FINISHED - 2014 09 02 - Internet and Jurisdiction Project Flash Session - Room 2

FINISHED TRANSCRIPT

NINTH ANNUAL MEETING OF THE INTERNET GOVERNANCE FORUM 2014

ISTANBUL, TURKEY

"CONNECTING CONTINENTS FOR ENHANCED

MULTI‑STAKEHOLDER INTERNET GOVERNANCE"

02 SEPTEMBER 2014

11:30

INTERNET AND JURISDICTION PROJECT ‑ FLASH SESSION

***

The following is the output of the real‑time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

***

>> BERTRAND D.: You have on the table a brochure that we have distributed in significant number of the bags, but we didn't expect that there were so many people attending, so you may not have had it in your bag.

I want to launch this presentation and open the floor for questions and discussions afterwards.

Without further ado, the first element that I want to highlight is that it is a status update.

This is something that we will want to do at every IGF. We have had IGF workshops every year since 2012. We will have another one this week on Thursday in the afternoon under the theme will cyberspace fragment under jurisdictions.

I want to make a statement that this is a present statement of the current status it is not finalized regime framework and it is also basic for getting feedback input and on where it is.

So the starting point is to discuss what is the background. Why are we here and why do we need to do something and one of the big challenges that I do not have to detail too much is the fact that it is extremely difficult to define and determine on the traditional geographic criteria what are the applicable laws in an environment where the services and the Internet and platforms are across border. And let us remember that there is a huge benefit that the Internet is transborder. We need to keep that in mind because we're taking it for granted. But it is actually important to preserve.

The fact that the platform, the operators, the servers, the users and many intermediaries are in different jurisdictions is in different location is actually bring ago set of criteria for determining potential competing applicable laws.

This is particularly true in situations where we're dealing with content or speech where the laws in the different countries are very different.

To give you a very concrete example without going very far, in France and in Germany the rules applicable to hate speech or to antisemitism are completely different from the rules in the United States, which means that things start out perfectly in the U.S. are illegal inure up and if you are using a platform located in the U.S. but are you using it in Europe, the question is what is the applicable law and jurisdiction is a big question.

So the end result of this extension between the cross‑border and the Internet services and the fragmented nature of the legal system today is that is there are pensions between the actors. They are not understanding each other. They are conflicting of requirements and needs and, so, the result of this situation is that we do not have an international framework. And there is a big distinction between the governance of the Internet of the logical layer and the names, numbers, the IP addresses and so on and what I call, by lack of better word, the Governance on the Internet.

What are the rules that apply to what people do on the Internet, the good things they do and the bad things that they can do? And, so, there is no overarching framework for the Governance on the Internet, and the end result is that very naturally people use the tools that are available to them, and that includes a proliferation of natural laws that have no guarantee of being compatible, and, on the one hand, is sort of re-territorialization of cyberspace, but also extra territorial extension of sovereignties when people are leveraging the location of the operators in one particular Country to make sure that their laws apply also extra territorially.

So we're in a situation of legal competition. Collision of laws and potential fragmentation, it's a very loaded word and we will explore it in more detail on Thursday. So I don't want to belabor here, but it's clear that we're in a situation where each individual decision may seem perfectly coherent in the short term, but the communicative effect of all those decisions may destroy one of the benefits that we are getting from the Internet.

Which leads to a situation that in the international system the traditional loads of State cooperation do not function well here. There are no international treaties, no harmonization of content rules, of course, but also the mutual legal assistance treaties that are used for criminal issues are not functioning, they are too slow and they do not cover issues that are not criminal. There are many situations where there is new, so‑called, dual incriminations. Something is illegal in one Country but not in the other.

So in this context the result is an increasing direct transborder request from law enforcement public authorities, Governments of all sorts, DNS operators can be DGTT and also the Google and Facebooks of this world that are located in another Country. And this for three things, basically. Domain seizures, content take down and user data.

If you think about it and you're in a Country and I used to be a French representative in French government for those issues, so you are concerned that something has been posted in another Country that is illegal in your Country, you have three reactions. One, you want the domain to be taken down. Or you want piece of content to be taken down, or/and you want to have the information about who has posted this to make prosecution if the person is in your Country.

So, the problem is that the current mechanism of sending that request lacks transparency and clear procedures. It is under the responsibility of the operators and the platforms to make decisions, but the way the requests are being sent, the way they're formulated, the formation that is provided about them is not really detailed. And, so, in that context, it seems that some framework is needed for that very specific set of issues. Transborder requests for domain seizures, content take down and access to user data. In order to make sure the co‑exist tense of different laws in those shared cyberspaces, we have stumbled upon the notion of proceed usual interfaces. So, in another words, there is no harmonization on substance, but there will be and there can be harmonization of form and procedures to establish in a form of probability between the actors in the triangle between states, the platform and operators and the users.

