IGF 2017 - Day 1 - Room XVII Plenary - Local Interventions, Global Impacts: How Can International Multistakeholder Cooperation Address Internet Disruptions, Encryption and Data Flows


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> TEREZA HOREJSOVA: This is a session that will kind of tackle these three different but very related issues, namely, Internet disruptions, of encryption, and of data flows.  And the way that the session has been planned is that we will perspectives from speakers from across the stakeholder groups who will give us their perspectives on this debate. 

I will first start by explaining how this session is organized.  It is a three‑hour session, it is a very good session, that's why we need to be planned time‑wise very well because you will probably agree with me that we do not prolong this beyond the three‑hour mark.  We will have three 50‑minute segments each covering one of the topics I have described and each speaker will have four minutes for their initial intervention.  After that we will continue with the Q&A session, with discussion, which will involve both of (?) in this room here as well as the remote participants who I would like to welcome as well.  We will aim to be very transparent in the way the microphone is handed, and the way it is going to work is we would ask you all who would like to make a comment or ask a question to queue at the microphone here in front on my right, on your left.  So if you feel that you would like to pose a question, please take your time and move around.

At the same time we will have a transparent procedure for the online participants which are handled by our colleague, Diego Cannabaro (phonetic).  So I hope this makes sense; if not, we will see how it works after the first segment then I can always clarify and we can figure out some details later.

We will start ‑‑ the first issue that we will tackle in the session concentrates on the issue of Internet disruptions.  We will have, as I said, speakers from various stakeholder groups, but for the introductory remarks, I would first like to pass the floor to Anriette Esterhuysen.  Welcome and thank you for coming.  Anriette is the executive director of the Association for Progressive Communications, APC, which is an international network of organizations working with ICT to support social justice and development. 

Prior to that, Anriette has served as the director of Sanguinet (phonetic) which is the Internet service provider and training institution for Civil Society, labor, and community groups, organizations.  Now, Anriette, the question we would like to start, would you give us an overview on how has the debate around Internet disruptions evolved in the past years and what are the new motivations on disruptions and how they impact the global infrastructure of the Internet.  You have up to five minutes. Thank you.

>> ANRIETTE ESTERHUYSEN: And apologies for being late. I'm also actually not the executive director of APC any longer, I'm now the director of policy and strategy.  I'm also very stupid when it comes to snow.  I come from Johannesburg, sunny Africa, I have no experience whatsoever so I'm very I'm sorry, I'm late. 

And I think that the story about how the debate has evolved is actually quite a sad one because on the one hand there's more awareness of shutdowns, there's more discussion about shutdowns, there's been resolutions about how Internet channels actually disrupt people's ability to exercise their human rights through the Internet.  At global level, at regional level at Africa at the African commission but shutdowns and disruptions are actually increasing and there's a trend where there's an immediate reaction, the global community which react, local business community, even local businesses would react but then what next?  There seems to be a gap of any real remedy or any real recourse to counter shutdowns.  I think the other important difference, though, and I really have to commend Access Now as an organization that initiated a campaign called Keep It On which now has very broad‑based participation and also various academics and people from the business community who have done research on the cost of Internet disruptions and Internet shutdowns.  So I think the debate has evolved from one where it is a debate that has been led by human rights defenders, by journalists who have approached it from a rights‑violation perspective but increasingly the business community has come on board and has provided data on what the actual economic cost is of shutdowns.  And I think where the debate needs to go next perhaps, and it's beginning to emerge, is that with ICTs and the Internet being such a vital part of people's lives, in developing countries, it's a way in which people communicate with their families, do business, transact money, that these shutdowns actually have a very profound effect on people's daily lives, not just on their freedom to express, so, yes, I'm not sure if that covers it sufficiently as an opening statement but I think that is, for me, the real concern is that even though there's more awareness, there's more exposure around shutdowns, they continue to happen ‑‑ they happen in different ways, sometimes they are complete shutdowns, sometimes the eruption of certain platforms or certain services and I think the other note as one is they happen everywhere, they happen in the northern hemisphere, they happen in the southern hemisphere, and I would like this process to actually produce some consensus on how multistakeholder corporation can actually get teeth around this and not for us to just bemoan the fact that these disruptions continue because I think ‑‑ this will be my closing statement ‑‑ I think that we talk about a multistakeholder approach and Internet Governance, but we ‑‑ at a national level, for so many individual users of the Internet, it's still the power of their states to instruct an operator or instruct a regulator to disrupt the Internet in some way or other that has real impact and that just blows the whole multistakeholder open approach to Internet Governance apart, in my view.

>> TATIANA TROPINA: Anriette, thank you for setting the stage for the discussion and kind of bringing in the aspect that it's not only local‑to‑global impact in the policy sense of view but we as individuals need to take into account.

I would like to go immediately to another lady on our panel sitting on my right, Ms. Melody Patry from Access Now.  Melody is the advocacy director at this organization and she leads on the global advocacy communications and campaigns to protect the Internet, and previously he has worked very extensively on the issue of censorship and human rights. 

Looking at the Civil Society point of view, could you please tell us a bit more on the issue, how you see this, also bringing in some examples from the work of your organizations, and, in particular, look at the local‑to‑global impacts.  Over to you, Melody.  Four minutes, please.

>> MELODY PATRY: Sure.  Thank you very much, Tereza, and thank you, Anriette, for the introduction previously about the work of Access Now as part of the Keep It On campaign.  So Access Now is an organization defending and extending the digital rights of users at risk.  And I'd like to start by giving you a few detail about our work in the context of the Keep It On coalition, and I'd like to focus especially on how Civil Society can address the increasing and disturbing trend of intentional Internet disruptions, namely, the national and regional actions and policies that we can take.

So the Keep It On campaign is a global coalition of over 140 members across 60 countries.  The members are from multiple sectors but mostly from Civil Society and we have four pillars on our work on shutdowns which is advocacy, norm‑building, detection and mediation.  This means that we are doing our utmost to record instances of Internet shutdowns and Internet disruptions across the world.  We're also trying to provide solutions when they are available to the populations affected, whether it's via circumvention tools or other technical mechanisms that can be at our ‑‑ at our disposal when it is possible.  And we're also trying to raise awareness on this issue and to engage with the authorities and with the different Internet service providers and operators who are enforcing the orders to cut off the Internet or to suspend or slow down connectivity or access to crucial user‑to‑user communications platform.

What we have noticed is that, as Anriette said, this trend of voluntary Internet disruption is increasing.  We have recorded through our shutdown tracker optimization projects 77 instances in 2017.  And just to give you an idea, there were 18 instances recorded in 2015 and 56 in 2016.  So this increase is really alarming, especially because, as was previously mentioned by Anriette, it is mainly the single order of states to Internet providers and operators to suspend or slow down or interfere in one way or the other with the Internet or with dedicated platforms that are primarily designed for user‑to‑user communications so that includes WhatsApp, Twitter, Facebook and so on.

So as a Civil Society what can we do when indeed it looks like it's the State that is the main actor in this new trend?  Well, one of the first thing that we can do, especially at the local level is to alert when we can the coalition and ask for solidarity to not just let the people know that a disruption is happening, but also to continue to alarm the authorities and to try to gather some interest to the situation that is happening.

We're also trying to protect the communities affected because something that can be ‑‑ that has already been proved, and there is a lot of evidence and data supporting these findings, is that Internet disruptions undermine human rights and they have lots of other consequences.  They harm local economies, they are detrimental to the work of emergency services, they isolate communities and I think that it's quite fair to say that they impact all of our goals at the itching, it's a really intersectional issue.  So further evidence is required in terms of norm‑building although we have strong initiatives that we can build on namely the U.N. resolution about the ‑‑ about the promotion, protection and enjoyment of human rights on the Internet.  And last year at around this period as well, 30 governments of the freedom online coalition issued a historic statement against Internet shutdowns and I think that these initiatives should be pursued at the local level.  I think that Civil Society actors can approach authorities either to review agreements and licenses with operators and telecommunication companies and Internet service providers to make sure that licenses don't include unfair obligations to shut down the Internet outside the rule of law.  It's also necessary in some instances to encourage states to implement legislation that protects the Internet.  And these are just two examples that we can pursue, but it has to be said, though, that the states remain the main actors although in 2016 we identified one instance of an Internet shutdown that was perpetrated by a non‑State actor.  So I look forward to our discussion and to further engaging on local and regional solutions to this issue.

