Main Session - Security, Openness and Privacy

Sixth Annual Meeting of the Internet Governance Forum
27 -30 September 2011
United Nations Office in Nairobi, Nairobi, Kenya

September 29, 2011 - 14:30 PM

***

The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

***

 

>>CHENGETAI MASANGO:  Good afternoon, ladies and gentlemen.

[scribes have translation instead of English]

 

>>MICHAEL KATUNDU:  -- as the exchange of diverse ideas and experiences has proven to be extremely useful for our participants. 

 This year, we will focus some attention to cross-border Internet governance issues, Internet of security, openness and privacy. 

 Some examples we hope to touch upon include actions taken by a range of Internet actors -- that is, government, private sector, civil society, among others -- in relation to whistle-blower sites, the seizure of domain names, proposals of blocking of Web sites, and filtering of networks, the role security operations centers and law enforcement can play in protecting the Internet and its abuses from cyberattacks and cybercrime, and the impacts of action taken to cut across -- I mean, to cut access to the Internet for individuals, groups, or entire countries from the global Internet.

Last year, we focused on the role that intermediaries can take to protect freedom of expression and innovation, and we will continue to build on that this year as well.

To keep up with the times, we will also discuss the role of traditional and new media.  (indiscernible) what we have launched in the past year is that these issues should not be traded off against one another.  That is, privacy, cybersecurity, and openness.  Or they should not be seen as opposing priorities.  Instead, what our exchange of experiences has taught us is that these issues are, in fact, very interconnected in many ways.  We must take advantage of this unique multistakeholder gathering to continue to build some consensus around these issues in this regard.

A cross-cutting theme this afternoon, like in previous years, will be the implications of these issues on human rights, democratic societies, and freedom of expression -- (no audio) -- the workshop organizers from the various workshops. 

 In order to manage this session, there will be three moderators to ensure the dialogue.  Our moderators this afternoon are going to be Ms. Katitza Rodriguez, seated on my left, Mr. Lee Hibbard, on my left-hand again, and Mr. Paul Muchene will moderate the remote participation. 

 Katitza, Lee and Paul, I want to hand over the session to you. 

 Are there some moderators I've not introduced?  I guess not.

So I'm going to hand over the session to the moderators and I'll request them to make a very short statement before we open up to the rest of the participants.

You are welcome.  Please be quite interactive.  We really want to appreciate and listen to your contributions to this cross-cutting issue, and we also hope that we are going to benefit from various experiences in various countries, organizations, and various consumer groups.

Thank you.

I hand it over to the moderators. 

 Can we start with Katitza?

 

>>LEE HIBBARD:  Thank you, Mr. Chair.  Hello, my name is Lee Hibbard.  I'm from the Council of Europe.  Welcome to everybody.  Welcome also to those who are connecting remotely with us today.  I hope you're going to send in your comments and your questions.

Just to say how we're going to proceed with this session, both Katitza and myself, we're going to frame it into a first introductory framing part of the session, with comments from the panelists and the moderators, followed by going into the issue of openness as a block, followed by privacy, and then followed by security, followed by a close, a wrap-up, with some short takeaways from the panelists and from the chair.

Before I go to introducing the panelists, I'd just like to say a few words about the whole session.

I think it's clear that we're increasingly interconnected in our everyday lives, in our work, in our private life, online, and I believe that when -- there's no going back, and I think you believe that too, because you're here.

We talk now about "do no harm" to the Internet.  I think that's proof of the fact that we really do care and we really do invest our time and our efforts, because we realize that it's an asset for economy, for growth, for our social connections, for the fulfillment of the U.N. MDGs and also of course to exercise and enable a number of human rights.  And the Internet is proven by the daily recurrences of issues in the newspapers, the concerns, the developments that we hear about on the -- on television, WikiLeaks, the G8, for example, the reports of the U.N. on human rights and business, on freedom of expression, for example, and also the plethora of meetings and discussions about things like principles, parameters for the Internet, and the number of meetings that we all attend on a regular basis.

I think that means that there's a great dependence, certainly a reliance on the Internet, for many of us, most of us, and I think we've come to a point where, as users, we have a legitimate expectation that we can do business, we can express ourselves, we can assemble, and we can associate.

But there is a reality to it.  Bad things happen. 

 As Carl Bildt, Swedish foreign minister, said recently in a regional meeting in Europe, EuroDIG, bad things happen and the Internet mirrors society.  That's a fact.  And quite recently, too, just a point, OSC released a paper, a report, on legal provisions and practices regarding the Internet, and they were discussing alternative approaches to our online content regulation.  I think that's quite telling.  They said, "While rules and boundaries still exist, enforcement of existing laws, rules, and regulations to digital content becomes evidently complex, problematic, and at times impossible to enforce on the Internet, so we need to consider alternatives."

So I think at least for me, that means there's no silver bullets (indiscernible) it's openness and privacy.

On that note, I'd like now to pass to the -- to a quick introduction of each panelist.  I see that Frank La Rue has not arrived yet, and neither Neelie Kroes --

 Ah, Frank has just arrived, so we'll wait for Frank to take his seat.  And then we'll start.

So while Frank is taking his seat, he has written a report on freedom of expression which I'm sure he will mention now, and I think there's a second report coming quite soon.

Mr. La Rue, are you ready to make an introductory statement?  Thank you.

 

>>FRANK LA RUE: I am.  Thank you very much.  I apologize.  I was in -- I was in a working meeting, but I believe that Internet, first of all, one of the issues we have emphasized has to be seen, number one, as a very open space with as little regulation as possible and no censorship whatsoever.  As open a space as can be.

I was just commenting in the meeting I was in right before this that the Internet should be what we call in Spanish an espacio publico, the public square where people can actually come, meet, chat, discuss, organize, and mobilize, and I think this is crucial that we defend this constantly, and in order to use this espacio publico, this public space, we have to feel safe in it, so we have to feel protected in the information we put in it.  We have to feel that our privacy is not being bridged.  We have to feel that those that facilitate the access to it are not being threatened with demands and with the use of criminal law to sanction them.

So I -- one of the issues I have repeated in several of the panels is I am very much aware that there is a progressive fear of Internet by many states, and this progressive fear is provoking, number one, a use of more and more criminal law and I would call the world on a campaign to decriminalize the use of freedom of expression.  With all crimes like defamation, but also with new crimes that are being created like the one in my own country on financial panic or the one created in the state of Zacatecas in Mexico on promotion of rumors and at the same time, the idea of not charging criminal liability on those that are serving as intermediaries for the use of this public space, for the use of the Web.

I think it's important in this process to protect the intermediaries, but as well as the responsibility of intermediaries, and of everyone to protect the privacy of all the information uploaded on the Web.

Only when everyone feels safe, but everyone feels that there's easy form of using the Internet will it totally fulfill its function.  Thank you.

 

>>LEE HIBBARD:  Thank you very much. 

 Okay.  We have Ms. Neelie Kroes with us from the European Commission.  Would you like to make a short statement as we -- thank you.

 

>>NEELIE KROES:  With pleasure.  I apologize that I wasn't in time but that is the attractiveness of this conference that you are passing so many people who just try to catch you.

So apologize, and again, saying how great this conference is and how important it is that it is an open dialogue, and that is what, for me, it means.  It is, indeed, food for thought that I am gathering and if you allow me to make just a couple of remarks.

We are realizing that more than a fourth of the world's population is using the Internet, that is really something, and that as a consequence, social networking, e-commerce or new technological application such as cloud computing, very fascinating, to name just a few, have allowed operations and means of communication in a way that society and political systems have never ever imagined.

And this is the new reality, and the new reality goes beyond traditional boundaries of innovation.

What we were used to talking about as innovation is a completely different issue than what we are facing now.  Productivity improvement and economic growth, yet new forces of fragmentation, repression, and disregard for fundamental rights of property, security, privacy, and human rights are challenging the future of the Internet.

So the current landscape demands more than ever striking the correct balance between, on one hand, openness and security and privacy.

It is a triangle that is really changing, and all of them understood as essential factors that will help us create an environment of trust.

And that is what we are talking of.

And just to name an example in my own territory -- so to say Europe, the European Union -- still 26% of the European population is not using the Internet.  And I made statements and I took it as a really not only this is what I believe, but this has to be done that those people who are not yet using the Internet, that they will use the Internet, and therefore I need trust for -- in most of the cases where people are not using Internet, it is a matter of trust.  And even if they don't have arguments, it's quite often emotion, but trust is the main thing to get everybody in that mood to use Internet, where essentially levels of security, of privacy, of protection of intellectual property rights, protection of children, by the way, consumers, online personal data, and freedom of expression are fully guaranteed.

Only when you can communicate those issues then trust is, indeed, a guarantee.

We also should not forget, ladies and gentlemen, that the Internet, as we have seen it in the so-called Arab Spring, has an enormous potential for the promotion of democracy, of social participation, and the strengthening of human rights.  And that is why thing I believe that good governance positions should promote openness and be grounded in respect for human rights, pluralism, and the rule of law.  Universal values that we all share, I imagine.

However -- and that is no news for you, but it has to be said -- there can be no real freedom on the Internet if there is no protection against crime or no safeguards to prevent and swiftly respond to unauthorized accesses to information or cyberattacks to private sector.

And lately, also very frequently to critical government network infrastructures.  And we were also faced with that type in Brussels.

In recognition of the crucial role that Internet and other ICTs play in our lives, and in boosting economic growth as envisaged in the digital agenda for Europe, we have presented a number of matters and a reinforced level of network and information security, improving European capabilities to prevent, to detect, and respond to new security threats and reinforcing global cooperation.

Just to name a few, we are modernizing the European network and information security agency, ENISA.

We are building up the future computer emergency response time, the CERT, which will cooperate with well-functioning CERTs at the national level.  We support cybersecurity exercises at the E.U. level, such as CyberEurope 2010 and we have established an E.U./U.S. working group on cybersecurity and cybercrime.