The main objective and main background criteria is to introduce process, transparency, and also predictability in the decision making, and I'll come back to that afterwards.

So what is the project itself? It was launched in 2012, the beginning of 2012. It was Paris based secretariat in France. It's a neutral facilitation platform to discuss this and the development of a framework and it is an observation that now contains 33 international experts institutions that include Oxford, Harvard and many other international places. I see some in this room. And a dialogue process, so the purpose of the observatory is to keep track of trends and produce a monthly newsletter with cases and, Paul, if you can throw the two. We have published and you can have them online if you use this little card with the address. We have produced for 2012 and 2013 a compilation of the cases that have been selected. There are 20 in the newsletter, there are 600 plus for the newsletter, and this is the compilation of the more than 800 cases for the two years.

But the project is also and probably most importantly the observatory is there to support and provide evidence for this discussion. It is a multistakeholder dialog process, and the goal is to get people around the table to do something that is, I think, too rarely done. Usually people have a problem with each other. They are grumbling that this actor does don't that or I made a request that didn't go through or you are adopt ago law that is not working.

The goal of a multistakeholder process, whatever it is, be it a workshop here or any on‑going discussion, is to turn problems that people have with each other into a formulation that is the problem they have in common. And the problem that people have in common is how do you find the framework and rules to organize the interaction between those actors that respect human rights and the concerns of the different legal authorities.

So to do this we have organized, as you can see here, a discussion process with more than 70 entities, not all have participated to the same level. There is probably a core more committed group of 30 actors, but overall public authorities from the different countries that you can see institutions, the technical communities, society, so we had, in particular, made an emphasis to involve countries such as India and Brazil, who are very important players in this respect. Not only by the number of people but also by the approach that they are taking on those issues and the problems that might be facing.

Likewise, in society the technical community is also involved. So you can see the list here. That meant 15 meetings in ten countries and we participated in more than 20 countries as well in the last two years. And the outcome of this process, or the objective, is to develop what can be described as an operational, I insist on the term operational. This is not a think tank exercise or academic exercise, however much respect there is for that, it is an operational effort based in cooperation with academic research. And a multistakeholder due process framework for the submission and handling of direct transnational requests for domain seizures, content take down and access to user data on issues that are mostly related to user generated content or harmful behavior, like fishing malware.

This objective is actually achieved in the following way. The first two years and all the meetings that I mentioned have led to the identification of six building blocks for a potential framework. And in the six building blocks they can be distributed in two columns, basically. The first column is dedicated to how requests are being made. And this includes questions of authentication.

I receive, for instance, at a platform, an Email from somebody who says I'm the law enforcement agency in Kenya and the address is a Yahoo account. Is a natural effect. Access in many of those countries have huge constraints so they are using a normal Email to send that kind of request. How do you authenticate this?

The second thing is what is the request format? What should it contain? Today you have anything from a flimsy sheet of paper to a very structured document with all the information. How do you establish transparency report something today each platform is doing a transparency reporting but there is no enter probability or standard for the information. So traceability is extremely important.

So that's ‑‑ lie probably reuse the expression. It's a bit of plumbing. It's how you format the request. How do you send them and so on.

The most delicate issue is, of course, the other part, like how they are handled when they arrive at the companies. And they are being screened and decided. And here there are questions of who makes the determination. What is the respective role of courts, platforms, operators and other actors. What are the criteria? What are the procedures? In particular if we care about due process, notification of users and contradictory procedure is a very important element

Finally, not to mention appeals, of course. And finally, when you implement the decision, whatever it is, one of the technical constraints that you should respect to not harm the infrastructure and what are the dispute management mechanisms. I'll come in more detail now.

So basically at the end of 2013 there was a general agreement among the participants of this process and, again, it involved the different actors I mentioned, including the Google, FACEBOOK, Yahoo and others, but also Governments in different countries.

On the existence of those six building blocks. And the discussions since then in 2014 have led to basically a deepening of the understanding and the following components that you will see described when you pick up the brochure that is on your table that you can take away and see afterwards, but I will describe them now. Keeping the two dimensions that I alluded to before. Request submission and request handling.

On the request submission, the framework that is immerging is based on two elements, request format and neutralized database. So the common request format is very simple. If you think about an analogy, when you create an html page there are market tags that say this is the title, this is in bold, this is in this, this is in that. And the benefit of this is that you can have different readers and different production tools once it's being sent it is compatible because it's interpretable. People share the same set of market tags.

