORGGREEN:  Great, thank you.  I think we have to take the questions now and thank you for that good comment about the need for a real dialogue between operators and law enforcement.  If we can go to the first question about solving many of the problems we are discussing but avoid the problem of forum shopping maybe criminals pick the jurisdiction that is not covered, to have their data extracted.  Maybe any quick comments?

>> Under the question of multifactor test there's a lot of debate going on about this in the U.S.  Our department of justice proposed a law that would enable service providers to respond directly to requests from foreign government answer not having to go through the MLAT process.  So this scenario you were talking about. 

And there's a lot to be said about this bill but a couple of key things that come ups we are thinking about this, one is what are the criteria that a foreign government would have to meet to get this sort of special ability to serve an order correctly on a company in the U.S. and what those standards are would be very, very important.  One of the criticisms that my organization had of the DOJ bill it presents the different factors demonstrated respect for rule of law, adherence to international Human Rights obligations, and some other things, presents them as factors and not as requirements so we think that providers material too much leeway for a sort of potentially political determination of which country does the U.S. want to make this kind of agreement with and how can we sort of fudge the fact that they meet some of these factors but also not others. 

And I think another key question who gets to decide if the countries meet these standards?  Would it be only the department of justice or the department of justice working with the state department where there may be influence of international relations or is it's something that should be put before the legislature as well and have congress be able to evaluate how the standard are applied, how these agreements are assessed and what decisions are arrived at.

>> CHRISTIAN BORGGREEN:  Do you want to follow up?

>> Yeah, quick follow up on the multifactor test.  We had a session in Paris that was a short session on the future of territoriality as a criteria for jurisdiction.  And this is a question that was raised very explicitly coming from the workshop sessions that people had earlier in that day.  And there was a strong debate regarding whether a multifactor test is appropriate or not.  Some actors are legitimately considering the current tests are too rigid and too simple.  The Microsoft case being a perfect example on territoriality. 

But at the same time when the proposal of the multifactor test which as Emma was saying is part of the bill that was being explored at the moment in the U.S. was mentioned in that session, there were reactions considering that it is difficult to implement, that it is complex, and that in particular for instance including the nationality or the residence of the user is a very difficult criteria to evaluate.  So there's a debate going on.  I think on a personal basis looking at the discussion that the trend is towards sort of multifactor tests, that it's more or less the practice that people are having but there's still a debate in the moment in that regard.  And the other element regarding the comment by Byron on the explanation by the law enforcement. 

What he's talking about is also very operational in terms of what are the formats for requests, what are the informations that should be communicated to the operators whatever the operators are, to justify the request for data which such is by the way on a very important element of due process and trust building and so on.  Also touches on issues of confidentiality.  How much data with be shared with the operators on criminal investigations?  So those two elements multifactor test and procedural elements regarding the format for request is some of the elements that are discussed at the moment. 

>> CHRISTIAN BORGGREEN:  Alex? 

>> ALEXANDER SEGER:  Thank you.  I'm afraid the territoriality principal this year in October celebrated its anniversary and I think its many years since it's done away with.  It's not to focus on the location of data because that's a very volatile concept but to focus on the person in possession or control as the key factor.  It's a situation when it's perfectly all right when it's acceptable, it seems like for subscriber information there's doubts from the Microsoft side regarding the issue of content.  For a long time you will have dual principals. 

But I could perhaps anticipate what may happen in the future because you see it in other areas and in the European Union that countries may require for companies to be legally represented in that country and to have somebody there to be ordered then to produce and maybe simply a law office, law firm, a branch, whatever.  I think this is something that could develop and you have data protection regulation and so forth, we may perhaps see this also in the criminal law area. 

>> CHRISTIAN BORGGREEN:  Please.

>> Two things to follow up exactly on what Alexander is saying.  I fully agree with the trend he's describing.  One of the challenging is the scaling up of this solution which brings a lot of questions regarding small companies and also small countries.  Because if you push the reasoning too far and you implement for any type of service the kind of rule that may be management for very large providers it would mean that the proverbial three people in the garage were actually developing a new application should designate a representative in every single of the 190 countries to handle those things.  I was discussing it this morning with two people and there is clearly a question regarding the scalability of this thing. 

It may have a threshold effect, it may have replication effect and I like to quote in those regards in philosophy there's the Kantian imperative that you shouldn't do something if generalized it would look back and mandatory representation in a country is on the threshold of that kind of problem because if you generalize it, it can be harmful.  But I agree with Alexander.  It's a portion of the solution but we have to be careful in generalizing it. 

>> CHRISTIAN BORGGREEN:  I'm going to give a little homework for each of our panelists but you only have two minutes to do this homework.  I would ask you, we are going to discuss this next year at the ITF I'm sure, so what are we going to be focusing on?  What are the elements or the solutions or the elements towards solutions to be resolved in the next year regarding law enforcement access to cross border.  Don't answer now. 