>> TATIANA TROPINA: Thank you very much, Melody.  That was useful to bring the perspectives, the role of Civil Society and responsibilities of Civil Society and finding solutions to how to address the problem of interruptions where they lie.  And thank you also for stressing the kind of local actions, the actions of the Civil Society that need to be taken on the local level because very often these issues are very local.

Before I get to our next speaker, I would just like to update the ‑‑ in particular, our online participants that the U.N. Secretariat is still working to get the captions from the session in, so it is a problem that is being looked at and tackled with urgency.

Thank you, once again, Melody and coming to another lady on our panel, Ms. Farida Dwi Cahyarini, who is the head of the Indonesian delegation here at the Internet Governance Forum.  She serves as the Secretary‑General of the Ministry of Communication and Information Technology in Jakarta, and now, after we've heard some inputs from Civil Society, could you please tell us more from the government's point of view and some specificities in Indonesia?  Ms. Farida, over to you.  Thank you.  Four minutes, please.

>> FARIDA DWI CAHYARINI: Thank you, Mr. and Mrs. (?). I would like to thank, most (?) country has Internet disruption since they are still facing the digital divide.  For example, in Indonesia, as a developing country, has the same situation in which digital divide is our major challenges, especially the diversion of connectivity between the eastern part and the western part of Indonesia.  Just for your information, that is an archipelagic country, having around 17,000 islands in the geographical condition where it's from one island to the other ones and the remaining area are higher than urban area.  This situation is implying the condition I just mentioned (?) that the regional digital divide will be our (?) in order to provide Internet connectivity, available and affordability to public.

Further, Indonesia also lies on the Ring of Fire, that's (?) often hit and is more vulnerable to the Internet connection.  For example, an (?) hit on October last year, (?) Papua New Guinea, a neighbor of Indonesia.  It cost communication and Internet disruption in the eastern part of Indonesia (?).  This is (?) cable in the region.  Taking into account the above condition in which Internet disruption will happen, the government of Indonesia is trying to provide the solution by rolling out the broadband fiberoptic infrastructure project, we call it called it (?).  This project is undergoing in the (?) region and the (?) will conduct it in the last 2019.  (?) is divided in three parts: in the west part, in the center part, and then also in the east part.  There are 13 6,000 kilometers, fiberoptic will online 440 cities our district and on the region.  Besides (?) the government, in cooperation with private sector also, many Internet traffic with Indonesia Internet exchange, also Indonesian exchange program.  Now we are discussing our current policy and regulation, government enables to terminate all access to the unlawful electronic information are connect by electronic system provider.  This is governed by electronic information and transection law.  We call is EIT law.

I think this ‑‑ our presentation ‑‑ thank you.

>> TATIANA TROPINA: Thank you very much, Ms. Farida, for complicating the issue by bringing another perspective of how natural disasters and similar events can have effect on Internet disruptions.  It was certainly useful for our session. 

Looking at the example of Indonesia, I would like to go to our next speaker who will tell us more about some experience in Brazil.  I would like to introduce to you Mr. Demi Getschko who is a key player on the team that established the first Internet connection to Brazil.  He's a member of the Brazilian Internet steering committee CIGBR, and he played a critical role in the definition of the Brazilian domain name system tree and in defining the rules that govern the Brazilian registry. 

Demi, looking at the Brazilian case and the question of how disruptions affect specific countries, could you tell us more?  Over to you with four minutes, please.

>> DEMI GETSCHKO: Thank you very much, Tereza.  I will just give you first some context about the Brazilian situation.  We are quite involved in the Internet from '89, '91, more or less, and we began maybe (?) academic initiative and then the academic initiative expanded to the whole community.  And you have some special situations in Brazil that in some ways relate to the issue today.  We ‑‑ in '95, we created a committee, the steering committee, as Tereza said, that in some way gives structure to the work of the first academics and so ‑‑ and now this is a multisectorial, multistakeholder body that predates even ICANN for some years.

And another important issue in this area is that in Brazil, since the CGI, the steering committee and since '95, Internet is not considered a telecom issue but an added value of the telecom infrastructure, and in this way we have a quite few regulations on the Internet, and I think it's a good thing.

Even in this situation of not having strong regulations over the Internet, we had some problems.  I remember 2007 we have a blockade in one platform, YouTube in that case because of a video of a Brazilian model, so not important, but anyway, we asked Internet persons involved in this situation, thought that it was quite a disproportionate measure, and the steering committee took two years to deliver a decalogue of principles that aimed to protect the main Internet concepts.  We presented this decalogue in IGF, if I remember, in Latvia, in (?) not Lat‑ ‑‑ yeah, and it was very well received. 

Since the promulgation of this decalogue, there was a lot of initiatives trying to build laws in the country.  And we also, after two or three years of struggle, could get approved the civil framework of the Internet.  That is a kind of law that establishes the views and the rights of the Internet citizens beforehand of beginning to criminalize or trying to take some measures on the dark part of the network.

And I think this civil framework was also very well received from the Internet community, you have a lot of good opinions on that.  I remember it was signed in the beginning of the (?), an interesting conference in Brazil that delivered two documents.

But just to go right to the point, some thoughts of mine, I think Internet (?) people are (?) to say, brought a lot of disruption in many areas of the community.  And along with disruptions, it's also in some way not well understood what is the role of the different ‑‑ of the thousands of networks that accomplishes the Internet as a whole. 

First of all, there is no direct mapping between the networks autonomous systems and the country boundaries.  Then if you want to in some way shield the country from some kind of application or site, of course, I'm not in favor of that, but this always has some kind of collateral effects in other regions or even in other countries because the mesh of the networks that constitutes the Internet has transferred between parts of the autonomous system has no direct, in my opinion, between these networks and the boundary ‑‑ the countries ‑‑ the boundaries of the countries. 

And then, of course, if you don't take the right measures ‑‑ and I don't think there are really right measures ‑‑ the ‑‑ your aim to blockade some platform or some site to your citizens normally has collateral effects much worse than you intended at firsthand.  If you add to this the losses, the financial losses you have impeding your citizens to access normal services, it put in balance, I suppose the result is not good. 

Then we are trying in our country to speak against laws or try to make this kind of suspension of services because they are not effective in a technical way and, of course, it's not appropriate also in keeping the Internet whole, as a whole, a single network for everyone.

Then, just to finish, I want to call your attention to the civil framework.  We have three pillars in this law.  One is the protect of the privacy, the other is the neutrality of the network, and the third one is the responsibility of the intermediaries in the process.  And I think we've got, really, a good set of laws trying to protect the Internet in this ‑‑ and the basic concepts and trying to keep the Internet open and available to everybody.  Thank you.

>> TATIANA TROPINA: Thank you.  Thank you very much, Demi.  I would like to maybe stress one other point, that the effect of local action in Internet disruption can never stay local because of the very nature of how the Internet works.  So that would be the key point from ‑‑ that I would take from your intervention.  Thank you very much.

After Demi's perspectives, let us bring in another stakeholder group, being the private sector.  We have with us here on the panel Mr. Christoph Steck from Telefonica.  Christoph is the director of public policy and Internet at the company, and he oversees the strategy and defines positions of the company on digital policy.  To add more, he is the chairman of the IG working group of ENOA, the European Network Operators Association, and at the same time the cochair of the Digital Economic Commission of the Internet Chamber of Commerce. 

Christoph, how are telecommunications providers affected by Internet disruptions, and how do you suggest, from the company's point of view, to tackle the issue?  Thank you.  Four minutes to you.

>> CHRISTOPH STECK: Thanks very much and good morning to everyone.  We are very much affected, of course, because our business is to offer access to the Internet, so any disruption, of course, is affecting our business very much.  And I think, actually, it's not just the private sectors we referred, I think we have a common interest as stakeholders between all groups to keep the Internet working and to keep access to the Internet.  I would even go so far to say that network shutdowns are a kind of lose‑lose position, basically everybody is losing.  I don't see how you can really see a big benefit in shutting down services and the network especially.