Think of it in the same way for the request. Whatever the sender of the request may use as a software to prepare the request, whatever they may use on the other side, the idea is to have a set of market tags that not only allow to structure the request, but also to highlight what is necessary in the request. And this includes the notion of points of contact in the requester and the requestee and, that means that, for instance, in one Country the law enforcement agency or the courts and so on would have one gatekeeper of sorts that actually validates the authenticity of the request. Not necessarily the content but the fact that it does come from an appropriate issuer.

The second thing is the request needs to contain the type of the request that it's a domain seizure and it's a content thing and access to user data but it's also to include in certain way the rationale to say it's a content take down but it's for reasons of hate speech or for reasons of defamation or other types of key words so there can be traceability and statistical analysis.

That is extremely important. As a human rights principle and as a due process principle any restriction of an individual freedom should be based on law. That means that any request that is being sent needs to be able to make a reference to the actual ‑‑ actionable law in that specific Country and the procedure that should be followed. Like, for instance, is it an article of the constitution that is relevant? It's a particular law regarding Internet? Are there particular laws regarding the press that are transposed for internet matters?

But also on those issues, and that type of request does the national procedure require a warrant or code decision or not? Society may seem mundane, but the sort of compulsory presence of that sort of information in a request is something that raises the bar of due process from what it is today. Today you get requests and the national basis not necessarily known.

Finally, elements regarding request details, the specific action and the specific fact, user ID, the video ID, the picture I.D., et cetera. So that is as granular as possible. And whether the action is, for instance, content take down, permanently anywhere or a jewel localized content in accessibility for limited period.

So documenting this type of request is extremely important because it facilitates the decision making on the other side. But that is extremely important, as well.

Any request should contain a justification for necessity, proportionality, potentially urgency, and very importantly, confidentiality.

Why is it important? The fact that the regime is focusing mainly on issues related to speech and content related allows to establish notification of the user as a default. What is not the case always, it's a fundamental element that allows defense and the fact that you have notification of the user by default requires that there can be exceptions that will require confidentiality. So this is why in the market tags there is Annie valuation, a placeholder for any comments saying for the following reason this particular request should not be notified to the user.

You may be aware, I don't get into details but you may be aware that there are discussions going on at the moment on cases in the U.S. regarding whether non notification of the user can even be forever, because there are situations where there is a gag order that says you cannot tell the user that there has been some thing about him and this should last forever. And there is a discussion not decided yet that whether this is constitutional and whether there should be a limited period.

Anyway, having conditions for confidential, it is important.

The interesting thing is that once we have a request format of that sort, it can be coupled for specific types of neutralized databases that constitute the plumbing of the system.

The first one is the points of contact that I mentioned are listed in registries to facilitate authentication. And the discussions that are going on point to possible roll of entities like Interpol, Europol or other police corporations in maintaining the registries in question. That would not be exclusive, but it's one of the options.

Likewise, on the other side, the different platforms and operators will of course maintain a registry of their points of entry, which is if you have a request to send, please send it to this address, which can, in different cases, be subdivided. It can be a specific ad dress for request from one region or specific address for request of a certain type, et cetera. That will be up to the actors.

Think of it in terms of analogy as the port that is used in networking. There is a specific port for that type of request and they can be sub divided.

The second category or the second database is related to traceability. You may have noted that in the request format there is information regarding who is sending it or actually I didn't mention it in that slide, but there is information about who is sending it and where it is going to. The type of request, the rationale.

Those elements are not detailed enough to be related to a specific request but there are statistical elements. And the idea is that the system would capture those neutral statistical metadata the moment the request is being sent to feed a neutralized database of traceability that would function in open data. So that will allow, provided that the standards is shared, a diversity of entities to mind this data to produce different types of transparency reports. One would want, for instance, to track whether defamation requests are growing around the world.

Another one will want to see how many requests have been sent on video issues between one Country and one particular platform, for instance. So the idea is that there is a benefit in neutralize go this information and in particular in making sure that it is collected as automatically as possible.

The third element is extremely important and it is connected to what I was mentioning earlier regarding the explicit mention of the legal basis for request.

As you know, every single large company is maintaining in‑house a database of known laws, quote, unquote. And this database much known laws is a huge endeavor as anybody was trying to do anything of that sort it is 190 countries. The laws are changing constantly. There is jurist prudence. There are international treaties. It is a huge task. And not only it's a huge task for each large company and a duplication, because each of them is doing it again, but it's completely inaccessible for the smaller companies and especially if you are a start up you're launching your activity, it's accessible worldwide and there is no way you will have a legal and human resources to set up that kind of database. Society makes perfect sense for just that reason to have a neutralized database of legal references related to those types of requests.