Turning now to our policy on critical information infrastructure protection, on the 31st of March of this year, the commission adopted a second communication on critical information infrastructure protection, which outlines our next steps to reinforce efforts to prevent, to detect, to mitigate, and react to cyberattacks and disruptions at both the European and the international level.

But no matter how much effort we make in isolation, we all know that cyberspace has no borders, and therefore, the establishment of fruitful channels of cooperation among all the types of stakeholders and international partners is vital to our objectives.

And together, ladies and gentlemen, we must ensure the utmost protection of users' privacy of the freedom of access and of the trust in the digital environment, mindful of the ever-changing and global nature of present and future Internet issues.

And I would like to end recalling the urgency to have a structured cooperative approach among all the stakeholders within and outside the E.U., so that with one single voice, we combat a response to the challenges we are facing today.  Thank you.

 

>>LEE HIBBARD:  Thank you very much, Madam Kroes.  Let me pass the next panelist to Ms. Heba Ranzy from Microsoft.  You have the floor.  Thanks.

 

>>HEBA RANZY: Thanks very much.  It's tradition to say that I'm delighted to be here, and indeed, I am.  Especially to share this panel with such distinguished speakers.  And another point is that to talk about a topic that is on top of mind of a number of people, especially in my home country.  I come from Egypt.

So it's a great opportunity for us and very timely.

At so many conferences where I speak, I come with a clear message with what Microsoft can do and is doing to resolve specific issues.  However, today, my message is a little bit more complicated.

To put it in a simple -- to put it simply, my argument is there is no simple yes and no answer to the various issues we are discussing.  I will take the next five minutes that I have to explain, like, why.

The Internet is the great

 (indiscernible).  In the information age it levels the playing field that has traditionally been slanted in favor of those who have.  But today, for relatively moderate cost of an Internet-enabled device and a network connection, the opportunity of the cloud are open to all.

It offers benefit to every part of the society from more effective and efficient health care to vibrant education system with better outcome, to improved business opportunity and to enhance government services at low cost.

The cloud and the mobile is tremendously powerful tool for government, business, civil society, individuals, here in Kenya and in Africa, and all across the world.

But with power comes responsibility.  The Web is entering its maturity phase.  To put it in human term, you know, like transitioning from a childhood to adulthood.  And as we all recall, the transition was never an easy one, because we struggled to reconcile greater freedom with increased obligations.

There is no freedom without privacy.  And there is no privacy without security.  The issues we are dealing with aren't as simple as a product functionality or business policy.

We are having to confront fundamental human issues, often drifting into the realm of philosophy.

We, at Microsoft, are the first to admit that we don't have all the answers, and I would also say that nobody has.  Ensuring, then, the Internet maturity into well-adjusted adulthood will be the work of so many different parents, as we heard Ms. Kroes saying that you need everybody to play a role.  And it is very important to have, you know, like all multistakeholder dialogue going on.

Unfortunately, it is the debate that is increasingly being polarized.  We now have two camps, and if I can summarize, we've got regulation good and regulation bad.

The regulation good, a standpoint that sees the Internet as a wild free-for-all that needs to be strictly controlled to stop cybercrime generally and distributed denial of service attacks specifically.

Regulation bad, where the ghost of the big brother, 27 years later, threatened the openness and creativity that have made the Internet such a dynamic force in the modern world.

You could argue that I am oversimplifying it.  Well, indeed, I am.

It is a charge that should be leveled at the two antagonists.

Let me explain a little bit, like the opinion of the pro and anti-regulation camp.  The regulation bad lobby say that  regulation will kill off creativity, but this is the missing the point.  A completely unregulated Internet will lead to increasing cybercrime and distributed denial of service attack which will scare people away from the Web and strangle open and free communication as assuredly as the restrictive regulation they fear.

On the other hand, the regulation good lobby saying that strict control is the only way to bring the stability that business needs.

And like an overly controlled Web will restrict the free flow of information across borders, which allow global business to take advantage of the cloud and SMEs as well.

It's not very clear, I would say, and there is no kind of a black and white framework in that respect.  The spectrum is full of gray areas that we need to understand.

Let me take you a little bit into the gray area word.  I am going to use the regulation bad and give some example just to illustrate the point but it is equally compelling that there are numerous examples for regulation good camp as well.

The compelled disclosure.  When an government or organization force technology company to reveal someone's identity, in the back-and-white world it is fundamental attack on the animosity [sic] and basic human rights of every Web user on the planet.  Sounds straightforward, doesn't it?

But the European court of the human rights disagree.  It has ruled that the rights to privacy of someone who maliciously posted the identity of a child to an online sex Web site were superseded by the rights of a child to privacy and security.

Now the traditional response to this kind of example is putting a simple example, like, to undermine the general principle.  But truly I believe that the general principle are too rigid in such a fluid environment, and we need to reconsider that.

We believe that accountability or, to put it more precisely, responsibility is critical to the maturity of the Internet.  But accountability must be done within the framework that respects privacy of individual and the international law.

So how can we introduce the attribution without breaching privacy and freedom?  And if I might quote what we have published in our citizenship report, we are committed to promoting strong methods of authentication on the Internet that can lead to greater accountability online while also respecting personal privacy and that's very important.

If we are to square all the circles, as we have heard, you know, like I believe we need to have a three-prong approach where, you know, like, all the players are accountable for.  It is very clear that the role for industry player, there is a role and they have to be responsible role and responsive.

Government need to cooperate across the global.  And to enshrine human rights within the cloud, ensuring a robust privacy and security legal framework exists to protect and provide users' right and benefit.  The rule of law, as we heard Mrs. Kroes saying.

Predictability and self-accountability by government is very, very critical.

And finally, it is important that the Internet Service Providers and the intermediate providers are not legally liable by illegal harm content generated by a third party.  Like if they are, there are real danger that it will skew incentive away from the free flow of information, which would benefit neither the pro or the anti camps.

It is intelligency regulated -- In an intelligency regulated world that I am advocating, there are, of course, exceptions such as the need to report and act on child abuse.  That is very, very important.

I started by saying there is no simple yes and no answer.  Hopefully I tried to explain that.

So many of the questions posed by a developing Internet and the potential of the cloud cannot be answered by a blended yes or no.

To the pro regulators, we are not calling for a light-touch control, but, rather, effective regulation, incorporating industry self-regulation that is flexible enough to deal with rapidly evolving reality.

To the anti camp, we are not advocating an end to privacy.  Rather, a place where privacy sits within the rule of law, granting the ongoing freedom and safety of all.

I have to say we must pool our resources and expertise to create smart and flexible regulation that will allow the Web to mature into a creative dynamic and responsible adulthood.

Thank you.

 

>>LEE HIBBARD:   Thank you very much, Ms. RamZy.

Let me call on Christine Runnegar from the Internet society.

>> CHRISTINE RUNNEGAR: Thank you.  The Internet has revolutionized communication giving ever increasing numbers of individuals across the world the ability to communicate as part of the growing and vibrant global community. It has enabled nonlinear content distribution and created the phenomena of distributed “crowd-sourced” “peer-reviewed” information and knowledge. 

An often cited example, and with good reason, is Wikipedia.org, - self-titled – “the free encyclopedia that anyone can edit”. Perhaps the Internet pioneers will remember the time when encyclopedias were expensive and updated annually.

We have entered the age of Information Egalitarianism.  But, that does not mean it is perfect.  More work is needed if we wish to embrace this objective globally.

Openness plays a key role - in obvious and sometimes less obvious ways.  Continuing with our Wikipedia example, an academic study of contributions when access was blocked by one country showed that individual contributions significantly decreased from contributors outside the country.

One author concluded this is because many contributors are motivated by the idea that people are watching. (It is important to emphasize that the contributions are voluntarily and provided with the knowledge that the platform is open and observable. This does not mean Internet users want their activities and private communications monitored.)

Another conclusion one may reasonably draw from this study is that blocking access in one country can also diminish the overall value of a public resource for the rest of the world.

Openness also has a technical dimension.  It is that dimension that has enabled the development of the Internet we know today that has become so fundamental that access and prevention of access are now part of the human rights dialogue.

Openness in the technical sense involves transparent Internet standards development where anyone can participate on an equal basis, and open non-proprietary protocols that anyone can implement.

It provides more opportunity for diversity of thought.

Openness is also the ability to develop and deploy Internet applications and services without “approval”. Closely aligned to openness is interoperability.  These two features have enabled extraordinary creativity and exponential innovation.

Openness in technical standards development has also played a role in enhancing security.  DNSSEC, developed by the Internet Engineering Task Force, is one such example.  OAuth, a Web authentication protocol, is another.

A trend that seems to be emerging is the resort to technical measures to solve legal, political, or social problems. This is, perhaps, most apparent recently in relation to the protection of intellectual property online, but is not limited to this area.

Altering the way technology functions to solve a non-technical problem carries inherent risks of collateral damage to the proper functioning of the underlying technology, security and privacy as well as other potential side effects.

DNS-filtering, for example, is incompatible with DNSSEC, runs the risk of collateral harm, and drives services underground, thereby undermining the stability, reliability, and global interoperability of the Internet. At the same time, it does not solve the problem, as it does not remove the content or all means by which it may be accessed.

In closing then, one of the overarching challenges we still face is a lack of a shared global understanding of the borderless nature of the Internet and the related inter-dependent objectives of security, privacy, openness and user choice.

The IGF, by its nature and format, is an ideal place to build this global understanding.

 >>LEE HIBBARD:   Thank you very much, Ms. Runnegar. 

 Let me pass to our final panelist, Ms. Katarzyna Szymielewicz from the Panoptykon Foundation.  You have the floor.

 

>>KATARZYNA SZYMIELEWICZ :   Thank you very much.  I represent human rights defenders in civil society.  My great pleasure to be on the panel.  Looking at the three broad areas -- security, openness and privacy -- from human rights perspective, there are a few very worrying trends that I would like to address very briefly. 

 Firstly, which we all know, more and more data is being collected by the companies that operate online, and then this data is used, can be used, for both commercial and law enforcement purposes.