So the impact, you asked for the impact on us.  It's very obvious that when we have to impact through our licenses because we have obligations on our license when we operate, if you have to implement any kind of disruption, this has operational costs on us, it also has special costs because usually our call centers where the customers can call us usually immediately go down because everyone calls and says what's going on, and we have, of course, a huge reputational impact because people, in general, do not like at all any kind of shutdown.  So it's obvious that we have a business interest to keep the Internet on as much as we can.

And I think we have to ‑‑ I don't want to get into the taxonomy of Internet shutdowns, but, I mean, there's, of course, a big difference between getting down the whole Internet access network for all services so basically the Internet disappears, the access to the Internet disappears in a certain region or in a country which is, of course, the worst case and service act shutdowns which is happening more frequently recently which is basically that, you know, that government usually wants to block access to a certain service, a certain application.

I think the first one, where networks are shut down I think going forward they are not sustainable, to be very honest.  I think that the more you get into digital economies, the more you depend on connectivity.  There's simply no way that you bring down the whole network.  I mean, we go in great lengths to basically provide the Internet without any disruptions, as we just heard from Indonesia how complicated that is, and basically, I mean, to bring it down basically on ‑‑ due to the pure will of someone or a government, I mean, that makes certainly no sense.  All kind of services depend on that and we heard that from Anriette already, financial services, health, even the functioning of the proper government agencies depends on that.  So I think this is not going to ‑‑ I mean, cannot be sustainable the more you get into more developing economies. 

Having said that, I mean, service shutdowns, so taking down a specific service on the Internet and shutting down the access to it is, of course, something which we see raising.  Again, I mean, I think there are different motivations for doing that.  Sometimes you see the head of elections in some countries, which are usually not the most democratic ones, and where you see that, you know, basically there's a will to bring down services to avoid too much of policy engagement, but sometimes you see even democratic states.  There was a case in Brazil, despite the net neutrality laws and everything, a judge ordered shutting down access to WhatsApp for 24 hours to all operators in the country.  That made a lot of headlines because Brazil is, of course, a democratic country, and so that was an interesting case, and maybe we can discuss it later on.

What's the problem here?  Usually the argument from government side is national security.  Usually there's always a reason why operators, for example, have legal obligations in their licenses provided by the governments that we have to implement that.

So what's the way forward?  What's the solution?  I think, first of all, I mean, we have to work together, we have to work together to raise awareness, and we are doing that together with a lot of other companies from the technology sector and operators in GNI, the Global Network Initiative is trying to make exactly that, raise awareness, engage, and try to make sure that the governments understand that this is not a good idea. 

But apart from that, I suppose we should also think about, in a case that really governments ‑‑ a judge, for example, which is not exactly government, tries ‑‑ decides to do it, what are the processes of doing that?  Because sometimes the process can help here.  So we believe that it needs to be very transparent because sometimes it's not transparent.  Sometimes these are orders coming to someone, and it's not transparent that the government is behind that, you know.  And so basically we need transparency from governments.  We're trying to do whatever we can, of course, being transparent as a company, if that happens to us, but we basically also ask governments to do that.  

There needs to be adequate oversight mechanisms.  It can't, of course, not be that it's an idea easy thing to shut down any service on the Internet, I mean, let's be fair, there are huge human rights implications here, and despite the fact that there might be an argument, I mean, we have to have a proportionality test here, and basically this needs to be a higher barrier, needs to be adequate oversight.  And I think we need redress mechanisms once that happens, I mean, how can you really go and redress and go against it? 

In the case of Brazil, for example, there was redress to other judges, and in the court system, and finally the decision was overruled.  So I think this shows that you also have a redress mechanism, even in cases where you have a legal way of shutting down access to a certain service.  So that would be my first remarks.

>> TATIANA TROPINA: Thank you.  With companies being such an important player, obviously you're enlightening of the situation from the business perspective since your interest in that is very relevant for this discussions.  Which leads us to the formal part of the panel with the interventions, and the remaining time that we have available here should serve for a discussion. 

Once again, for those of you that have joined the session a bit later, we would like to follow a transparent procedure of you asking the question.  So if you have a question, comment, or an intervention, please be so kind and come here to front and we will use the order in which you stand there.  You can pose a question in general or a comment to either of our speakers, or you can also, obviously, pose the question to specific speakers, commenting on their previous interventions. 

The same procedure would be valid for our online participants, and I will be waiting for my colleague Diego to alert me when we bring them in.  Mr. Vint Cerf, could you please introduce yourself and state your affiliation.  

>> VINT CERF: There.  Amazing.  Maybe I should say nothing now. 

My name is Vint Cerf.  I'm representing Google today, but I wish to speak on behalf of the global commission on the stability of cyberspace.  Those of you who were around for Day 0 will know that a publication was made from the New Delhi meeting describing an attempt to defend what they called the public core of the Internet from interference and some of what we have just heard about could be considered interference with the operation of that public core.  So I guess I would like very much to invite comment from the panel on the importance and utility of the statement coming from the global commission as a means of drawing attention to the harms that some of you have already alluded to.  Thank you.

>> TATIANA TROPINA: Thank you very much, Mr. Cerf.  Would any of the speakers on the panel as well as any of our speakers for the next segments like to answer?  Anriette, please.

>> ANRIETTE ESTERHUYSEN: Thank you very much, Vincent, you helped me, I was going to bring that up myself.  And having the privilege of working on this commission.  Absolutely.  I think that can help.  What the commission has done is to develop a norm, and I'll read it, its title is noninterference of the public core.  Without prejudice to their rights and obligations State and non‑State actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet and therefore the stability of cyberspace.

And I won't go into the detail of what this means, but I think what this signifies is that different stakeholders can come together and develop some normative guidelines that can, then, be adopted and adhered to, and if not adhered to, can be ‑‑ accountability can be demanded on that because I think there's a little bit of a vacuum, I think as Christoph said national security is often used as the premise for Internet disruptions, there's lack of transparency, lack of due process, and that's become the norm.  So what we need are different norms, norms which actually can be used to hold those actors involved in these disruptions accountable.  And I think from a Civil Society perspective, we also need to be able to hold the private sector accountable and I think one of the challenges here is that when you do challenge the private sector, they often say we had no choice, it's in our licensing agreement with the telecom's regulator that we have to follow these instructions.  And I think in terms of changing this and really stopping this from happening, we need to be able to have recourse where we can challenge states and operators and not allow them to blame one another.  So, yes, I think this norm, Vint, definitely can make a contribution.

>> TATIANA TROPINA: Thank you, thank you very much, Anriette.  I would like now to go to an online discussion.  Do we have a question, Diego, from the online space?  Then we go immediately back to you.

>> DIEGO: Yes, we do, Tereza.  "Mr. Getschko mentioned net neutrality as one of the pillars of Internet policy in Brazil.  How do you think that each country's net neutrality position and regulation affects cross‑border access thinking of how local interventions affect global impacts?"  The speaker is not identified.

>> TATIANA TROPINA: Uh‑huh.  Very timely issue of network neutrality.  Over to you, Mr. Getschko.

>> DEMI GETSCHKO: Very quickly, I think neutrality is more related to the Internet providers, and providers is more related to the national structure to the local structure.  Of course there will be some effects if you drop the neutrality in other places in the world because of platforms you normally use, but, of course, I think this is more a (?) located problem if you deal with the local providers.  And, of course, there is a lot of discussion on that.  But in the Brazilian case, we have this written in the law, in the Brazilian civil framework, that you have to provide the Internet in the same fashion you got it from the others.  Then you, as a provider, cannot alter or change or in some way interfere on what your customers are finding and looking and searching on the Internet.  But this is a complex issue, of course.

>> TATIANA TROPINA: Thank you.  Thank you, Demi.  For ‑‑ any questions?  Because we have for your information not more than ten minutes to continue with Q&A.  Please limit to two minutes, max, same thing for questions and answers, if possible, shorter.  Over to you.  Please introduce yourself.  Thank you.

>> SUBIT: Thank you very much.  My name is Subit (saying name), I come from India.  I had public affairs and policy for the Cellular Operators Association of India.  We have over a billion connections, and yet when it comes to numbers, as a paradox, just 28% of India is online which also means that we have a lot more we need to bring online.  When we look at another equation, there's just 26% of that who are women.  So my question really is to Anriette and to Christopher.  I hear you, Christopher, when you talk about the fact that there are Internet shutdowns, and let us remind everyone, it affects business, which means we're losing billions of dollars when we're told to shut down the net for over 14 days at a stretch because there were some local exams that were taking place, and there was a possibility of cheating.