But there is another reason why it makes sense is that it's a huge endeavor so if you want to be exhausted from the onset, you're thinking about big numbers and big costs. The fact that it is coupled to the request allows potentially to build the database from the bottom up each request at a time. Like fair au monies or leaving a trail. So every time there is a request coming in the part that is related to what is the relevant law and procedure feeds into the database. So that is a benefit.

There is a danger with that, because how do you ensure that it is exhaustive, that it is accurate, that all the dimensions are taken into account? This is why this legal reference database needs not only to be neutralized but also to be by a certain way by third‑party actors. So law firms, scholars, individual companies and any other type of initiative can inappropriate manner enhance the database, make it more complete, validate that some ‑‑ I don't want to go as far as a Wikipedia type of thing, but there is a community around this database that needs to be built in order to make sure that it is as exhaustive and accurate as possible.

And last, but not least, a law database is necessary to keep at least the trace of the request I.D. number, the time stamp and where it came from and where it went

At minimum having one log database that says the request that went through the system are identified. The question may be interesting to explore, but it has delicate consequences is whether more information should be in this database, including the actual content of the request to enable reviews or picking one request to see how it worked.

But the moment you put more information in the database or log database, the question of access becomes a big question. So there is a balance here that will be discussed in the coming months.

So that is the plumbing part. A request format and neutralized database to ensure transparency, legal references and so on.

Now, if I move to the second leg, how requests are being handled is the tricky element because the goal is to develop shared procedures and norm mechanisms. Here is goal is to have more predictable decision making. And to establish or to explore dispute management mechanisms.

The current decision making in those issues is relatively simple. It is reception of the request by the platform or operator, checking whether it is receivable, it's complete or not, then the platform makes a determination with or without the loop of notification of the user, because there are cases where they do and cases they don't. There is a decision which is yes, we accept the request, no, we refuse it or we propose a change

Change typically is request being made for global takedown, and the response is no global takedown, but a GOYP filter nonaccessibility for a certain period, for instance.

Then it goes to implementation and it is a very heavy burden for the platforms that they have to do and they have a lot of internal procedures, but there are relatively closed and opaque and the criteria are not always extremely clear. Most of the time it's on the basis of the terms of service and those of you that have made the effort may have seen that in the last few years the terms of service have developed very significantly in terms of the level of detail and in an attempt precisely to provide more clear understanding of what are the criteria that are going to be applied.

So the idea is how to make this even a bit more predictable and a bit more manageable to the benefit of everybody.

The first thing is adding user notification loop by default, as I mentioned earlier. With potential exceptions, but justified, the notion is there should be a loop in that regard.

The second element is, although there is no way that we'll be in harmonization on substance, as I said before, it's perfectly possible, as seems to be the case, to develop shared procedural norms, standards, and criteria. In particular, it is obvious that the territorial criteria cannot be absolute black and white where oh, okay, it is simple. The territorial criteria says it should be the law of this Country or that Country.

In many cases there is a set of criteria that actually pull in different directions. And taking into account the different criteria that justify application of one law or another, is one of the difficult tasks that the platforms are doing today. So, the discussion that we're facilitating is actually aiming at producing an agreed set of criteria that the platforms would also use and the Governments can understand will be the basis upon which the decisions are going to be made.

And finally, because there is a set of criteria in most cases and there might be pulling in different directions, the idea as emerged is what about a panel or panels in the plural that could provide advice for companies who are caught in a situation where they feel that the criteria are not going in a clear direction. The advice would be non binding, the composition of the panels or panel is still a discussion to have, but this is something that has emerged as a potential facilitation and a potential improvement.

So that's the first leg, and if you look at the brochure, it's the first column in the second block. The most delicate situation is you can do the plumbing as much as you want. You can improve the circulation, the transparency, the whatever. There still are situations where people don't agree. One Country has requested something and the platform says, well, we're sorry, but no, for the following reason.

So the first element is that when the answer is not documented or when it is not even coming, because there are situations where there is even not an answer to the question, it is frustrating for the parties and it's increasing tensions between the actors and the government, in particular. But, even when there is a documented response, the situation can create and maintain tensions. And there are no channels of interaction today that are pre‑established to alleviate the tension between the platforms in one Country and the governments in another Country when there are public order issues or a real discrepancy between the different national laws. And, so, because there is a risk of escalation, there is a request that is being made. The content is really triggering some kind of problems locally, then the platform is being blocked, then there is a recourse in the courts and this goes on and on and on and at one point it triggers the adoption of a new law in the Country that is actually fragmenting, et cetera, et cetera.