This happens not only beyond users' control but often even without their awareness.

We all know that even the most sensitive data of the users moved into the cloud.  But it's not just the cloud that poses serious privacy risks.  Also, traffic data may reveal a lot about our private life, about our routines, about our social networks, our interests, even religious beliefs.

What happens with this wealth of information?  Well, it tends to be used for profiling, interrogating by consumers by the companies.

We do not have an effective regime at that point that would protect our privacy in that context.  The maximum protection we can obtain now from some of the leading companies is the possibility to opt out.  It does not seem to be the effective safeguard.

We know that European Commission is currently considering a revision of the legal framework with respect to e-commerce directive so it will be very interesting to hear the possible -- the considered solutions from our respected guests.

The same companies that users entrust the data for provision of services sometimes are forced by the governments to reveal the data for law enforcement reasons.  Of course, there is no doubt that under certain circumstances, this is a good solution; that law enforcement should be given access to our a data.  But there must be safeguards, and it shouldn't happen unless it is necessary for, for example, gathering evidence in criminal proceedings.

Unfortunately, there are countries that do not have such safeguards, and the most striking example being U.S. law and infamous Foreign Intelligence Surveillance Act that actually allows or forces U.S. companies to hand over data of their foreign customers without any safeguards, without any criminal proceedings behind it, even for political surveillance.

Another issue which we have to address is mandatory data retention.  Government agencies throughout the world are pushing for laws that force companies to collect even more data than is needed for their own business purposes.  For example, we have a very controversial data retention regime in the EU which is currently under review.  This regime forces all Internet access providers to store traffic data for the period of up to two years so that it can easily be accessed by law enforcement entities.

Data retention needs to be seen in a broader context.  The principles we are crafting today will be more and more relevant in the future along with the development of new Web-based services.  I am I thinking about Internet of things, about new geo-location services which are becoming very popular, about smart grid.

So this is the time to think about the basics such as what limitations should apply to the scope of data being collected by all types of entities, be that search engines, Internet access providers, online shops, social networks, and so on.

Secondly, whether there should be a legal obligation at all to store any of this data.  If so, for how long and for what purposes.

Finally, what should be the conditions for law enforcement agencies to obtain access to our data, regardless of whether this data is stored for commercial or law enforcement purposes?

Finally, a very worrying trend is that privatization of law enforcement in online environment.  I will again referring to EU just because I know this context best.

Currently European Commission is encouraging ISPs to be a sort of Internet police for the enforcement of intellectual property rights and also for tracking various types of illegal content.  One example is Internet blocking based on self-regulation.  This is the policy that encourages blocking of the Web site, which allegedly contain child abuses -- sorry, child sexual abuse images without any due process.

We have already seen a very controversial activity taken by private sector such as arbitrary revocation of the domain names, and this trend is not going to change, apparently.

At the same time, we hear a lot that there is concern for net neutrality, for freedom of expression, for securing access to information.

 So the main question we have to ask to each other and my main concern is whether these trends are not in contrary, whether we can reconcile them, or maybe one of them will have to win.

Thank you very much.

 

>>KATITZA RODRIGUEZ:   Thank you, Kasia. 

 Now we are going to give the floor to Mrs. Xianhong Hu, who is the rapporteur from workshop 85 organized by UNESCO.

 

>>XIANHONG HU:  Thank you, Chair.  It's a pleasure to present our workshop. 

 As you know, UNESCO has successfully hosted the feeder workshop on free flow of information and social networks:  A role for democracy and social participation on the first day on the morning of 27th.  This was chaired by Mr. Janis Karklins, the UNESCO Assistant Director General for Communication Information. 

 We have gathered six panelists representing governments, private sector, civil society, from Africa, Asia, Arab states, North America and Europe.  We have 80 participants attended the event with some remote participants.

In light of recent social movement in Middle East, our panelists shared observation that social networks, such as Facebook, Twitter, and YouTube are being widely used in many parts of the world, including in Africa, for not only personal communication but also to tackle political and other sensitive issues which are not addressed by traditional media.

Panelists and participants also noted with much concern much risks and the challenges that arise from the use.  Some of the risks identified related to quality and ethical standards which might be applied for user generated accounts, some privacy of citizens in security and inadequate online protection for children, opacity of personal data collection, as the processing practice, as several panelists already mentioned, and also government surveillance and filtering.  They are quite concerned about those risks.

I also want to share that the representative from Council of Europe presented drafts of recommendation on measures to protect freedom of expression and the right to private life with regard to social networking service, which we found very useful.

Participants also debated several burning issues, as under what conditions and what might constitute appropriate regulatory framework for cutting off of social networking and Internet during riots and other extreme occasions.

All in all, the discussions are far from being finished.  Participants recognize the need for ongoing exploring and shaping of the policies and regulatory issues of the Internet.  And more efforts should be made to reinforce democratic participation via the social networks and to best protect freedom of expression as human rights within a coherent and comprehensive legal and regulatory framework.

We also would like to take this opportunity to invite all of you to participate in UNESCO's future workshops on the subject, at the next IGF in Baku in 2012.  We hereby reiterate UNESCO's commitment to promoting freedom of expression and the privacy protection on the Internet and our engagement in fostering full and local content declaration and education initiatives.

Thank you.

 

>>KATITZA RODRIGUEZ:   Thank you, UNESCO.

Now we are going to pass to make a few questions -- we are going to make a few questions, give the floor for engage in dialogue.  And before the end of this session, we will give a futile for the panelists to make a very quick intervention.

So now we are going to discuss this session regarding freedom of expression.

We have heard about the importance of government --

(scribes lost audio).

Of creating immunity liability for them.

((audio cutting in and out).

The discussion we should make to the panelists is should online intermediaries be granted or expected to play more hands-on role in governing Internet activities vis-a-vis copyright or child protection?  Should we worry?  Why?

Would transferring code of conducts here help?

Another question the organizers make is, it is appropriate or desirable to ask companies to police their customers, either voluntarily or otherwise?

When is self-regulation equal to censorship?  Is censorship a bad trait?  Such restriction?  Trade barrier?  What threats do such models pose for online innovation, openness, freedom of expression, and civil liberties?

Is it even proportionate to cut, block access to people, groups, and even countries from the Internet?

What are the cross-checks on limitations?  Should the limitations to freedom of expression be limited? 

 I open the floor for discussions and please raise your hand and I will moderate this session.

Please.

 

>>JEREMY ZIMMERMAN: Thank you.  Hello.  I'm Jeremy Zimmerman.  I'm the co-founder of a citizen advocacy group, La Quadrature du Net, and I have a question directed mainly towards Mrs. Kroes.

We all agree that the Internet relies on its openness.  We all agree also that its openness, on a technical point of view, is the interconnection of a vast amount of networks which results in one network, one universal network, being shared by everyone.

We are now witnessing practices from Internet service providers for them to reduce, restrict this universality by restricting online communication, such as by blocking or throttling access to content, services, and applications.  They're in that debate called "net neutrality," going to practices that will have radical impact on fundamental freedoms, on the freedom to innovate, on free competition, and ultimately on the universality of the Internet. 

 We recently launched a citizen platform called "Respect my Net," where citizens go and report practices by operators that restrict their connections.  We have dozens of reports from most E.U. member states of such practices, yet in your report you acknowledged that there was no problem and no reason to act.

How, without an intervention of the regulator, can we ensure that the Internet remains universal and that openness will be protected?

 

>>KATITZA RODRIGUEZ:  Thank you.  In the back and then on the right.

 

>>ALUN MICHAEL: So is that me?  Yeah.

Two things.  There was a comment -- sorry.  Alun Michael, member of Parliament from the U.K.

Two things.  There was a comment which referred to privatization of law enforcement and related, if I understood it correctly, to the blocking of child abuse sites, in inverted commas, without due process. 

 I'm sorry, that's a complete misunderstanding, certainly of the situation in the U.K.

What you have is an illegal activity.  This may come as a surprise, but it's illegal to abuse children.

And the blocking of sites is something that is operated through agreement between government, law enforcement, and with the support of child protection organizations, civil society, and of parliamentarians. 

 It has had sensible oversight.  Now, it's not privatization; it's engaging those bodies that ought to have some responsibility for making sure that children are protected and ensuring that it can happen quickly. 

 Nor is it self-regulation.  It's not just left to the industry. 

 It's what I would describe as cooperative regulation, which is in the age of the Internet is absolutely vital that you have the basis of law but you have a partnership involving proper oversight, proper engagement.  It's very much a part of the IGF's approach to things.

And I think it's necessary to understand what's being done there and not to mischaracterize it in the way that the speaker appeared to be doing.

The second issue that I just wish to touch on briefly, I'm getting a bit fed up of hearing inaccurate references to the closing of social networks.  It's been suggested, I believe, that there was an attempt to close social networks during the riots in the U.K. in August.  That is not true.  I believe that it's based on a misinterpretation of something which may not have been a very wise remark by our prime minister.  I'm not going to defend his comments.

But the Home Affairs Select Committee, on which I sit, has taken evidence from organizations like Twitter and Facebook and BlackBerry on the way in which their facilities were used, in some cases from people who were organizing criminal activity, during those events in August, which were, of course, not political activities, they were criminal activities.

But there was no closing down.  What actually happened was that people like the police engaged.  There's a very good example of the police in Manchester, when they saw that people were being gathered in order to raid shops, that they Twittered back and said, "Yes, and we'll be there too."  And the evidence that the committee had from Twitter was, "Well, this is an open space, it's a public space, it's a place where -- which is open and neutral."  And that is correct.  And we're looking at that as a piece of evidence. 

 But we need to look at the good and the bad in relation to the variety of different places. 

 A regulatory approach is not necessarily the right one.  Common sense and understanding, but working together very much is.

 

>>KATITZA RODRIGUEZ:  Thank you.  Please, I would appreciate if you could make short statements so we could incorporate as many people as possible.

Please, sir.