So it's not like the private sector enjoys shutting down the Internet.  What we do call for, and which is the core of this discussion, which is enhanced collaboration and cooperation.  So it's easy to point fingers, but it would be wonderful to hear from the panel if we can look at multistakeholders on the panel proposing a way forward on how we can work together when we're called to order.  And we are licensees, we're obliged to shut the net down when the government asks us to do that.  So these are rare problems, and we don't want to brush them under the carpet. 

My second important question is to Anriette, when we speak about the public core and ransomware, wannacry, these are real instances which have had a ripple effect, so while we understand that there are several layers and applications to Internet Governance if we can speak a little more on a Geneva‑like convention perhaps because the time is really now when we could truly work together thank you very much.

>> MODERATOR: Thank you very much, Subit (phonetic).  First to Christoph, then to Anriette with their reactions.  One minute, please, if you can, thank you.

>> CHRISTOPH STECK: Well, I think I told you, Anriette tried to say that before that we have no business interest of doing that.  I mean, so if you have a private company, I mean, of course you're not all operators in the world of private companies, some are state‑owned.  But if you have a private company you will not see anyone saying hooray when you have to intervene your service which you're offering to repeat (phonetic) to your customers so that's for sure. 

What can we do?  As I said, I think we need to kind of, first of all, fight for the rights ‑‑ legal frameworks that if these things happens there are redress mechanisms.  You have to be able to go somewheres and say this was not the proportionate measure.  I think the case from India, I don't know in detail, but it sounds like a weird case, you know, so it sounds like a case you should not really shut down the Internet for cheating on exams, I mean, that's obvious.  I mean, there might be other situations where there might be a good reason to do it, and I think there are people who should take these decisions in the objective and neutral (?) and not by political incentives.  So I think I would ask for this kind of framework where you can basically redress mechanisms.  Apart from that we have to lobby together and we have to speak to governments together and make them aware that this is really a bad idea.

>> MODERATOR: Yes, thank you for bringing in the practical aspects.  Quick update, live captioning is on.  Thank you, IGF Secretariat.  Now our online participants can have the full experience.

Quickly, with a reaction to Anriette, then Melody, and then we move to another question from online participants.

>> ANRIETTE ESTERHUYSEN:  I'll try to be very quick.  I think on the first question, I want to affirm what Christoph said.  I think you cannot solve social problems, or problems in the public sector, the educational system, or lack of effective protection of children in your society, in the offline world, by disrupting or overly filtering or blocking content flows in the online world.  So I do think there's a tendency sometimes for states to look at quick solutions to quite deep‑seated problems and that just doesn't work. 

On the question about the treaty or the convention, and I'm not saying that that's not one day possible.  I think what we're trying to do the work of the commission and it's easy to go and look at it, it's cyberstability.org, is to see if we can get this nonbinding, this norm adopted, and with that norm comes the notion that the Internet is public, that it belongs to all of us, not public in the sense that governments can control it, but public in the sense of a common resource.  And if we can get massive or wide range, multistakeholder support for this norm that the public core for the Internet should not be disrupted, then perhaps that can lead to a more firm binding agreement that we would like to start with ‑‑ with promoting the idea of this norm at this point.  

>> MODERATOR: Thank you, Anriette.  Melody.

>> MELODY PATRY: No, I just wanted to quickly jump on the fact that India ordered the government shutdown with the justification to prevent cheating for ‑‑ during school exams, it's actually not a unique case.  In 2016 and 2017 we recorded over 30 instances of Internet shutdowns around the world during school exams.  So this justification alone, it took place in India, it took place in a number of countries in Africa, in the Middle East.  So this justification is a serious issue and, actually, it's not the only justification that is used to justify shutdowns.  Sometimes, you know, you can also question the good will of the government and whether they really believe that cutting off the Internet will prevent exams.  Sometimes, you know, it is that these shutdowns happen at the same time as social unrest and protest, so these are all considerations that we have to take into our mind when talking about possible remedies and means to redress and also contest at courts these orders.

>> MODERATOR: Thank you.  So from the global problem of exam cheating, I apologize, there is no question online, so we can go directly to you.  Thank you.

>> Good morning, thank you for the presentations.  My name is Patricia, I'm a fellow at the Internet Society Proletariat (phonetic) Law School.  And I have a question specifically referring to the differences in taxonomy about the Internet, of the shutdown of the entire infrastructure, not the applications.  The whole debate usually points to developing countries or authoritarian regimes.  But I would like to ask to the members of the panel, this practice, as far as I know, has also been in the debate of the well consolidated democracy.  Probably for very different reasons that ‑‑ of authoritarian regimes or developing countries.  How do that do it, well, by affecting some layers of the TCP/IP protocols.  So I would like to ask you how much do you know about this debate and these incidents in the well established democracies.  Thank you.

>> MODERATOR: Thank you, Patricia, for your question.  Would anybody from the panel like to tackle this one?  Would you like to?  Melody?

>> MELODY PATRY: Yeah, I mean, I don't have the specifics, but something that we did at Access Now as part of the Keep it On campaign, and thanks to all of our members in our efforts to record and monitor instances of shutdowns, is we also look at the justifications that are used and also at the technicality that is being used, whether it's even like slowing down ‑‑ slowing down the connection or any form of interference with communications, Internet connectivity.  And we developed, with ‑‑ thanks to our tracker, we have this map that shows the number of countries, and if you look at the map you'll see it's not just authoritarian countries and developing countries, there were also allegations that Spain, during the Catalonian referendum somehow interfered with connections in the Catalonian region.  So we really need to be more cautious and very alert at the countries that are implementing shutdowns and looking at the justifications that are used and the technical means that are used to bar or prevent or slow down connections.

>> MODERATOR: Thank you very much, Melody.  We will need to speed up in order to accommodate two of you, if possible, at least.  Please, over to you.

>> IAN BROWN:  Ian Brown speaking here in on a personal.  I know, Anriette, there's a lot of work on human rights and others have mentioned that topic.  I co‑authored a report for The Global Network Initiative a couple years ago called Digital Freedoms in International Law, and we addressed many of the issues that have been talked about.  Those rights are already there in international law.  So I think, as a multistakeholder protest, we need to find ways to involve the U.N., the Human Rights Council, the Human Rights Committee, and then at the regional and national human rights authorities to start enforcing these rights and doing all the good things that the Telefonica gentleman was mentioning about oversight and proportionality and recourse, they're all there.

>> MODERATOR: Thank you, Ian.  Would you like to react?

>> ANRIETTE ESTERHUYSEN:  Just ‑‑ just ‑‑ you're absolutely right.  There's no accountability.  Doesn't mean we shouldn't try to use these mechanisms.  I think what we need to is to use them in a concert way, to use global, regional, and national mechanisms and to get serious cooperation.  And, as I said in my opening statement, I think we also need to be willing to be a little bit more disruptive in how we practice the multistakeholder approach.  I think we sometimes hold back from really confronting actors who violate rights, and I think that the approach should be able to accommodate that confrontation and holding actors accountable.

>> MODERATOR: Thank you.  Ms. Farida, would you like to elaborate a bit on the global norms aspect of the ...

>> FARIDA DWI CAHYARINI: Thank you, Mrs. (?). (?) the digital economy and the stability within our agenda.  I think it's ‑‑ Indonesia is open, they're doing with the another partner or democracy.  Thank you.

>> MODERATOR: Thank you very much.  I will move ‑‑ if you cooperate, Bertrand, and limit three 30‑second quick questions so that we can have everybody ‑‑ because we will have to move to the next segment and we will be fine.  Thank you.

>> BERTRAND de la CHAPELLE: Good morning, I'm Bertrand de la Chapelle, I'm the executive director of the Secretariat of Internet and Jurisdiction Policy Network. 

Just a quick point to complement what Demi was saying regarding the question of the collateral impact of the transbander (phonetic) impact.  For your information, the Council of Europe in 2011 had a recommendation included a provision regarding the necessity for national governments to make an assessment of the transbander impact of any national decision. 

The second element is Anriette was mentioning the core, and there was a discussion of ‑‑ we use the expression the common heritage of mankind for other things.  Actually, the Internet is the common creation of mankind.