So, when there is no channel of interaction, this is what happens. So the idea is can there be additional transnational mechanisms that can safeguard the users right and I did fuse tensions? That includes procedural appeals on the basis of the shared norms and standards that we mentioned before, but also something new which is a pre‑determined facilitation mechanism. If you think about it, there is no way we can have an arbitration system really between a government on the one hand and a platform on the other side. I mean, this is not the way it's going to work at least in the foreseeable future. But at the same time, having something where a facilitator that would be accepted by both parties that would be pre‑agreed in terms of procedures would basically bring the parties together. It can be just oral, it can be a teleconference, it can be a very urgent matter if there is a problem, to basically say, listen we're in a situation where the criteria are not clear. The evaluation of the actual danger locally or the actual infringement is not so obvious, can we try to find on a case‑by‑case basis the best, I wouldn't say balance, but the best respect of rights of the different sort and security issues and legal aspects and so on.

And the facilitator may achieve the result, like the parties do agree on a solution, and here it is fine. But if the parties don't agree, the idea is that the facilitator can provide a so‑called best advice. Like situation is difficult but my best advice is do this. And here there are conditions, or there should be conditions under which the operator follows the best advisor not and if not, how it provides enough justification from the reasons why it is not being followed.

So this is in a nutshell the introduction of a sort of architecture to diffuse tensions. To facilitate dialogue. Facilitate day log to develop the framework as we've done in the last two years and it will continue necessarily to update this framework, and also facilitating dialogue to diffuse tensions in situations where there is no clear answer in international law on which law should prevail or which decision is the optimal.

Once again, request format, come and request format. Neutralize databases, improve work flow with shared procedures and norms and criteria, and dispute management. So we're getting to the end

The work plan in 2014/15 is relatively simple. Generally speaking it's refining this framework and putting it to implementation. So getting to technical specifications because we now have reached a level of clarity I think on the two elements of databases and request format that allow to move to the technical specification of the plumbing, tore system.

Second, documenting and formalize go the immerging procedural norms and standards to give you a very concrete example, both in turkey and in Pakistan the courts have made a decision that blocking an entire platform because of one piece of content is not proportional. This is an immerging norm that will be documented because it's immerges and it appears in other court decisions.

And there are a few other issues regarding conditions under which access to user data should be granted. Conditions under which a domain name should be taken down, in particular there is a growing recognition that domain seizures, per se, are not a content control tool and that they should be dedicated mostly to situations where there is fishing, malware where the cite it self is actually harming the infrastructure or the rare cases where the content, the whole activity of the site is dedicated to a content that is sufficiently broadly illegal. So these kinds of norms is the second element, how to document them and make the list of criteria.

And finally, defining the dispute management procedures, it's clear that the next bullet point is an essential element, because these things require organizing meetings, traveling and facilitating also the participation of a certain number of actors. So increasing the resources and the human capacity of the project is important. And I take the opportunity to make an open call for anyone who has the capacity to help us identify additional funders, it's welcome.

Prepare the pilot implementation, and fundamentally I finish with just a list of a few questions that we are now addressing or confronted with, and I will open the floor. But you can see some of these, like if there are neutralized database, what are the respective benefits of having a structure that would manage them centrally and have economies of scale, or is it better to distribute this responsibility with a set of actors so that there is a sort of cluster of people will become interested in making sure that these database are correctly maintained?

How to assure the accuracy of the legal reference database. How to compose potential advisory panels. What is the procedure for dispute management. These are the concrete things and, of course, case studies and examples and best practices from various systems will be integrated.

So, that's basically it for the presentation. I hope that it provided a glimpse or a better understanding of what the project, the initiative, the framework is, and where we are in the discussion. You can get more information on the site at internetjurisdiction.net, where you can subscribe to the newsletter every month, the Twitter account is here, and this is our address, if you want to contact and talk to us.

So, with that, I think it is time to open the floor. If you have any questions or comments or any contribution to make on those topics.

Who is starting first?

>> ALLON B.: Hi. My name is Allon Bar with the Ranking Digital Rights.

>> BERTRAND D.: With the?

>> ALLON B.: Ranking Digital Rights.

>> Bertrand D.: Okay.

>> Allon B.: I have a question with dispute management procedures that you've explained, or devise some possibilities in which they could go.

It seems that the dispute management procedures strictly focus on the interaction between government and companies; is that correct? So my question is: how does a user get involved in this? So you've introduced the possibility or the obligation, to some extent, to have user notification. What is the user's right to remedy and how is it possible to perhaps introduce it somehow in this passage of framework? Thank you.