 

>>JOHAN HALLENBORG: Thank you.  Thank you, Katitza.  My name is Johan Hallenborg and I represent the Swedish government, the Ministry of Foreign Affairs. 

 On behalf of the Swedish government, we're pleased to make a few comments in this important session, which are building on our intervention with it last year at the IGF.

The past year has seen a lot of important developments in the world, several of which are relating to freedom and openness on the net, and we believe that the theme for the IGF this year, "The Internet as a Catalyst for Change," is indeed very suitable.

As a response to people's legitimate aspirations to make their voices heard and claim their rights, several countries have tried to use the Internet kill switch in their country to obstruct communication and to prevent information on human rights abuses to reach a global audience.  We are happy to see that this tactic, by and large, has failed.

However, such actions slow down effective reporting and information sharing.

In the Swedish government's view, to extensively limit access to the Internet in this fashion is a violation of freedom of expression.  It is also necessary, according to us, to acknowledge and highlight the effects that reduced access has on freedom of assembly and association.

What we of course need instead is more access to the Internet, and we need to find innovative ways to support this.

For this reason, the Swedish government has earmarked funding for a special initiative on democracy and freedom of expression.  We are doing what we can to encourage and support new innovative ways to promote freedom on the net.

Here, the civil society play an important role.

Another worrying development in the past year is attempts by governments to broaden censorship and filtering on the Internet.  Several countries have or are in the process of adopting laws that put responsibility to monitor content on the Internet on the service providers.

This is not acceptable.

The ISPs or any intermediary should not be held liable for third party content.

This principle, regarding intermediaries, along with several other principles on human rights and the Internet relating to anonymity, censorship, and access were included in a cross-regional statement on freedom of expression and the Internet in the United Nations Human Rights Council in June.

This statement was supported by more than 40 countries from all over the world, including some of the most influential countries in the global south.

The wide support makes it evident to us that freedom and openness on the Internet, based on the international human rights framework, is truly a global endeavor.

The cross-regional statement had not been possible without the work done by Frank La Rue, the Special Rapporteur on freedom of expression.  His report to the Human Rights Council on freedom of expression on the Internet was the first ever to be presented to the council.  We warmly welcome his work in trying to enhance our knowledge of how human rights apply on the Internet.

In conclusion, we acknowledge and appreciate that human rights have become a more visible part of the IGF and we believe that the IGF, through its multistakeholder character, has an important role to play as a facilitator of a human rights based approach in Internet governance.

Therefore, my government supports the proposal put forward by APC and others to make human rights the main theme of the IGF next year. 

 Thank you.

 

>>KATITZA RODRIGUEZ:  Thank you.  And the representative from PayPal and then the guy in the back. 

 Please share information.  Help me with my work.  It's difficult.

We only have 10 more minutes and we have to pass to the other team.  Unfortunately we have this year only two hours.  After these two questions, we are going to pause for a quick reply from the panelists, if they want to reply.

 

>>BILL SMITH: Sure.  I'm Bill Smith with PayPal.

I wanted to thank the panelists.  I found it a very interesting discussion, presentations, and was very happy to listen and learn.

I was especially struck with the comments around security, openness, and privacy being a triangle.  I want to point out that triangles are also three-legged stools and as long as all legs are roughly the same size, it's stable.  However, if any leg becomes either too long or too short, it rapidly becomes unstable.

And at the risk of mixing even more geometric metaphors, I suggest that we need to add context in order to square these circles and to make sure that no leg is outsized or undersized and that in different contexts, different things will be slightly longer or slightly shorter, potentially.

As an example, "open" is frequently talked about -- when it's frequently talked about, it relates to anonymous access, okay?  However, for openness, there are also times when attribution is, in fact, important.  Who am I to contract -- or who am I transacting business with?  Okay? 

 Similarly, the privacy.  Do I want to disclose any personally identifiable information to someone on the other side?

I can't make a reasoned decision unless I know who they are.

And so mechanisms need to be put in place, I believe, if we're going to make these types of things happen and allow individuals to make informed decisions.

Generally, cooperation amongst all of us is required.  The discussion we are having here and elsewhere is invaluable.  Absolute immutable positions are not going to be helpful, if we agree to enhance security, openness, and privacy. 

 And each can be enhanced, but not at the expense of any other.

And finally, I believe private action is likely to remain an essential component for many types of cybercrime.  It's just going to be impossible for law enforcement to detect the crimes or even come up with the information necessary to prosecute them, if it's determined they -- that prosecution needs to happen.  But private action is going to remain an essential component for distributed denial of service attacks, account takeovers, fraud, et cetera.  Thank you.

 

>>MANU BHARDWAJ: Manu Bhardwaj with U.S. State Department. 

 I just want to thank all the panelists for the excellent presentations.  Generally, I think with the growth of cloud computing, with the advent of global data transfers, there are going to be legitimate -- very legitimate questions on personal privacy, and I want to echo the statements of a prior speaker, to make sure that these discussions and dialogue are grounded in fact and not myth.

I mean, with respect to the United States, we have been strong supporters of a global open Internet. 

 On the commercial privacy sphere, I just want to point out we recently published a green paper which called for, publicly, a consumer privacy bill of rights centered on individual control, respect for context, other principles and rights that we're very proud of promoting internationally and domestically.

With respect to the criminal privacy issues, I would submit that the law enforcement and national security considerations that are contained within U.S. laws are very complementary to frameworks across the globe, and I think, you know, to the extent that people would like to have dialogue, we -- it's an open-door policy.  Don't ever hesitate to try to reach out to the 15, 20 government officials that are here at the IGF today, but it's important that we have these dialogues so that we can kind of clear misperceptions and also find ways to improve.

Because, you know, I -- as I started the remarks, there are certain legitimate issues that need to be discussed, and we look forward to that opportunity and to the IGF as a multistakeholder forum to have the discussion. 

 Thank you.

 

>>KATITZA RODRIGUEZ:  Thank you.  Now we are going to the panelists, if -- who wants to reply.  Kasia, please.

 

>>KATARZYNA SZYMIELEWICZ:  Thank you.  I would like to briefly comment on the comment made by the British MP, but also make a general statement about the role of ISPs.

Please kindly note I did not refer to U.K. in any of my statements, but indeed, we might work on this example.

There are more problems with this recommendation.  If I got the point right, it says that we do not need any legal safeguards because we deal with clearly illegal content.  That sort of logic undermines the whole concept of modern justice systems we have.  

 Precisely this is the role of the court, to decide which content is legal, which is not.  The threshold between legality and illegality will always be vague and will have to be determined by somebody who is not -- who does not have any vested interest in that.

Contrary to popular belief, the whole dealing with so-called child pornography is a very complex issue.  There are many discussions around definitions or where it is, where it's not illegal, many approaches in various countries and so on.  Also experience shows that it's not possible technically to block exclusively illegal content even when we agree it's illegal.  There is naturally more content involved in a blocked Web site. 

 So these issues are much more complex and it shouldn't be for ISPs to decide how to deal with that complexity.

So that's the -- the remark here.

But the general statement about the role of ISPs, I think they have an extremely good and positive role to play in encouraging enforcement, in helping law enforcement agencies and justice system to make the Internet a better place, but there is no -- I mean, the burden on them, making them replace the justice system, is -- well, that's the mistake in thinking.

It's also undermining essential values of democracy.

So it's neither good for business nor for democracy and for citizens.  Thank you.

 

>>KATITZA RODRIGUEZ:  Anyone -- anyone would like to make another...

 

>>FRANK LA RUE: It is true that openness, security, and privacy go hand in hand and have to be understood together, but they're only equal parts if they're seen from a human rights perspective, because they can be seen from many perspectives. 

 For many governments, security is a priority because there is a real threat, but security policies are only legitimate if they're framed within the legal standards of human rights. 

 And the same thing happens with respect to privacy.

So the important issue is, how do we focus the human rights perspective into this.  And this is why openness is a crucial element in terms of freedom of expression, but granting that security is a legitimate concern and the protection of privacy as well.

And in that sense, the state has a paramount responsibility that it cannot delegate.

But when we talk about the state -- and I agree with my predecessor in the sense that what is correct in terms of security measures should be clearly defined by law, and where we cannot allow sort of subjective interpretation of any particular government in any given moment is the application of limiting measures, because if we allow that to be a political decision, governments change and opinions change, and different parties come to power and leave, and that cannot be a political decision, an arbitrary political decision of those in power at a given moment. 

 There has to be legal standards, there has to be the rule of law normally that should be implemented by the judiciary.  And this includes precisely the non-privatization of state responsibilities. 

 A state cannot just transfer responsibility to the intermediaries.

And finally, on child protection, I have nothing against blocking if it is ordered by a court -- and it should be -- blocking a Web site with child pornography, but the real responsibility of a state to protect children is to prosecute those that are fabricating child pornography and disseminating it, because oftentimes -- and here's a good example -- it's very easy for a state to block a Web site and with that they feel comfortable, when in reality, they have, according to the optional protocol of the Convention of the Rights of the Child, child pornography has to be seen in connection to child prostitution and to child trafficking and is normally an activity of organized crime.

So it has to be seen in that light, and the state should investigate organized crime that is abusing children.  And this is the real solution and not blocking Web sites.

 

>>KATITZA RODRIGUEZ:  Thank you.  Commissioner Kroes.

 

>>NEELIE KROES:  Just adding to the line that my colleague did already take, the intervention of the U.K. member of Parliament rightly mentioned that no action was taken, and I'm grateful for that mentioning, for there is a lot of misunderstanding.  And I can assure you if the U.K. government had taken that action, that Brussels absolutely would react, like we did, for example, in a couple of cases in northern Africa.

No way that the U.K. government did act at all.

Having said that, a couple of issues are at stake.

Openness, transparency, name it.  And I think it was rightly said we are in a development from a young girl or boy in the '90s and now an adult and facing with a lot of issues that we never ever had experience with.  So we should be alert, we should have discussions like this, but we should not give up one issue, and for me that is a real principle and that is that there should be one unified Internet and them globally speaking.  And we have to do quite a bit of work, but that should be the goal.