And the final element we mentioned the WhatsApp or the blocking that might happen at a technical level.  Sometimes we pay too much attention to the symptom and sometimes we need to look at the cause.  And here the cause is the problem that ‑‑ access to user data for criminal investigation is not a problem that is solved and I just want to highlight this.

>> MODERATOR: Uh‑huh.  Thank you, Bertrand.  I take it as a comment.  Yes.  Thank you please.

>> Hi, I'm (saying name), I work as an Internet free analyst with the BBC World Service.  And basically to get to the point, I think there's a need for better monitoring of Internet shutdowns.  Access Now have been doing a lot of great work, but they're always ‑‑ approach is that we can't use because if people in countries who are shut down don't have access to Internet, how can we know there's no Internet? 

And the second point is that I notice that governments often seek to target the Internet because it's a soft target, and they really fear the spread of information, and I think that their adversaries will always use the Internet to get back at them.  And for that I think there's a need for the Civil Society to engage in building the capacity of governments and using the Internet to actually improve peace and security and communicate with their audiences.  So, yeah, that's it for now.

>> MODERATOR: Thank you very much.  I also take this as a comment.  I'll ask, please, Fiona.

>> FIONA ASONGA:  Fiona Asonga, CEO of TESPOK, a communication (phonetic) search point.  Mine is a comment to support the entire discussion of Internet shutdowns.  And I speak here wearing several hats.  A number of you know me as one of the core (?) of a proposal for the African Internet Registry that shut down governments that shut down the Internet.  But why we are doing that is because we wanted to engage the governments where there is no engagement.  We, the government, by the technical community, not the Civil Society, the technical community, the owners of the infrastructure, there are Internet shutdowns.  Kenya is a case study.  We've had a lot of upheaval in Kenya in the last one year because of elections, because of exam cheatings, but we never shut down the Internet.  Instead, the Internet was used to make the exams better and more accurate instead of it being shut down because of the cheating and the cheating issue is addressed differently because it's a different kind of a problem. 

Because of all the election upheaval and the reruns of the elections and everything we've done, there's a lot of social media instability and everything, communication and everything, but we were able to work with the government, and we were able to ‑‑ as the private sector, as the owners of the content management platforms and the infrastructure and we were able to solve the specific problems. 

What many governments don't know is that it is technically possible to address specific problems on the Internet.  And if we don't teach them that, then they will say no.  There's a problem on WhatsApp, block WhatsApp; if there's a problem on Twitter, block Twitter, block this, block this.  Shut down the entire Internet.  Why?  Because they don't understand.  But it is the responsibility of the technical community, the people who build the infrastructure, who set up all these platforms to be able to educate government on what is possible and what is not possible, and what can be achieved, because if we then collaborate in that setting, we can achieve once more.  When Civil Society come in, Civil Society sometimes don't understand the issues that the investors in that infrastructure are going through.  So ‑‑ and that is why we take from a business point of view is that this is a discussion that should happen between the owners of the infrastructure, the technical community, and the government so that we build capacity in government to help them address very specific issues online.  Thank you.

>> MODERATOR: Thank you.  Thank you very much, Fiona, for this comment.  We certainly follow the logic of the session where we try to have a dialogue about it.  This is not an issue or responsibility of a single stakeholder group.  And we are happy to have the technical community to join this discussion. 

I would like now to ask you to join me, thank Demi, Melody, no longer present, Tomas, Ms. Farida, Christoph, and Anriette, for their excellent contributions at this panel.


>> MODERATOR: And we will now have a quick speaker reshuffle.  Thank you.  Please join our table in the middle.  Do not leave the room because we would very much welcome your contributions for the segments of encryption and data flows.  And I would now like to invite Riana, Raúl, Luis Fernando, Paul, Nicholas, and Moctar to join me up front. 

Thank you.  There are some disruptive elements in this discussion.  So here we go.  We are starting the second segment of this main session.  Welcome to anybody who has joined us right now.  This is a session looking at the local interventions and global impacts on the issues of Internet disruptions, encryption and data flows, and we are entering the second segment. 

I would first like to give the floor to my colleague on my right, Ms. Riana Pfefferkorn, who is the cryptography fellow at the Stanford Center for Internet and Society.  Her work concentrates on investigating and analyzing the U.S. government's policies and practices for forcing encryption and influencing crypto‑related design of online platforms and services, devices, and products. 

Riana, how do you think the debate around encryption has evolved to a point where it poses a threat to public and national security that we believe might require an international action?  You have five minutes, please.

>> RIANA PFEFFERKORN: I'd like to start by saying that encryption is not a security threat.  Encryption promotes public security both in ‑‑ in both senses that Anriette mentioned, both as to countries and to individuals.  And I'd say it's vital that the world's democracies respect and support and the use of strong encryption both for communications and for stored data.  And that's for at least two reasons. 

The first reason is that encryption is very important to human rights, which is a point I think I probably hardly need to make before a group like this.  It protects activists, dissidents, journalists, NGO workers, and minorities, be they religious, ethnic, sexual, or political minorities from governments that don't respect human rights.  So if a democracy that purports to respect human rights stands up and says we don't support strong encryption, that makes it easier for oppressive countries to stand up and say neither do we.  And if those countries undermine encryption, they make it harder to use strong encryption in devices or in apps or other software or for web traffic then the people that they persecute within their borders will have weaker security and they're at greater risk at persecution from their governments.

So if a democracy says it supports human rights and yet refuses to support strong encryption, it's giving cover to oppressive countries to carry out the very persecution that democracy says it abhors.  And it's given up the moral standing to push back against that persecution.  So if a democracy says we need to undermine encryption so that we can investigate crime, it's harder for it to criticize an oppressive regime that is doing the same thing, but the crime in question is saying something bad about the king or being gay. 

The second reason that it's important for democracies to back strong encryption is that ‑‑ again, I hardly need to say this here ‑‑ but we're all interconnected.  We might use a mobile device that's made in one country running in an operating system that's made in another country and on that mobile OS maybe we're using an app that's made in country number three to access an account that we have on a server that's physically located in country number four, and maybe we personally are located in none of those countries at all, country number five, like many of us probably are right now.

So if one country bans strong encryption and a company in that country, we can get services encryption to comply with the law, that undermines the security of all of the companies' users worldwide, not just the users in jurisdiction.

So information security is a global matter.  It's also a temporal matter in that laws that weaken encryption today, by mandate, will end up having consequences in the future that we may not even understand today.  We already have seen in the past how the U.S.A.'s previous regulations on export grade cryptology had security ramifications years after the fact even in the last couple years, well after the United States lifted those export restrictions. 

And the flip side of this is that if one country bans strong encryption but other countries don't, then there's an incentive for some entities to move to those latter jurisdictions that they can keep doing business without weakening their products and without losing users.  And that makes the first country's ban kind of pointless.  All they did was push the entity to a place outside the reach of its laws that it's trying to regulate and it may not even be able to keep its own citizens from accessing those encrypted products and services because they are still available from abroad.  Or if the country technically blocks users from accessing those encrypted services after they've moved abroad, then those users may turn to less secure alternatives, and that just has the effect of placing the country's own citizens at greater risk because they've forbade strong crypto and now its own users are using something that provides weaker security than would be available from abroad.

But it also puts those users who do still use products after they've moved abroad at the mercy of whatever the new host country's laws are.  So maybe the new host country that an entity moves to doesn't ban strong encryption but maybe it has other laws about cybersecurity or privacy or bulk surveillance or data localization or restriction of free expression that will still end up affecting those users assuming that the entity complies with all of its new host country's laws. 

So if the world's democracies chase away the developers of encrypted devices and services off to countries that have laws that those democracies aren't okay with, then those democracies end up subjecting their own citizens to those other countries' laws as an unintended consequence of their own laws about encryption. 

And so those are a couple of the reasons I wanted to highlight for democratic countries that have a strong rule of law to realize that strong encryption promotes the rule of law and promotes public security, it doesn't undermine it the way that so many law enforcement officials, even in democratic countries, are so fond of saying.  Thank you.

>> MODERATOR: Thank you, Riana.  That was a great intervention on the spillover effects of the local action.  Thank you also for respecting the time perfectly. 