>> BERTRAND D.: Two elements to your question. It's a very important question. One element is whether the users individually can initiate something at the very and make requests themselves. beginning but that will provide a sort of frame work. So there are similarities, but in our case we're dealing with requests coming from mostly public authorities. For the moment this is not what has been the focus. We understand that there is a question about this. The first focus is the request that currently the platforms and operators are receiving from the different law enforcement and entities.

That being said, interestingly enough, there is a very clear case now in a different space of Usury quests with a right to be forgotten discussion in the European union, or European court of justice and we are actually having discussions with some of the people who handle those issues in the different platforms and at Google because it's raising exactly the symmetric question of how do you handle the number of requests and what is the procedure for the number of requests? It will probably have ‑‑ ring a bell when we talk about advisory panels and things like that. We have developed that in the last year and, so, it was interesting to see that on the right to be forgotten. Google had established that rapidly, an advisory panel, that we will not deal with the individual cases, but that will provide a sort of framework and that sort. So there are similarities, but in our case we're dealing with requests coming from mostly public authorities.

There is a second leg to your question, which is, in the appeal mechanisms and in the dispute management, I may have orally emphasized too much the dimension of the relationship between the government and the platforms. You're raising a very valid question. On the appeal process, the procedural appeal, it seems relatively obvious that there should be an avenue for individual users to say, for instance, the norms or the criteria have not been applied correctly. That is clear.

On the dispute management, it's a very delicate issue. It is not sorted out completely. Here again the focus has been more on the direct relationship between the government and the platform, but a very interesting case of question is in some cases is there a possibility that the facilitation tool involves if not the user himself, but a representative of the user. Is there, for instance, a sort of tripod discussion. In which cases can there be a tripod discussion. This is the type of questions that are under discussion at the moment or that will have to be discussed. But it's a very important question. Where does the user fit in here? And, to be frank, one element that I didn't mention but has to be highlighted is the capacity to be represented is an extremely important element because in some countries the very fact that you have to respond is revealing who are you and, so, this is something that has to be taken into account.

Any other comment or question?

>> PALANES: Thank you. Palanes and some others, GTLD.

You talked about the confidentiality and the fact that in some cases the user should not be contacted. I understand that he should not be contacted because this is important that he stays anonymous in front of the government agency or something like that, because I don't see why a user shouldn't be contacted, except if it's just to respect his anonymity.

>> BERTRAND D.: That's ‑‑ go ahead.

>> PALANES: And if it is the case, maybe there is a feature, another feature for this platform, that is very simple, and that a lot of registries are currently doing. It's contact the user on behalf of the law enforcement agency, or of the IP lawyers, or anything like that, to protect his identity, but inform him that there is something that is happening.

>> BERTRAND D.: As a matter of fact, thanks for forcing the clarification. This is exactly the way that it is supposed to function. The contact the user loop by definition is through the platform because in most cases the information is not available to the requester and in some cases the retester is precisely requesting to get this information.

So it is indeed the second element you mentioned, it's the operator that is in contact with the user and is connecting

On your first question, it's probably a little bit more complex because it is not about protecting the Anonymity. There are situations where although it's speech related for whatever reason, there are elements of criminal investigation. There can be cases where it is criminal and there are elements, it has to be exceptions. I fully agree. But there are elements where revealing that something is underway is potentially changing evidence or changing the situation. So these are the questions and, for instance, one of the actors we were interacting with in checking this thing raised the point that is not incorporated yet in the slides but that it is an important element of the framework is who has the custody of the evidence.

There is an element for instance for those that are familiar with the UDRP, the universal dispute resolution procedure for domain names, is that it was revealed recently that apparently WIPO, the moment they receive a UDRP request takes a snapshot of the website under this domain name to produce as evidence to the panels of the UDRP that are being put in place

And a lot of people have raised concern about that because, first of all, what is visible in Country, what is visible in another Country can be completely different. How do you make sure that the evidence has not been spoofed in one way or the other to present knit a way that is not what was accurately on the site et cetera, et cetera.

So in cases like this one, the ones we address, what is on the side? What is being posted and so on? There is an element of the chain of evidence that has to be taken into account and it's part of the due process mechanisms to also integrate those things.

But so answer your question, the exceptions are situations where, and it has to be documented, I hope, the communication of the fact that there is something going on is likely to be harmful to the process. And, by the way, I take the opportunity, because Afrinic is one of the participants and supporters of the projects so I take the opportunity to thank him publicly.

Go ahead.

>> BILL W.: Bill Woodcock, PCH.

When you talk about authentication mechanisms to the parties of this platform, are you envisioning this as being primarily implemented tech Nick logically using cryptography for instance or bureaucratically using human implemented processes?