And a globally consistent approach will help avoid fragmentation and will also make it clear, if it is transparent, the issues that were at stake and were mentioned by some of the questions that were put at the table.

So what was mentioned already, it is globally and we should cooperate and there is a working group, the U.S./E.U. working group, also on the cloud computing, also on the cybersecurity and cybercrime, and I think we should not only keep it between us, but it should be far more global, what's at stake.

And what I also want to mention, Madam Chair, is talking about what is our principal rule, anyhow, from the European Commission.  That is, the support of the multistakeholder model. 

 But we have to be clear about what that is.  It cannot and shouldn't mean that private vested interests can trump the public interest.  That is not at stake, not acceptable for us.  I won't accept it also not now, but also not in the future.

So governments have to treasure and to protect the Internet, but they overreach -- if they overreach, they will kill it, and that is not what we have in mind.

So we should be very careful in finding out when and how a government should act.

For me, regulation is a last resort, and even then, Madam Chair, even then, keyhole surgery rather than amputation, for otherwise we are losing quite a bit. 

 And it's clear in my Internet compact -- and quite a number of you have read it, I'm certain -- there is, indeed, talking about the transparency, talking about the confidence, talking about pro-democracy, talking about, indeed, an architectural sound and inspiring climate.

And I also was asked by one of the panel members, "What about e-commerce, the directive," but I'm not certain if you want that now or first the floor.

 

>>KATITZA RODRIGUEZ:  I prefer later.  Thank you very much, because we are on time.

Before we pass through the last two speakers, I would like to introduce our remote moderator, Paul Muchene.  He's Kenyan Internet Society ambassador to the IGF, and I would like to ask if he could summarize comments or questions that have been in remote participation, please.

 

>>PAUL MUCHENE:  Okay.  So far, no questions have been raised at the moment.

 

>>KATITZA RODRIGUEZ:  Thank you.  So please, the representative from Microsoft, please.

 

>>HEBA RANZY:  Thank you.  I think, you know, like the Arab Spring is like, you know, top of mind of a number of people.  I just want to make a few comments on that.

You know, like I truly believe, and we as a company believe, that the choice of the government is for the people of these countries to make.  It's not for any -- anybody else.

However, the technology has a major role to play.  It -- like, you know, it allows the people of the countries, you know, like to engage in -- in a number of -- in a number of things, whether it's using social media or what have you, and it also helps in fostering more of sustainable solutions for the various societies and various entities.

I have to emphasize also the fact that, you know, like there is the rule of law, and we have to ensure that the predictability and self-accountability by government is critical.  And, you know, like that will really address some of the acts that happened, you know, like in a number of countries during the Arab Spring, because like, you know, these two -- these two aspects, the predictability and the accountability, has to be there.  Thank you.

 

>>KATITZA RODRIGUEZ:  Last comment from...

 

>>MICHAEL KATUNDU: Thank you.  Thank you, Madam Moderator.  I want to underscore the importance of balancing of these three issues of the Internet:  security, openness, and privacy.

What we need to appreciate is that there are a number of ways of dealing with a number of challenges of the Internet and some of them cut across technical ways of dealing with them and also policy and law-related approaches.

Just to go back to the MP Michael Alun issue or comments, we appreciate that the intermediaries may come on board, yes, but if they come on board, under what kind of circumstances are they coming on board?  Are they well-defined and explained within the policies and laws? 

 So when we are developing the policies and laws which the government is the watchdog on behalf of the public interest, then the idea here is we need to have a bottom-up approach whereby all the stakeholders are involved.

This is at the exchange where then the stakeholders need to raise their concerns so that the three-legged stool, as the example which was given by one of the participants, is -- in terms of balancing, is observed and we make sure that as we enhance each of those three areas, that we do not compromise on any of each of them.

But we need to appreciate, as it has been put or said by our panelists here, that the government has a fundamental responsibility, and whatever goes wrong, then the government has to respond to.  But then the question again boils down to what does the law, what does the policy say, and was the law and policy development process inclusive or not inclusive.  Thank you.

 

>>KATITZA RODRIGUEZ:  Christine, please.

 

>>CHRISTINE RUNNEGAR:  Thank you. 

  We've covered so many issues in this section, it's hard to pick which ones to mention. So, conscious of the time, I'll just mention one very simple point, which is really just echoing what everyone else has said - the advantage of coming at the end.

So I think I would say that limitations to freedom of expression should be exception and not the rule, a principle that applies to both the offline and the online world.  Thank you.

>>KATITZA RODRIGUEZ:  Thank you.  I will introduce now my colleague, Lee Hibbard, co-moderator of this session.

 >>LEE HIBBARD:  Okay.  Thank you very much.  Let's keep the dialogue fluid with short statements.

I think I've heard a lot of the word -- either explicitly or illicitly the word "trust" in that discussion and the approach between different stakeholders.  I think we're in some respects singing the same song.  I hope, at least, very much. 

 I do think we need to think about the best efforts of stakeholder groups, what are those best efforts, and now we're moving to the -- the privacy chapter of this discussion, trying to keep the time.

I've been informed that we've had five mail interventions, mainly by corporations and governments, so I'd like other stakeholder groups to come through, and of course women, in that discussion.

In starting in this session, I'd like to call on the Feeder Workshop 160, Christopher Soghoian, to report back on global trends to watch, the erosion of privacy and anonymity, and the need for transparency of government access requests. 

 Christopher?

 

>>CHRISTOPHER SOGHOIAN: Thank you. 

 So our session began with a conflict between security and privacy.  To be clear, it does not mean that you cannot have both, but that attempts by governments to pierce the veil of anonymity and the protection of individuals' data through technology such as strong data encryption have been justified by pointing to a need to protect national security and engage in lawful investigations.

Examples of this include data retention, which is already on the books in several European countries, and has recently been introduced in the United States.  The bill in the United States that's working its way through the House right now is called the Protecting Children from Online Pornography Act of 2011.  Who wants to vote no on that bill?

A key topic that dominated our panel was the role of cloud computing companies and the way that the move to such services has changed the economics and dynamics of surveillance.

Quite simply, as consumers have embraced cloud computing and mobile technologies, law enforcement agencies and intelligence agencies have followed.

Companies like Google insist that they only respond to valid requests that are accompanied by a court order or subpoena.  However, few would place much trust in a subpoena issued by the Iranian authorities.

Even so, all governments believe that they should have the ability to spy on their own citizens.  Whether this is achieved by India forcing RIM to provide it with interception capabilities of BlackBerry services or the Iranian government hacking into the Dutch certificate authority, DigiNotar, recently in order to obtain the credentials necessary to intercept the communications of 300,000 Iranian Gmail sessions. 

 One topic that came up is the promise of privacy-enhancing technologies and the way that these technologies conflict with the business models of companies that provide services for free via advertisements.

Vint Cerf, from Google, acknowledged during the panel that if Google encrypted all the user data in its possession, it would not be able to operate as a company, as it could not target those users via advertisements.  This demonstrates that when companies' business models are in conflict with a need to protect their customers' private data, privacy often gives way.

One other issue that came up was the unique surveillance capabilities available to the U.S. Government, due to the fact that so many widely use cloud computing and communication services are located in the U.S.

Although European countries may have strong laws that protect the data of their citizens, the U.S. Government and its powers issued under the Patriot Act and the Foreign Intelligence Surveillance Act have a long reach, thus putting companies in a very difficult position where they're in conflict between the laws of the U.S. and of the countries where the data is located.

As European, Asian, and African governments consider placing their own citizens' data in the cloud, they will have to evaluate the cost savings against the legitimate desire to keep this data out of the hands of the U.S. Government.

Finally, existing laws and treaties do little to improve things.  The Budapest Convention on Cybercrime is a decade old and the U.S. Electronic Communications Privacy Act dates from 1986.  These both predate the modern Internet ecosystem, one in which we have free e-mail services offering gigabytes of storage, social networks, and the widespread practice of carrying GPS tracking devices, otherwise known as cell phones.  Thank you.

 

>>LEE HIBBARD:  Thank you very much, Christopher. 

 So using data and security coming together, as some of you have already pointed out.

So data.  More and more people use data.  It's collected more and more, analyzed and retained by companies and governments.  You've said that.  For different purposes.  Commercial and security, in particular.  In order to create profiles.

I think "commercial" means partially -- we have a partial understanding, perhaps, of the collection of data for commercial purposes, and the profiling. 

 With cloud issues, of course -- you've said it -- it makes things more uncertain, perhaps, about the framework of protection that citizens have when their data is in the cloud.

There's also the issue of security in that context.  You've mentioned it Christopher.

Arguably, are we less aware of the use of it for security purposes?  What's happening to our data in that context?  What about transparency? 

 And the rule of law, of course, you've mentioned it.  The need for legal grounds for any interference, which is proportionate to the aimed pursuit.

So what -- the question is what are the safeguards, legal and nonlegal, to be put in place to protect privacy?  And also, in addition to that, with regard to responsibilities, something else you've already mentioned, the social and ethical responsibilities of companies.

In particular, should companies, for example, take account of the human rights records of a given country when selling surveillance and filtering technology to it.

Now, I'm going to open the floor.  It's your call.  I would -- would anyone like to raise a hand and to comment?  Yes.  You have the floor.

 

>>TOM WAMALWA: Thank you.  My name is Dr. Tom Wamalwa.  I teach electronic business.  I think there's one panelist who talked about context, and it seems like our argument and debate seems to be really not focusing on the context.

Openness, if you look at the history of the Internet, it was really made for education and exchanging ideas in the '60s, and in the '70s, throughout the '80s. 

 The only major change when the context changed is in the 1990s when businesses now started taking advantage of the Internet and with using the old business models, that's where the challenge is.

Rather than focusing on the flawed design, let's review the design of the Internet, because the original purpose of the Internet was freedom, openness, and sharing, and really helping to improve science and so forth.  But right now, we are using the Internet for everything else.