We are going to take one question and ask each of you to over three second to give your main points.  We have maybe one last question.  In the very, very back.  Yep. 

>> AUDIENCE:  Thank you.  My name is (indiscernible) and I'm from the centre of Internet society, India.  My question is with regard to MLAT reform, one of the main issues in terms of creating a multi-jurisdiction MLAT process has been with regard to which are the jurisdictions which qualify to be on it.  On the one hand there is ‑‑ there should be Human Rights standards that all requesting jurisdictions should satisfy.  On the other hand if that standard is too high then it ends up excluding more jurisdictions and bringing that meaningless.  So with that in view, I know in the past they have come out with a proposal and there have been over the last year multi proposals on ways to reform the MLAT process.  Is there any merit in looking at some kind of a staggered process which seeks to incentivize raising Human Rights standards in different jurisdictions so as to become a part of that network where there is a minimum threshold that participating jurisdictions should meet and beyond that minimum threshold develop different steps and within that framework they can get more power or rights.

>> CHRISTIAN BORGGREEN:  What a good question.

>> That ties in very well with what I think we need to be working on over the next year which is how to answer this question and the idea of a staggered implementation has a lot of promise to it.  The question in the U.S. if we come up with an agreement with a country that enables them to circumvent the MLAT process that means the demand from that government doesn't need to be reviewed by a court in the U.S. and it doesn't ‑‑ from the kind of Human Rights perspective of trying to maximize privacy protections for as many as people as possible, losing that probable cause standard is like a loss. 

It's not like going into a negotiation saying we will do away with the very high standard of protection that exists doesn't seem like a path forward to many advocates but there have been a number of proposals with the idea that if you can get more government with a lower standard to promote privacy, so isn't that a positive development?  And I want to see if we can find out some way to move ‑‑ lift all boats to probable cause standard, figure out how to ensure when companies are handing over data it really abides by the standard which I think is pretty well reflective in the proportionality principal which were the coalition signed by hundreds of Civil Societies around the world.  So yes, so I think looking to the necessary proportionate principals is a great guide.

>> CHRISTIAN BORGGREEN:  What should we be doing?  What should the companies and organizations be doing until the next IGF discussion on the same testimony next year?  20 seconds.

>> Fundamentally there's a challenge to facility the interactions between the stakeholders and initiatives working on this, and the fundamental expression we put forward is to work collaboratively on due process standard across borders.  Due process is already difficult to do at a national level but the big challenge is establishing due process standards across border and that has a large number of underlying elements but as a hook that's the objective, developing framework for translational due process. 

>> CHRISTIAN BORGGREEN:  You, please?

>> Okay.  In order to reduce the conflict among different jurisdictions it's essential that the government, the society and the law enforcement from all over the world make discussions and meetings to establish as (indiscernible) judicial requests.  And to protect user's rights it's essential that the legislations about Internet issues especially across border data requests be a result of very open and previous discussion about the stakeholder inside and between them.   

>> CHRISTIAN BORGGREEN:  Thank you so much.  Paul? 

>> PAUL MITCHELL:  What both of them said plus at least within the U.S. and hopefully within other countries that governments should actually begin to relook at how their national laws interact within the digital age across the board.

>> Well, I think I'm really glad to hear that Neide mentioned that it's important to have the participation of society in all this debate.  And also I think we need to find ways in which we improve efficiency of the process to decrease the time that takes for judges and prosecutors to have the information they need and transparency for sure.  I think it's one of the main issues at stake.

>> In addition to the answer I already gave about how to strengthen privacy protections for everyone, I would also note that government transparency is crucial issue.  This is not something that can be addressed solely by companies doing transparency reporting.  So it's something we would like to see continued to develop and improve in the next year. 

>> So the next IGF I probably also autumn.  We will have a review of follow up given by existing recommendations that, review is under way by June next year the report will be presented to the cybercrime committee.  I hope we will have consensus of the parties of the convention on article 181 B regarding subscriber information so we have a legal basis in the Budapest convention for subscriber information.  I hope ‑‑ I know because we already agreed that we will have a range of practical measures implemented by them in cooperation with service providers to include such cooperation who by the way can also participate in the negotiation of the protocols and by June next year I also hope we have a decision by the cybercrime convention committee to start negotiation of a protocol to the Budapest convention.  These are deliverables we can hope as delivered by the next convention. 

>> CHRISTIAN BORGGREEN:  So why don't we try and aim for that all together at the next IGF, we will be talking about how we all delivered solutions we are discussing rather than talking about how they should look in the future.  It's lunchtime.  Please join me in a round of applause to all the speakers here.  Thank you so much.

(Applause)

(Session concluded at 1:33)

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 678