>> BERTRAND D.: Well, it's a combination of both, and this is why I was talking about we're getting into the stage of the technical specification for that. The human part in a certain way is the identification of the point of contact. It's the fact that there is at least in the first instance it can be detailed more precisely afterwards. But fundamentally the idea is to take my previous example, if there is one person in Kenya, one authority in Kenya that basically says at least in the pilot implementation and in the beginning of the system, all the request that is will be sent to this ‑‑ through this format will go through this person to say yes, it is somebody at the right because the authority also that plays a role. It is not only is it a legitimate law enforcement entity it's also a legitimate law enforcement entity if they have the right to do that in the procedure. But this gatekeeper is basically the responsibility of saying because I identified technically in the system as the sender, say this is coming from an authorized law enforcement entity in my Country, it is the validation and the authentication.

To make a comparison for instance with the work that is going on in ICANN on the EWG regarding the directory services for the reform of WOUZ, they are conform wed a slightly different problem. Here is a database that has actual substance and what is at stake is not only authenticating but managing the rights of access to different Pcs of this information. In the case of this regime we do not have to manage rights of access. It's purely this is indeed Mr. So‑and‑so or the entity so‑and‑so in the Country that is sending the request.

So it is basically embedding in the technical layer a trust network that is recognized. Of course, there has to be accreditation mechanism, but if I may be labor just one minute on this, there was one important question at first, which was is this going to be a closed regime with high bar of accreditation and acceptance like only some countries would be allowed to take part in the system with obligation of having ratified 23Ts on this and that. It rapidly appeared that it would be difficult to implement. Where do you put the bar? Second, who has the thor tight e to basically say yes you, yes/no. You, no. So the solution that has been adopted is to put the bar in the request format and to make sure that the information that is provided, that the documentation of necessity of proportionality and so on is de facto raising it to a level that is as high as possible so that after all even countries that have a very bad legal system and so on, they may have a real concern sometimes. I mean, let's be Frank. And vice versa, there are countries with very good systems that may abuse it, but never mind.

So here the notion is the request format is basically the bar and even if an actor that doesn't have all the credentials elsewhere, if it is a valid request that is properly documented, it can be addressed.

>> MALCOLM H.: Thank you. My name is Malcolm H. I'm from the London Internet Exchange and also the chair of Urwhispers, which represents Internet services providers, access and hosting products across Europe.

Since I last engaged with the workshop in Paris, things seemed to have developed a little so as to maybe I'm getting the impression that you have rather de‑scoped your ambitions somewhat in two ways. Firstly, the discussion today, the explanations today, have been very much focused on transnational platforms, and you focused on the engagement that you have had with the major or some of the major transnational platform operators, FACEBOOK, Google, Microsoft, Yahoo; where as when this project started, I understood that it was ambition was to be to develop a process that would be applicable and useful beyond not just to that segment of the market but in deed to other operators, potentially much smaller operators and not necessarily in that providing those types of services that they offer.

And, certainly, the types of actions that are being requested speak to things that go beyond the services that those operators offer. You mentioned domains for example. And certainly when it comes to, you know, the law enforcement request to suppress content on the grounds that it is illegal, you're not really going to be satisfied with just getting it off FACEBOOK. The aim there is to get it off the Internet. So then you need to look to see whether the process that we're developing really meets the standard you set for yourself as being a transnational geo process. It could be useful and applicable to the range of service operators that are out there. So that it can meet the law enforcement need of not getting it off FACEBOOK but getting it off the Internet

And looking at how this is developing the other area where I see that you appear to be de‑scoping is actually in the due process element. There is a very developed focus on the requests submissions which I'm afraid looks rather like it that is the easy bit. There was in our workshop in Paris really a consensus that the core of this was around the decision‑making process, the adjudication process. As an operator, we have a request coming in saying that this material is unlawful, please will you remove it. And you have a customer who is paying you or otherwise providing value to you for having it there and you need to decide whether or not to do that.

Now, if the thing is unlawful under the law in which ‑‑ under the law of the Country in which you established and your person making request is law enforcement authority from the Country in which you're established and there are procedures for doing that, then all that is simple but once you get into the transnational space, then that becomes much more difficult. And what we are looking for is things to support how would we answer that question.

The request submission end of it, these are all things that enable a transnational geo process to be capable of happening, but they are not an establishing satisfactory in no way amounts to a due process element.

In many cases where you are looking to suppress material, to suppress somebody's expression or to otherwise engage with their ‑‑ do things that would engage with their fundamental rights, you have essentially a requirement to, if you are saying you're doing a due process, to actually see how the balance of rights should be ‑‑ should result in an outcome in the given case. Sometimes one way, sometimes the other.