Businesses and so forth.

And that's where we are trying to solve our problem that -- using the wrong tools, and my focus would be, let us look at the context.

The Internet has changed.  Its original purpose is no longer the same.  Can we look at the design of the Internet and see it we can meet the three ideas of openness, access, and security.  Thank you.

 

>>LEE HIBBARD:   That you can very much.  The design is an interesting point and we will keep that in our minds.  Any other points, any questions, any comments would you like to raise on privacy?  Yes, sir, please.

Your name.

 

>> My name, I am Francis Oreno (phonetic), project manager, SenTech systems.

I am deeply concerned in terms of this issue of faking, I say, stuff like documents and posting on Internet to our young boys and girls who are seeking up jobs in terms of con them, trying to con them up money saying they will give them jobs and then they end up losing money.

What can be done to block these kinds of postings on Internet to avoid loss of cash and stuff like this?

What can IGF do to save such a kind of situation?

Thank you.

 

>>LEE HIBBARD:   Thank you very much.  I think you are referring to the right to be forgotten.  I could be wrong.  I don't know.  You are talking about identity, I think, there and how does one conduct oneself online.  The question of responsibility.  I think that's something to discuss, too, maybe in the general context of this session.  We talk about different measures but are we doing enough to be responsible, both as users as well as best efforts of the other stakeholders, the states and the companies, of course.

I would like to take a woman, if possible.  No?  Sorry.  We have a gentleman here who came first.  I see your next.  Anton Battesti from CNIL.

 

>>ANTON BATTESTI:  Hi.  Anton Battesti from the French data protection authority, CNIL.

I just want to raise a question for the panel on the global standards.  Lee talk about exploitation of some technologies, and the problem is also that there are no global standards, binding standards, that will engage all governments to protect privacy.  It's a critical issue at the edge of global governance.

So I would like to have the opinion of the panel on this project.  Of course a treaty cannot be the only solution, but it is an essential piece of that solution, so let's hope we can achieve it, as the international conference of data privacy agencies ask in Madrid and Jerusalem.

Thank you.

 

>>LEE HIBBARD:   Thank you, Anton.  I will take some more questions.  Before I come to you, Joy, the gentleman here was first.  Thank you.

 Your name, please.

 

>>BRIAN HUSEMAN:  Hi there.  Brian Huseman with Intel Corporation. 

 There was been some talk about the tension between privacy and security.  I also want to point out that there can be positive synergies between the two.  For example, the fair information practice of data minimization or only collecting the data that you need for the purpose or the concept of privacy by design and building privacy protections into technology from the start can help minimize the amount of data and consumer information that would be lost in the event of a security breach.  And on the security side, strong security measures, obviously, help prevent the release of consumers' information without their consent in the event there is an intrusion or some sort of malware.

So I think regulation that protect privacy while also providing and not inhibiting strong security measures is important and a positive synergy worth considering.  Thanks.

 

>>LEE HIBBARD:   Thank you very much.

Joy Liddicoat from APC, please.

 

>>JOY LIDDICOAT:   Thanks, Lee.  Just a question around the notions of security, privacy, and the degree to which we are using security as a holistic category instead of breaking it down into constituent parts.  This is topic that has come up in other workshops, and also just sort of acknowledging the work of EFF and Katitza and pushing around these issues of security.

A particular question for panelists is the different types of security that are being used, or what's being done in the name of different categories of security appears to be uneven.  For instance, that done in the name of national security is different from that done in the name of data security and that done in the name of personal security.

So some comment from panelists on these notions would be useful.

 

>>LEE HIBBARD:   Thank you very much, Joy.

I think the question of security, we'll try to put that into the security chapter at the end, if I may.

The gentleman over there.  Yes.  Please, your name.

 

>> Igor (saying name) from Russian Ministry of Telecom and Mass Media.

I also would like to stress on the tension between privacy,  security and cybercrime.  Maybe it's too early, but Russian Federation remains committed to the fundamental principles underlying the Internet's development.  This openness, all inclusiveness, multistakeholder approach based model.

Away share the view that the Internet has now emerged as a critical global infrastructure for all stakeholders, including national governments.

As numerous public, financial, and social services have recently gone online, it has become critical for governments to exercise their fundamental functions.  To this end, we trust the government the last resort to which users will turn in the event of any serious disruption of Internet services.

So as it was repeatedly mentioned at the previous IGFs, we believe government should take responsibility for stability, continuity and security of information resources and services and reliability and security of the critical network infrastructure.

Unfortunately, the current practices and technologies in the Internet governance area provide national governments with very limited abilities in this sphere.

Also, I would like to stress that governments should focus on network reliability and security as a category separate from cybercrime.  The reliability and security from basic categories with regard to cybercrime, because an adequate level of reliability and security of the Internet prevents cybercrime.

 

>>LEE HIBBARD:   Can you wrap up, please?  We are running out of time.

 

>> Okay.  That's why we welcome continuation of the dialogue on the issues on both bilateral and multilateral format with our counterparts worldwide.

 

>>LEE HIBBARD:   Thank you very much.  We really are running out of time.  That's the crime of this, is that it's too short and too many things to discuss.  I apologize for that.  I also apologize for not seeing you at the back but to remedy that and the gender balance, I will jump.  To the lady please.  Your name and if you can keep it brief.

 

>>PATRICE LYONS:  My name is Patrice Lyons and I just want to make a quick suggestion that I appreciate the consideration of privacy as a separate discipline and what goes with it, but I have often been in conversations where privacy is but one element of information management more generally.  Specific example, medical records.  When you have a medical managed environment, and we are working on apps to deal with that managed environment.

So you are actually managing the boundary conditions of various objects, and you can set those boundary conditions.  So there's no uniform approach that's one size fits all in that context.

 

>>LEE HIBBARD:   Thank you very much.

There's a gentleman at the very far back there who put his hand up.  Yes, right at the back, please.  Yes.

 

>> My name is (saying name).

With respect to context, please, I want to talk about context and openness.  We discover it is a particular segment of the world that is more of the developed economies have context, and even in terms of security, too.  And the threats of security is global, from whichever country it is.  So the need for collaboration, strong collaboration, and also encouraging individual governments to have in terms of infrastructure development to ensure that there is security and collaboration.  Thank you.

 

>>LEE HIBBARD:   Thank you very much.

The last two before I go to the panel.  You, sir, please.  Your name.

 

>>ANDY SMITH:  Andy Smith from the BCS.

We keep talking about human rights and the right to privacy online.  Does anybody actually think about the human rights of victims of cybercrime?  We have got so many people, we have got millions of people that have their life savings stolen, their families destroyed, their lives disrupted.  What about them?  What about all of the victims of terrorism, terrorist acts that are organized online?  It's fine talking about rights to privacy, it's fine talking about human rights, and they are all very important, but you have got to think about the other side of the coin as well.  You have got to be in a position where we can allow law enforcement to protect us and prevent all of these people losing their life savings, having their families destroyed.  You really -- until you actually see what organized crime do to people, you just have got to have the other side of the argument.

 

>>LEE HIBBARD:   Thank you.  Yeah, thank you very much.  Very important point to note.

(Saying name) from the (indiscernible) of Austria, please.  Very short.

 

>> Thank you very much.  Maybe directly to comment on what the gentleman just has said, I think we should really try to avoid that we try to make human rights as a competitive field versus each other.  We need something like a comprehensive view.  All these things we are discussing here on privacy and security, openness and reliability of the Internet are prerequisites of human rights, and that's also the concept that the European Court on Human Rights is doing.

What I think, and maybe a very brief last question maybe to Mr. La Rue whose report also the Austrian government very much appreciates to the General Assembly, what is interesting for me as a lawyer, when we discuss all these, let's say, standards which are mostly turning out in soft law, why do you think are we dealing with -- do you think there is real guidance for courts authorities?  What's interesting, last sentence, the European Court on Human Rights is more and more referring exactly to this common understanding of Internet freedom, and also Mrs. Kroes might be very aware of the fact that also the Brussels court, the court of European -- the European court is actually dealing with a case where they are installing a system for filtering and blocking electronic communications in order to protect intellectual property rights, infringes fundamental rights so says the Advocate General Cruz Villalon.  Thank you.  This would be my statement.

 

>>LEE HIBBARD:   Thank you very much.  We really are almost at the limit.  Just before I go to the panelists to respond to some of those issues, if you wish, Paul, remote moderator, have you any comment, any feedback, please?

 

>>PAUL MUCHENE:   Well, still no questions from remote participants or remote hubs at this moment.

 

>>LEE HIBBARD:   No.  Okay.

Thank you.

Okay.  Panelists, do you have any immediate reactions to these questions?  Maybe we start in reverse order.  Frank La Rue, very briefly.

 

>>FRANK LA RUE:   In two words.  I don't think there is a competing approach between human rights and security, and much less with the rights victim.  Of course, human rights is particularly concerned with the victims, victims of all kinds, of any criminal activity or any action of the state.

So what I think we have to do is look at human rights as a global focus, which is what I was saying.  Privacy as a right, security as a right, because of the right of citizens, and the need to guarantee freedom of expression in the use of the Internet.  That's why I said at the beginning that all three aspects can be seen as equal if there is a human rights focus.  What you cannot do is impose the decisions of the security authorities or the current government even with the best of intentions, and sometimes they may have it.  But it has to be within the boundaries of law.  And if there are going to be any limitations of privacy for security concerns they have to be established by law first and they have to be interpreted by the judiciary.  And that should never easily preclude the idea of drawing information easily.

The other contradiction I find is many laws are talking about information of the noncitizens.  I don't like the fact that we are separating the rights, the human rights of citizens of a country from the noncitizens of the country.

Human rights are universal and equal for all.  The only difference may be in the political rights, to participate politically, to elect and to be elected or to vote.  But the fundamental human rights and freedoms should be applied even to foreigners, even to undocumented migrants.  These are the divisions that are now creeping on us that we should not allow.