Now we will bring in perspectives from various stakeholder groups.  And I would like to start with a colleague at my left from the technical community, Mr. Raúl Echeberría.  He's the vice president of global engagement at the Internet Society, and he's the former CEO of LOCNIC and former mock (phonetic) member. 

Raúl, what are some of the dilemmas in the debate on encryption in the spirit of the session?

>> RAÚL ECHEBERRÍA: Hello?  Thank you.  Okay, thank you very much for the opportunity to speak in this session.  I think that Riana almost covered everything so that makes my work much easier. 

I would like to take some of the ideas that she already mentioned.  Encryption should not be ‑‑ encryption should be the norm and should not be seen as an area for cybersecurity and the Internet is a critical tool for strengthening user safety and human rights. 

And the issue with encryption is that you either have it or not and there is nothing in between.  And so the choice is very easy.  We don't have too many options. 

Law enforcement agencies and also intelligence agencies claim to have options to access encrypted contents and communications, and it is important to make a distinction here.  It's not the same.  Sometimes we just speak about governments in general, but it's not the same when we speak about law enforcement ‑‑ law enforcement agencies that's ‑‑ have legitimacy under local laws and it's a different thing when we speak about intelligence agencies, that's just motivated by this type of doing surveillance, massive surveillance, so it's absolutely different.

The issue with the law enforcement agencies is that there is an illusion somewhere that some people have this illusion that encryption ‑‑ a tool for breaking encryption could be available only for the good guys.  And this is a very common ‑‑ we see that in the speeches.  And in this world the bad news is that it's very difficult to differentiate who are the good guys and who are the bad guys.  It's not like movies that it's much easier.  But even if we would be able to define who are the good guys, it is impossible to provide warranties that the tools for breaking encryption would be available only for them and there are plenty of examples of how technologies that have been used by intelligence agencies at the end of the day are available for hackers and other people. 

And some governments would like to have those instruments available only for them, but I'm sure they don't want the same tools that would be available for other governments.  So that makes it very complex, or not, or it could make it simple.

So the ‑‑ encryption ‑‑ why encryption is important ‑‑ and Riana covered it very well ‑‑ is it's important for protecting personal data, it's important for companies' information, and it's important for protecting government interest in different ways.  It's ‑‑ the economy today is based on many activities that happen around the world.  So the security of the information is very important for the stability of the economy.  So look at ‑‑ if the encryption in financial transactions are ‑‑ is broken, so it would have a huge impact in the economy of the countries. 

But it's important also ‑‑ as I said before ‑‑ for the confidentiality of the communications of the government and also for the businesses of the government like paying taxes.  That's ‑‑ the governments need secure ways of collecting money from the taxpayers.  So it's also important in that ‑‑ in that sense.  It is very important because it's important for enhancing freedom of the people, of course.

In a few words, we ‑‑ our life is a digital life at this moment, at least for half the population of the world, and so we need tools for protecting our privacy, our interests, and our freedom in that world, in the digital world. 

So the real dilemma is how to provide tools for law enforcement agencies without affecting the trust of the Internet.  This is through collaboration.  So we need to find other ways to provide ‑‑ okay ‑‑ we need other ways to work together for providing tools that don't affect the trust of the Internet, and collaborative security, working together, is the best way forward.  In the Internet Society we have very successful experiences working with the African Union, it was developed last year, we called it Internet infrastructure or cybersecurity guidelines, this is the way forward, working together among stakeholders.  Thank you very much.

>> MODERATOR: Thank you, Raúl.  It's a hard job to stop because you have excellent interventions, but the other choice is I get criticized for doing a bad job.  Excellent intervention on the dilemmas.  Thank you very much, Raúl.

I would like now to go to the perspectives from the international organizations' point of view to Moctar.  Moctar Yedaly is the head of the Information Society Division at the African Union Commission.  He's an engineer with MBA international business, and he has more than 20 years of international experience in communication and (?) management. 

Now, Moctar, Africa is one of the unique regions that has put together the convention on personal data protection already in 2010.  You were visionary in a sense because you envisaged a link between data protection and cybersecurity.  Could you tell us more about that?  Again, keeping it with the spirit of the session of the local actions and global impact for a minute.

>> MOCTAR YADALY: Thank you very much.  To make it very good, I will just display a few slides I had a chance to present quickly.  And if you will allow me, I will speaking in French, the reason being is to show a kind of diversity within the Internet Governance Forums and to allow the interpreters, some of them, to rest a little bit because speaking all the time English will be ‑‑ so but this meeting doesn't count on my time, by the way.


>> MODERATOR: Because you have the presentation, you can see the timer, but I have the timer here.

>> MOCTAR YADALY: So I'd just like to say that Africa or the African Union Commission saw a long time ago that it was important to provide Africa with a certain framework which would allow us to benefit from the technology advances.  You know that we cannot miss that turning point.  We cannot fail to use the new technologies for our own purposes, and especially the transactions in terms of health, education, and so on.  So the heads of African states and government decided to set in place a convention on cybersecurity and transactions and especially on the protection of private data.  That's extremely important, and it is the only convention in the world today which deals with data protection, because there are two types of convention, the Budapest Convention and the African Union Convention.  One relates to cybercrime and the other relates primarily to data protection and data transmission and so on.  So this convention is made up of three main parts. 

And one of the main reasons which led to the establishment of this convention ‑‑ well, actually, there are three reasons ‑‑ the first relates to the fact that Africa is now a leader in financial transactions worldwide. 

The second is that the introduction of what we call digital identities such as electronic passports and IDs, for example, have led to a number of questions with respect to democracy and elections.  You will recall the Rwanda genocide where a certain number of ethnic groups were identified, and subsequently, it was essential for us to ensure that there was a convention in place to protect all private data.  And so the next slide, please, next point.

So the convention is made up of three parts.  So the first relates to electronic transactions, the second to personal data protection, and the third to the promotion of cybersecurity and combating cybercrime. 

What is crucial ‑‑ could we go back?  Thank you.  The convention defines cryptology and cryptology activities.  It also specifies the tools and means available for cryptology, and it includes coding and encryption.  It identifies what authorized access is, it defines what health data is, and also what the interconnection of personal data is.  And that's the topic of our session today. 

Moreover, it defines personal data, a personal data file, the processing of personal data, the obligations and duties of those who receive personal data that has been processed, it defines secret conventions, and especially sensitive data.  And I'll stop here because I think my speaking time is up, and I thank you very much for your attention.

>> MODERATOR: Thank you very much.  You kept within the limit perfectly.  Thank you for bringing in this case that you have implemented in your region.  And it was certainly useful for discussion, and we can come back to it in the discussion alert that also for this session, if you want to intervene, ask a question, we will be using a queue here at the microphone in the front, on your left.  Feel free to stretch your legs and to move in the direction already to assure your spot.

I would like now to move to Luis Fernando García who is the executive director and co‑founder of R3D, the Digital Rights Defense Network, which is a Mexican organization that defends human rights online.  He's a law graduate that has worked as a policy fellow at [Spanish] in Argentina, sorry, and he's got ample experience in human rights and technology issues. 

Can you talk to us a little bit more on the risks of encryption?

>> LUIS FERNANDO GARCÍA: Thank you.  Thank you for the opportunity to speak.  I want to reiterate it because it's important to make sure that everyone understands that at a personal level why encryption and privacy is important, and maybe many people here understand it, but I want to give some examples on why and what the extent of the importance of this is, and, of course, encryption and anonymity provides essential protections for security, privacy, and freedom of expression, but, for example, in México, journalists are under constant threat from private and public actors.  In the last 15 years more than a hundred journalists have been killed or disappeared.  This has created several problems with regard to flow of information in México.  It has even created what we are calling zona silence, places in which violence is so grave that traditional media do not dare to report on what's going on on those zones.  And it's in these zones in which digital media and digital journalists have become some of the only sources for information.  And for them privacy encryption are essential tools to protect their lives and protect the lives of their sources.  So I wanted to mention this to understand the value of encryption in a context like this. 

And because of this, many civil society groups have invested lots of resources and time in teaching journalists on how to protect their privacy and how to use and adopt encryption.  And definitely we've seen a lot of progress in the adoption of encryption from many companies, and I think that's great progress.  However, I want to raise a problem that is now evolving. 