Now, to be honest, a lot of this isn't, you know, it rather looks like you put that to one side and focused on the mechanical or administrative process of executing the request, but I'm certainly what you said a moment ago about whether or not a user would have a right to be represented or indeed to ask themselves, no, hold on a second I don't agree with this request.

In a ‑‑ I'm struggling for the words here N a general sense, as in a universal list sense, the user must have that right if you have any sort of due process.

This is the distinction between dealing with specific platform operators and dealing with the market as a whole. Nobody has a fundamental human right to engage in their freedom of expression on a particular platform. It is not somebody's fundamental human right to have a FACEBOOK page, you know. The operator there has a right to say well I don't want this on my platform. But once you extend this across the market so that you're not just trying to take this ‑‑ something off FACEBOOK or YouTube or whatever, once you're trying to make sure it is no long other the Internet, then the human rights of the person who is doing this are engaged at that point.

So if that's the ambition, and that is indeed the ambition of the law enforcement side requesting party, then if you are going to say that you have a due process element, you have to meet standards generally acceptable standards of due process, not ‑‑ I know the term is one that comes from American law and I don't mean the exact standards to reply in the American context need to be applied at all, but generally there are broadly accepted expectations of sometimes in European society it is sometimes called natural law or fair process rights or so forth, which include things like the right to be heard in your defense. The right to challenge. The right to an independent decision maker.

Now we don't have a right to an independent decision maker vis‑a‑vis YouTube. YouTube that have a right to decide what they have on their platform, but if you're going to apply this generally for the purpose of insuring that this is a mechanism for law enforcement to ensure that their laws are applied across boarders for the internet generally, and if you are going to say that you have a due process mechanism then you need to start to look at both things. That seems to be so far undeveloped.

>> BERTRAND D.: Thank you for two reasons. The first one is you're absolutely right on the ‑‑ apparently limited scope that I've presented today and I want to highlight that this is not limited to the kind of platforms that I was mentioning. Particularly because, for instance, significant number of DNS operators and TLDs are part of this exercise, as you know, and one of the elements is, as I mentioned in the presentation, to make sure that the norms and criteria that apply to the domain seizures request are along the lines that I was mentioning. So basically there are different types of requests and different rules that apply on the platforms that host content o the domain operators, on the ISP and mobile operators, in particular, but also on the IP registries.

For instance, the IP registries have a desire to make sure, and I think it is valuable, that the request that may be addressed to them are basically diverted because it's not the right layer to address content issues. It harms the infrastructure. It has collateral damage and so on.

So part of the discourse is actually, indeed, the range of actors that are potential interlocutors not to set target to the request so that only the appropriate type of proportion request is being handled. So in that regard, the first part of the system and the request format may look like mundane in plumbing, but it is an element that embeds the criteria that I mentioned in the second dimension to make sure that all this different interlocutors have elements to refuse or accept the request. So I confirm that the range is broader than just the companies that I was mentioning.

On the second element, first of all, I think it is a great testimony to the value of this discussion that more and more of the business operators, including you and also the platforms and the workshops that we're organising are actually the ones who say we need a due process thing.

It is sufficiently remarkable to be noted. Normally it is should be a civil society group that says it is not acceptable. It's remarkable that you and a few others are going in that direction.

Two elements, finally, because we're running out of time on this to answer directly. One, I reaffirm, if I was not clear enough, that the notification of the user by default is fundamental element that I think goes in the direction of embedding due process in there.

The second component is as important but more delicate. The right to an independent decision maker is extremely difficult to implement today because a normal independent decision maker is a national court. And if you want a national court, which one is it, as you perfectly know. If it is a Country that wants some content to be taken down because it's illegal in that Country, there is no way to an independent decision maker whose decision should apply worldwide.

If, on the other hand, we say the ultimate decision maker is the independent court in the Country where the platform is incorporated, okay, we're saying that the law of the U.S. or China or Russia should apply worldwide because you just used one of their platforms.

So the challenge we're confronted with today is going in the direction of due process requires to create independent decision makers. This is where the procedural appeal can relatively be easily independent decision making, because it's procedural.

On the substance element, the goal is to go as close to an independent decision maker as possible without thinking, I believe, unless there is a global agreement to do that, that the sort of court could be put in place that would have all the guarantees. This is exactly the challenge that you're pointing to.

The desire to put in place a due process framework requires, as independent decision making as possible, but the current situation is that there is no such international or transnational structure. And the discussion is also still underway among the different actors who participate in the process. So this is why I left a list of questions.

***