 

>>LEE HIBBARD:   Thank you very much.  And we are creeping into the time of the next session.  Any immediate remarks from the other panelists?  Kasia.   Very briefly, please.

 

>>KATARZYNA SZYMIELEWICZ:  I do endorse the comment from Frank.

Adding on security issue, I think it is a very dangerous logic to present freedom at the price for security, I believe.  So we need to seek alternatives at the model that will not sacrifice one for the other but will help us live with both of them.

On global standards, mentioned by many of the speakers, I do think we need standards that bind on both corporations and governments also relating to their relationship.

So it basically means we need international standards, global standards.  European Commission is about to start a great privacy reform where all the principles mentioned by the gentleman from Intel, I do agree with them, will be considered, I believe.  So we are doing our best.  The problem is, of course, how to implement them.  And I do think that the role of self-regulation here is vital, and corporations could self-regulate, adopt privacy by design, adopt public principles, and help us.  It's simply a multistakeholder effort.  Thank you.

 

>>LEE HIBBARD:   Thank you very much.  Mr. Chair, you wanted to briefly...

 

>>MICHAEL KATTUNDU:  Thank you, Mr. Moderator.  I want to respond to the question from the gentleman who was asking the role of IGF in this area of security, openness and privacy. 

 I want to say IGF forum provides an opportunity for a space for dialogue.  And basically what you get so much out of this is awareness and capacity building, among them also best practices, like what we are hearing from other countries, what they are doing.  I would like to underscore that Kenya specifically has benefited from this dialogue in terms of the bottom-up process of developing our policies and laws, which are also our -- which have given a mandate to a number of institutions on what role they need to play in terms of management of cybersecurity.

Specifically, the ICT regulatory authority that is the Communications Commission of Kenya is in the process of putting together a technical framework for dealing with cybersecurity issues at the national level in the name of Computer Instant Response Team.  This body or this framework will be a head of the national awareness of the consumers, operators and so forth in terms of how best they communicate and prevent or protect themselves, be proactive in terms of dealing with cybersecurity issues.

I would like to also underscore that in Kenya we are in the process of signing, digitally signing or other protecting our dot KE, which is a Country Code Top Level Domain, in terms of implementing the DNSSEC, which is a security and international standard for ensuring that your Country Code Top Level Domain, or whatever communications you do with it in terms of data or communications, data is protected and people's domains are safe from cyber attacks.  Thank you.

 

>>LEE HIBBARD:   Thank you very much, Mr. Chair.

A final comment from Madam Kroes, if you would, think.

 

>>NEELIE KROES:   Yes, please.  Just talking about the right of privacy.  If you would allow me two remarks, and I'm aware that perhaps you are not completely agreeing, but that is also possible in a dialogue.

I think we need to take into account when we are talking about privacy that there are differences in culture.  For example, Europe and the U.S., there is a difference in culture of talking about privacy.

Having said that, in my opinion, but that is my age, Mr. Chair, there is also a difference in approach in talking about privacy between generations.  I am aware that the younger generation, how they are using Facebook, how they are Twittering, that I am thinking goodness gracious, that is just interfering in privacy, but it is completely open.  So we also need to take into account.

Therefore, it's so important, absolutely main, the right to be forgotten.  There will be an initiative of the commission.  So hopefully, that will be a next point next year to touch upon.

Another issue that is at stake, and I found it a bit over the hill, so to say, and that is more than only over the hill, when we are talking about cloud computing.  It is completely a subject that we need to discuss in depth.  We are active in the commission now within my director general with a strategy for cloud computing.  I will publish it, I will present it beginning of next year.  And I am looking forward to a discussion, and not starting discussion already when we haven't yet an overview what is at stake.

Further, there are also a lot of very positive issues in the cloud computing strategy, in my opinion.

I couldn't agree more with this madam when you were talking about the medical collected data.  And in my country, you were already aware that I am Dutch, I am not a diplomat so straightforward.  And it is quite a sensitive issue.  I am always saying to those people who are against collecting the medical data in a way that is making sense, if you are crossing an artificial border now in the digital single market in Europe, when you are just coming over to Brussels, for example, imagine you get a very severe accident.  What would you prefer?  That there is no medical data -- collected data system that is in time or are you still taking your principles where nobody should touch upon and it should only be, and so on.

It is remarkable that when you are using such an example, they say no, of course, in such a case.  But then we should be very consistent what we want.  And, therefore, I got your point.

And talking about child abuse -- yes, that will be my last part.  And if you are interested still in the e-commerce directive, I will answer, no doubt, about that.

But talking about child abuse and child protection, for me, there are several key actions to be done, and we are active in that.  We need to ensure that online safety of children and, of course, young people through the Safer Internet Program that is run by my director general is making sense and it is coming over.  For if, indeed, our aim is to make every child digital safer via awareness campaigns, then a lot is already done that they are also aware what is at stake.  And then you can, of course, inform the parents.  But someone who is not aware of what is safe and what is not safe on the Internet is getting risks that we, indeed, are responsible for and we have to act.

Thank you.

 

>>LEE HIBBARD:   Thank you very much.  We are going to stop this part of the session and now go to security, so Katitza, would you like to come up for that.  Would I just agree with you, Madam Kroes, about the idea of generations, but I still think it's still incumbent on the older generations to protect the younger generations.  So it's incumbent to try to work together.  I think children and young people still need a framework in terms of how to live their lives and identity.  We're not wishing to tell them how to live their lives, of course.

 

>>NEELIE KROES:   I am 100 percent certain you are not a child.  I'm not certain about your age, but I am also not certain what you are publishing in your Facebook.  So it is perhaps my generation, and I am a bit older than you are, I assure you, is more careful than the later ones, where they are thinking it's part of the fun taking into account that in Facebook you have to contact with your friends and so on.

 

>>KATITZA RODRIGUEZ:   Thank you.  We are now on the session on cybersecurity.  We are calling on Liesyl Franz on the rapporteur of the workshop 202, cybersecurity:  Safeguarding the global Internet and emerging issues opportunities for developing countries.

 

>>LIESYL FRANZ:  Thank you very much.  Again, my name is Liesyl Franz and I am with Tech America, and I had the honor of co-moderating and co-organizing the workshop with AfriNIC, and I would like to sum up the discussion that we had -- it was very robust; we had a very diverse and expert panel -- into three key themes from the discussion and provide some examples that our discussion brought forth.

The first theme was that there needs to be a national attention to the issues of cybersecurity, and I believe the discussion that we have had here at this IGF and previous are evidence of that.  The examples that were given is that, first of all, there is an establishment of a new ICT ministry in Nigeria to encourage the buildup of the Internet infrastructure in Nigeria but also look at cybersecurity issues.  Recent cybersecurity exercises in Turkey brought together 31 public and private sector  organizations to conduct a cybersecurity exercise.  The need for the development of Computer Emergency Response Teams, or CERTs, that our chair already acknowledged was something that was discussed in order to conduct analysis and response and connect with colleagues on cybersecurity issues.

We talked about the strategy development and priority setting in the U.S., who has recently published an international cybersecurity policy outlining three principles of diplomacy, defense and development.

And it was well noted that the regional and international components of cybersecurity are important as well so you need to look outward for engagement.

Which leads me to the second theme, which was that cybersecurity is a shared responsibility and that collaboration is key.  We need to collaborate with international partners to establish norms for cyberspace that guide behavior.  It's also important to foster intragovernment collaboration to be able to share resources and put up a common defense against cyber attacks.  And there was a comment that attackers are everywhere, but so are the defenders.  They can be anywhere as well, including in the developing world, which is why collaboration is so key.  Cybersecurity is fundamentally the connection between those who want to work together.

We talked about shared responsibility, and it includes education first.  Discussion about responsibility of the end user to protect themselves, but also a discussion of the ability of resilient and secure systems that survive even when the end users fail.

We noted the importance of collaboration between government, industry, and law enforcement to address cyber attacks appropriately and there were some several positive trends in that regard.

Finally, the third theme was the complexity of the Internet and of cybersecurity as a real issue and something we have been grappling with in these discussions.

So capacity building is a key component of raising competence globally on cybersecurity.  The U.S. and Kenya recently hosted an East Africa cybersecurity seminar in Nairobi to that end.

There was also a discussion that there does not need to be inherent tension between cybersecurity and fundamental rights of freedom of expression as we have heard today, and policy-making needs to be done with bet, as well as privacy, in mind.

Collaboration is key.  But there is a tension between the speed of technology that we see and the time it takes to build trust and collaborative environments.  So that's something that we need to engender as well.

Finally, there was discussion that a new treaty is not the answer.  Technology moves too fast.  Collaborative action will have more impact.  Standards and global principles and collaboration are where we are now and where we can make a difference.

I would like to take the opportunity to address a comment that was made earlier today sort of separate from my workshop about the measures that might be taken under the guise of national security, and that is something we in the U.S. do not want to see.  There are legitimate national security concerns for all governments and societies, but we urge they not be construed to meet unrelated objectives.  And I just wanted to address that comment since I knew we were coming back to it in this part of the session.

Thank you very much.  I hope I did justice to the very robust discussion and comments of our panelists and audience.

Thank you.

 

>>KATITZA RODRIGUEZ:   Thank you, Liesyl.

Now I will read the two questions, we have agreed on the organization committee, and we give the floor to the audience for questions.

I will encourage women to raise their hands, if possible.  I hope so.

Okay.  The two questions.  What is the proper role that cybersecurity operations centers and law enforcement can play in protecting the Internet and its user from cyber attacks and cyber crime?  And which are the legal safeguards and oversight mechanisms that needs to be in place to avoid abuse of power?

Thank you.

Please make a brief intervention and raise your hand if you want to speak.

Please, sir, there.

 

>> Thank you.  I am (saying name) from Ministry of Foreign Affairs of China.  This is not a comment but is more of explanatory note.  Because we have interpretation service here, please excuse me for speaking Chinese.

In September 12, China, Russia

 Tajikistan and Uzbekistan sponsored a code of behavior on the cybersecurity to the General Assembly as an official document to be circulated among the General Assembly.