The attackers ‑‑ and I really agree with what Mr. Echeberría was saying ‑‑ particularly in a place like México, you can't differentiate between the good guys and the bad guys so easily.  You can paint the government as the good guys and other people as the bad guys because, in reality, on the ground it's mixed up, there's people in the government that work for organized crime and vice versa.

So a trend that we are very concerned is that keeping this proliferation of encryption now bad guys, both in government or outside of government, are using tools like malware attacks that circumvent the problem of encryption, and particularly they are buying those ‑‑ those capabilities from commercial vendors.  In a way, we are very concerned that encryption is leading this trend into governments with ‑‑ like México or Ethiopia and others purchasing these tools to circumvent the encryption and to target journalists and (?) have been revealed in the last ‑‑ the last year. 

So I really want to leave the discussion for now with this idea.  We need to think about, of course, keep pushing for encryption adoption, but do not forget that there is this problem here.  And it's a particularly important problem because, in a way, many governments like México are investing and giving money to an economy that is dedicated to break our equipment, to break our software.  And this creates ‑‑ this is a local problem that creates a broader problem.  We are fueling an industry that is harming the trust and the safety of our ‑‑ of the devices and of the Internet in reality. 

So we need to figure out a multistakeholder approach to really make these type of actions accountable and these type of governments and other actors accountable for disrupting not only affecting the lives and security and safety of journalists and (?) offenders but the overall trust and resilience of the Internet.  Thank you.

>> MODERATOR: Thank you, thank you very much, Luis Fernando, in bringing in the examples from México and related issues of strong encryption and human rights.  This gives also a very nice bridge to the intervention that we will have from the private sector, and I would like to welcome here Mr. Paul Nicholas who is the senior director at Microsoft, where he leads the strategy and diplomacy team which focuses on advancing cybersecurity, Cloud computing, and risk management.  And prior to joining Microsoft in 2005, Paul has worked at the ‑‑ in the U.S. government focusing on emerging threats. 

Paul, please tell us more about the perspective from the private sector on encryption and your opinion on the nature of international cooperation that we should seek here.  Four minutes to you.

>> PAUL NICHOLAS: Certainly.  Thank you.  First of all, I couldn't agree more with some of the statements that have been made by my colleagues on the panel.  I think the world is going through a profound period of diffusion.  We're watching a diffusion of power and of insecurity and of opportunity at a scale that I don't think we've ever seen before.  And in some ways rapid advances and Internet connectivity and advances in Cloud computing are taking ideas and capital further than we've seen them go, probably at any point in human history.

But this shift is making some governments really nervous, and it's causing them to want to try to block encryption, weaken encryption, because ideas are powerful.  As a provider of technology, we look around the world, and I think in some ways, not to seem like I'm ‑‑ reflecting things that have been stated, but encryption saves lives.  As Riana I think just artfully talked about, you know, whether you're a member of a minority community or a journalist or a human rights worker, in many parts of the world, encryption is what protects you and your family and your business.

Secondly, encryption is core to how we manage risk in the modern enterprise, it is how you protect data, it is how you protect operations.  I think after the Snowden allegations of 2013, you saw many governments start to ‑‑ excuse me ‑‑ many enterprises really reinvigorate their view of encryption, looking at how do they actually implement end‑to‑end encryption, what are the things they need to do.  And so I think there have been some really positive advancements in that space as people start to take a new look at risk management and the types of things that are capable for them.

I also think it's very interesting, James Comi made a statement in the recent past that goes something like this:  "I love strong encryption.  It protects us in many ways from bad people.  But it takes us to a place we have not been before ‑‑ absolute privacy."  And I think that in some ways sums up the challenge that we have in many respects with governments when it comes to law enforcement and what is the appropriate balance between this.  And as a private sector company, we live in the middle of this space.  How do you strike that balance between providing strong products that protect your customers, no matter where they are in the world and in the various jurisdictions that they travel.  And I thought your point, Riana, was great about the fact that nobody stays in one place anymore, people are mobile, and I have to live and survive in different environments.

But what is that structure that provides appropriate law enforcement access, how do you establish something that is both principled, protecting of human rights, and actually something that does not undermine the fundamentals of the technology?  And for that we actually do need a multistakeholder approach.  We have to find that balance.  And there was something that Anriette said, I think, on the first panel that was really important.  We have to find a way to hold others accountable for enforcing human rights and protecting those human rights, and I don't know how we do that.  I think there's a lot of different ideas on the table, certainly, in the law enforcement space, several companies have come together under the rubric of reformed government surveillance to put ideas out there, but then there is another issue we still have to think about and that is it's not just governments that have the ability to break encryption, it's also criminals and others who will use that technology to undermine.  So we have to have a joint solution that allows us to cross boundaries if we're going to succeed.

>> MODERATOR: And you finished one second before your timer went off. 

>> PAUL NICHOLAS:  Whew, a lot of pressure.

>> MODERATOR:  Thank you very much, Paul, not only for that, but also for this very accurate intervention, talking to us about the challenges that you as a private sector are facing.  You've said that encryption saves lives.  Also coming back to the point that Anriette said at the very beginning of the session when she was discussing issues of disruptions encryption in general, that these are issues of immediate concern to us as individuals, not only as the policy issue.  Thank you. 

Which leads us to the questions and answers segment.  We have about 20 minutes.  We are using the queue.  If you want to make an intervention comment or a question, please make your way to the microphone.  Subit, please introduce yourself again as we have people changing in the room.  Thank you.

>> SUBIT:  Thank you, very much for the floor, my name is Dr. Subit (saying name) I come from (?).  I work on policy and public affairs.  It really warms my heart when I hear you say that encryption truly is the defender of human rights.  We have an interesting problem.  When we're looking at governments across the world, especially developing countries and emerging economies, while there's a bank of India calls for 48‑bit encryption, the licensor calls for 16‑bit encryption.  So you, when you're working in syntax (phonetic) especially, are in constant danger of being in violation of one law enforcement agency or another ministry.  What is wonderful to look at is if we can look at governments not working in silos and also look at national and global processes where maybe an intersessional that looks at best practices, encryption, and privacy.  What is also amazing about the IGF is the fact that there is no one stakeholder which is dominant, and every single stakeholder is equally important, has a say at the table. 

That brings me to García.  When we looked at WannaCry ransomware, we also looked at what abilities that governments held against corporations.  I'll just rest here.  When we're looking at cases like Uber, we're looking at states and cities bringing about class action suits, bringing about cases.  So if we can look at accountability from the government, if we could just speak to that a little.  Thank you.

>> MODERATOR: Thank you very much, Subit.  Please, because the line is getting bigger, limit your question to one minute max, and the answers, if possible, 30 seconds.  Mr. García, would you like to react to Subit's question?

>> LUIS FERNANDO GARCÍA: Yeah, very rapidly.  I think governments have shown not to be able to protect secrets about how to break into computers and software.  The cases that were mentioned, for example, the U.S. government having the ability to perform very sophisticated attacks and they ‑‑ they lost that knowledge and that was used against their own citizens and other companies. 

So when we're talking about encryption and about maybe creating a key that only the government can use, I think there's lots of evidence that governments, when they have this power, they abuse it, or even when they are willing to just use it in limited ways, they are not able to protect that knowledge just for themselves.  So I think that's why this is not a road that we can go forward with the problem with encryption and limited interventions by authorities.

>> MODERATOR: Thank you, Luis Fernando.  Please, the floor is yours.  You have a timer up front should it help you.  Thank you.

>> AUDIENCE: Okay.  (Saying name) speaking.  I'm here by myself, and I really agree on everything that has been said about encryption and how it protects human rights, but I have this question about what is being done to support the technologies that are working on the encryption tools.  And I know a lot of open source software such as create (phonetic) or PGP that have been facing struggle at some point in terms of people working, developers, or even people working on the communication side and writing to (?) translation and stuff like that, and I would like to know if the private sector and the public sector, what is their investment, their commitment on this point?  Because we rely on tools that are not being supported enough, in my opinion.

>> MODERATOR: Thank you.  Thank you very much.  Paul, would you like to react to this?

>> PAUL NICHOLAS: Sure.  You know, I think much more needs to be done to support open source encryption tools in this space.  I think people are looking for lots of flexibility and opportunities to be able to plug and play that into ‑‑ whether it's Cloud solutions or desktop solutions, I think that's something that, as a community, we have to find new ways to work on that and new ways to advance that.  I think it's interesting when you look at some of the investments in open source, they have been rather small over time, and we have to find a way to sort of shift the balance in that area.