We call upon countries -- we call upon countries --

We call upon countries to discuss this question under the framework of United Nations.

Cybersecurity is a concern of many countries.

Many countries have come up with many separate security measures to battle this phenomenon.  The problem is we haven't come up with a comprehensive and uniform response to security.

We call upon all the country to come up with the uniform response.  These give rise to some multilateral forum.  China and Russia, in response to this kind of call, have tabled this motion to the General Assembly to provide business to take this kind of action.

However, United Nations as a universal organization is the best forum to come to consensus on these kind of code of behavior.

Including ITU and other international organizations, we have already reached some consensus which has already been reflected in these documents.  These documents have come up with some of the measures which covers economic, technological, and socioeconomic measures.

This is a formal document that doesn't have any binding effect on any country. 

 We call upon all countries to join this motion voluntarily.  We look forward to feedback from other countries. 

 Thank you.

 

>>KATITZA RODRIGUEZ:  Thank you.  The lady behind the representative of China.  Dixie?  Yes.

 

>> I just want to question whether there is consensus on that approach and whether that consensus is multistakeholder consensus or who exactly is consenting.  Thank you.

 

>>KATITZA RODRIGUEZ:  Any other question before -- okay.  Please.

 

>>BURT KLAASEN: Thank you very much.  My name is Burt Klaasen.  I'm from the Ministry of Security and Justice in the Netherlands. 

 I heard a lot of time in your recap the word "collaboration" and I have a question to the panel about this.

In fact, I want to recall what Mr. Bill Smith said.  He said that private action should be an essential component for cybersecurity, and this reflects, I think, very well the way that we implemented the cybersecurity strategy in the Netherlands where we worked very closely together with the private sector, and in fact, I think this is a key factor for success.

About this essential component, this private action essential component, I would like to hear the views about the -- from the panel about this and maybe especially from Mrs. Kroes.  Thank you.

 

>>KATITZA RODRIGUEZ:  Please, yes.

 

>>ZAHID JAMIL: Hi.  I just wanted to -- Zahid Jamil from Pakistan. 

 I just wanted to sort of pick up from the point of the U.N. General Assembly issue and, you know, the importance of having maybe a treaty.  I think that's what I heard one of my colleagues from China say.  Well, I come from a developing country, and the problem with trying to do this again, a do-over of having some sort of a convention, is that U.N. treaties or treaties in general take years to ratify, to get acceded to, ratified, and even for developed countries. 

 When it comes to developing countries, it takes longer. 

 And then the harmonization effects of that are disrupted within those developing countries, and all it does is confuses and makes developing countries subject to the politics that takes place between international organizations.

I think the -- there's an urgency -- we all feel it -- there's an urgency to move very quickly on cybersecurity and cybercrime, and if we don't do that quickly, with whatever resources we have at our disposal, I think we will be giving more time to the bad actors out there to say, "Well, let them keep fighting about this, let them be involved in the treaty processes.  In the meantime we're milking this whole process." 

 So I think I would really appreciate it if developing companies didn't have to be confused by these processes in various fora, and whatever there is already, let's move quickly, move forward, get everything everybody to become part of it and harmonize the legislation so we can really try and safeguard this area in cyber --

 

>>KATITZA RODRIGUEZ:  Thank you.  One last question.  A woman, if possible.  I'm trying to create gender balance.  Please.

 

>> Thank you, Katitza.  So going back to your question, because this -- that precise question actually came up during the Spanish IGF when we held this session.

I wanted to point out -- well, first to stress what a previous speaker said from a feeder workshop about this being multistakeholder and the user also having a responsibility, and thus requiring education, a lot of education.

And also, during -- like I said, during this session in the Spanish IGF, it was outlined the importance of early detection in fighting cybercrime. 

 And this includes participation of users, creating effective channels, and an adequate infrastructure to handle these claims.

Also, I would like to bring here the example of (saying name), which is a Spanish organization born from the government that has developed a network of security sensors and a panel including users and enterprises aimed to detect and identify security incidents and security threats. 

 And also the role of industry.  It is necessary to have them with constant updating, constant technology improvement and state-of-the-art technology and services for citizens, enterprises, and administration.

 

>>KATITZA RODRIGUEZ:  Thank you.  I would like to ask the remote moderator if there are any questions.

 

>>PAUL MUCHENE:  Okay.  There are no questions, but there's a comment by the remote hub sponsored by the Caribbean Telecommunications Union.

Concerning this discussion, they are saying that "We are just following the discussions very keenly and taking note of the various points of view.  It is very useful and interesting."  Thank you.

 

>>KATITZA RODRIGUEZ:  Thank you.  Now, we will give the floor to the speakers.

We will start with Ms. Heba Ranzy.  It's okay.

 

>>HEBA RANZY:  I just want to echo what Mrs. Kroes had said around the cloud, and we need to nurture the adoption of cloud services by taking a balanced approach that would provide clear guidelines to cloud service providers, to protect the data and like, you know, make the necessary security investment, with taking into consideration that we'll give the flexibility for the -- you know, the service provider to be able to invest there.

So just this is one.

I'd like to conclude by saying I think -- you know, I give my opinion -- the way forward lies in the hand of the people sitting in that room and the different organizations that are represented. 

 You know, like we should continue having this multistakeholder dialogue.  You know, like each and every stakeholder has a responsibility.  You know, like the industry has to be very responsive.  You know, like as we've heard. 

 Government, you know, like act in an accountability fashion.  The civil society be informed and accountable.  And the international organization has -- have got a major role to play to, you know, like create the enabling environment and the convening environment for the various stakeholders to come together to discuss, you know, like and have a very fruitful dialogue that would lead to like, you know, the right -- you know, like the right directions to help shaping the policies and the law.

You know, like and I think IGF, you know, like is a point of reference here that -- you know, like that allow for such an environment where you have these dialogues between the various stakeholders.

Thank you.

 

>>KATITZA RODRIGUEZ:  Thank you.  We would like to ask -- to make the intervention.  If you have a final remark, do it together.  You have a final remark?  Yeah.  Because we are running out of time.  Yeah. 

 Please, Commissioner Kroes, respond to the question and your final remarks.

 

>>NEELIE KROES: Couldn't agree more with the Dutch representative, and I'm completing online with the Spanish representative.

 

>>KATITZA RODRIGUEZ:  Thank you very much.  Chair?

 

>>MICHAEL KATUNDU:  No remark.

 >>KATITZA RODRIGUEZ:  Christine?

>>CHRISTINE RUNNEGAR:  Thank you.  Just a couple of points I'd like to take away from this very rich discussion that we've had this afternoon, and with the indulgence of the chair, I'll merge the points on privacy and security and say that I cannot overemphasize the importance of that word we heard today, "context."

One of the challenges we face with privacy, is that there is no universally agreed definition of "privacy."  Similarly in the security field, people use the word "cybersecurity" for different purposes and in different contexts.

Then, just a couple of other quick points. I'd like to pick up from what our moderator said at the outset - that the Internet mirrors society.  Solutions will only come from cooperative multistakeholder dialogue. 

And finally, do no harm to the Internet.

>>KATARZYNA SZYMIELEWICZ:  Thank you. 

 Well, for me, clearly the most serious dilemma we face now is how to reconcile the need for more efficient law enforcement online, maybe including some kind of private/public cooperation, with the need to respect the rule of law. 

 And having said that, my main question or concern to take away would be:  Is it possible for the governments to promote Internet freedom while at the same time advocating for data retention, lawful intercept capabilities, filtering and blocking of Web sites based on copyright, pornography, or national security concerns.  Thank you.

 

>>FRANK LA RUE:  My final comments.

I think security is a legitimate concern of every state and it has to be done, it has to be done well, and it has to be done within the boundaries of human rights. 

 And precisely, there was a speaker that said what's really important is that a legitimate concept, security, may not be misconstrued by those in power in any state, democratic or not so democratic, to their own interest, to promote their own interest, political interest in holding power or subjective and arbitrary decisions.  And this is the main -- the main concern.

Secondly, I think it would be important to make a separation between cybersecurity on a private level and cybersecurity on a public level, which is a private threat and which is a public threat, because both are important but they need different responses.

And finally, there was several interventions which I agree with.  The first responsibility of the state is to seek prevention and early detection.  Education and the -- the preparation of users is one of the initial factors in all this, to participate everyone in the protection of the cyberspace and the openness of the Internet.

And finally, I fully agree that this is a multistakeholder dialogue that we have to continue to engage in commonly protecting the Internet space.  Thank you.

 

>>KATITZA RODRIGUEZ:  Thank you very much, and with this, we are closing the session.  Thank you for your attendance. 

 Excuse me.  Here I have been told there is a final speech by our chair, so I apologize I close the session beforehand.

 

>>MICHAEL KATUNDU:  Thank you, Katitza.  I'll be very brief. 

 I think I'd like to thank you so much, sincerely, for the -- for making this session very interactive and informative.  Particularly, I would like to thank the moderators, the panelists, and I would also like to thank the interpreters for also making the session quite accessible to all of us.

We all appreciate that cybersecurity, openness, and privacy, they are very interconnected and we need to continue this debate, so that we can be able arrive at some consensus. 

 And we also appreciate that we all have responsibilities.  It's a multistakeholder responsibility, cutting across governments, law enforcement, private sector, civil society, manufacturers of equipment to ensure that the equipment are secured, application providers, and so forth.  We want to ensure that we all participate in this. 

 And I don't want to forget that we also need to thank our remote contributors who made the remote participation possible.  Paul Muchene. 

 We also want to thank the scribing team, who ensure very much that scribing is possible so that we can be able to make this session quite inclusive.

So I would like to imagine that we are going to continue deliberating on this issue.  We also are going to go back to our countries better informed and be able to use the knowledge we are learning here to influence our policies, laws we are coming up with, and also inclusiveness of the development process of those policies and laws.

And I think with those few remarks, I would like to adjourn the meeting until next time.  Welcome to Nairobi.  Thank you.