>> MODERATOR: Thank you, Paul.  Quick reaction from Riana and Raúl.

>> RIANA PFEFFERKORN: So I think this is an area where governments and stakeholders have a part to play.  In terms of standing up for strong encryption, one thing that governments can do is to really put their money where their mouth is.  So, for example, the way that the Tor Browser, which enables people to sort of (?) anonymously originated was in part with backing from the United States Department of State.  And so I think that's an opportunity where helping to support free and open source software solutions might be something where governments could, instead of retreating from strong encryption, really signal and commit to their support for it by helping out the people who are developing it.

>> RAÚL ECHEBERRÍA: I always forget.  I think that's ‑‑ encryption has been a priority for the Internet Society for many years.  We have contributed to the development of tools, working to understand the design of technologies in working on all the aspects of this.  We support, in fact, some initiatives that are being developed now, big initiatives, to provide open source solutions to ‑‑ yes, I think we can do always more but we do a lot.

>> MODERATOR: Thank you, Riana and Raúl.  Going to our online participants, thank you for your active discussion in the online space.  Jamila, please.

>> JAMILA:  Yes, we have one question here:  Can we please clarify if he was indicating or if you would agree that governments should share vulnerabilities that are found so the vendors and the public can protect themselves, that these weaknesses shouldn't be kept secret for surveillance purposes but shared to protect users.  The user is not identified.

>> MODERATOR: Important question.  Please.

>> LUIS FERNANDO GARCÍA: The questions say hello (phonetic) yes, of course. 


>> LUIS FERNANDO GARCÍA:  Yes, of course.  That's the contradiction between countries that say they're concerned about cybersecurity, but they are being one of the most ‑‑ or the biggest threats to cybersecurity by hoarding this knowledge and not sharing it with the people that can patch it and protect their users.  So definitely.  It's a big contradiction in countries that say the same two lines, I mean, we have to call them out that this is not consistent either.  You are either for cybersecurity or you are for hoarding knowledge about how to break into devices that everyone uses.

>> MODERATOR: Uh‑huh, thank you, Luis Fernando.  Raúl and then Paul.

>> RAÚL ECHEBERRÍA: Yes, this is a very pertinent question.  Of course, the answer is yes, as my colleague already said.  And, in fact, this is very important to consider now that there's a lot of discussion about the lawful hacking.  And, in fact, Europe have ‑‑ has some initiatives for lawful hacking, and I think that it is very important to include in those initiatives, no matter which country is managing that, that it includes the communication, the reporting to the manufacturers when they find some vulnerabilities in software or equipments.  This is essential.  As my colleague already said, if we have commitment with the security, it's important that we identify the vulnerabilities, report to the right sources.

>> PAUL NICHOLAS: Yeah, I think that question was fantastic.  You know, from a private sector technology provider, when governments hold vulnerabilities about your product to use for exploitation, it creates a dangerous imbalance, and I think that's a global imbalance.  Today we see many governments who are overinvesting in offensive capabilities, and there is not enough investment in defensive capabilities.  I think we need a multistakeholder dialogue about how do we move forward in this space. 

Someone earlier mentioned the concept of a digital Geneva Convention or some kind of norm‑setting effort that we begin to take on at an international level.  That's something that Microsoft strongly supports and is working very hard to try to open that dialogue with governments.  It's not an easy dialogue to begin, but it's one we have to have.

>> MODERATOR: Thank you, Paul.  And we can go to questions from the room, please, limit your question to one minute.  Thank you.

>> AUDIENCE: I'll make a quick point.  I am Rupindar (saying name) from Internet service provider, the association of India as well as on the executive council of (?).  What I would like to share here is I have got experience of working alongside the industry as well as with the government also.  Now, what I'd like to say here, it is absolutely right for a bank to protect ‑‑ to encrypt its data when it is doing its business.  It's absolutely right for a telecom company, when it is dealing with its customers, for an airline or for any other business when it is only doing the encryption for running its own businesses.  But ‑‑ but ‑‑ there is a rider here.  Now, suppose we are today living in violent times.  We have got ‑‑ a large part of the world, we've got governments which are democratically elected.  So let's not make the governments into some kind of Frankenstein monsters.  After all, they have been elected by us.  Now, they have got security agencies.  Those security agencies' job is what?  To protect its citizens.  So if they are to protect their citizens, well, we have got all kinds of people on the net who are out to harm various interests.  So if that is so, well, if the governments need to monitor the traffic, well, they need to do it.  It's for our benefit.  Thank you.

>> MODERATOR: Thank you, Rupindar, for your comment to which I would like to ask Moctar to react and then Raúl.

>> MOCTAR YADALY: I think the comment is good with regard to the government itself, however, not every government is as responsible as it should be.  Yes, we elect them sometimes, but they overpass their confidences, so we need to make sure that we have balances.  I am for the governments, if I may cite, but I believe also that on freedoms, and then the freedom of expression, but at the same time I believe in cybersecurity.  So we need to put some kind of security guard for everybody.  And to make sure that with the balance, we have system to control the government what they have to do, but at the same time we have to make sure that our security's taken care of.  Thank you.

>> RAÚL ECHEBERRÍA: This is a very good comment.  First of all, it's our position that most of the population of the world live under nondemocratic regimes, and all the democratic regimes are not equally democratic.  So this is what I tried to say before; it's very difficult to define who is good and who is not.  And democracy, by the way, is not a universal value.  So probably there are other countries that are not democratic that claim to have the same legitimacy on this.  But they (?) so it doesn't matter where we break the integrity of the information.  That's ‑‑ it has a global repercussion.  So it's ‑‑ it's ‑‑ this is the illusion that I spoke about.  If we think that one government, because it's a legitimate representative of the citizens, has the right to break the encryption and to access the data of their citizens, we are ‑‑ we are saying that any government can do it, and not only the government, as my colleague pointed out, the technologies are available, they're available for everybody.  We cannot just put the technologies inside of a safe box and available for only those that we want to use them.  So this is ‑‑ I say at the beginning, there are no options in between, it's ‑‑ encryption is something that you have it or not.

>> MODERATOR: Thank you, Moctar, and Raúl, please over to you.

>> AUDIENCE: Thank you, my name is Richard Wingford.  I'm from Global (?) in London.  And my question sort of links to a couple that were already asked.  But first I think it was important to note the trend that has been seen from some governments not to look at measures which necessarily weaken encryption itself but which undermine its use through lawful hacking or other forms of surveillance.  I think the Commission proposal referred to this, I think as alternative investigation techniques. 

So my question really is:  Should we be as concerned about these alternatives as we are about proposals which weaken encryption itself?  And if the answer is yes, are there ways they can be developed which would be consistent with human rights and the legitimate ambitions of government to protect us from crime and terrorism, and so forth, is there a solution that would satisfy all parties, do you think?

>> MODERATOR: Thank you, very much, Richard, if I got your name.  Well, should we be concerned, Riana, would you like to answer that?

>> RIANA PFEFFERKORN: So I would agree that we should be concerned about the use of government hacking techniques, partially for the reasons that Luis mentioned, which is that sometimes these techniques are used by the government acting in it's role as bad guys to crack down on journalists or even I believe it was proponents of (?) attacks in México that Luis did some excellent research about. 

One thing that I think differentiates the lawful hacking discussion from the encrypted discussion is that I think that we don't necessarily yet understand the full computer security ramifications of government hacking to quite the same degree as we do the ramifications of undermining encryption where we've had two decades or more of very consistent research and consensus from the cryptographic community about what those risks are.

So I think that that is something that definitely needs to be taken into consideration by governments that are ‑‑ try to deploy lawful hacking as a way of doing an end‑around around encryption rather than to try to break encryption directly. 

I think it is difficult to find a solution that satisfies all parties.  If it were easy, we wouldn't have to have a big conference like this.  And so while a number of cryptographers have pointed to it as a preferable alternative to back doors for encryption, I think that there is a long way to go before we can get to a place where people can be in any kind of agreement about that.  Where not only do we need to understand the security ramifications, but we would, at the very least, need some sort of multistakeholder‑informed policy or regulation that would govern the conduct of governments that use these measures, whether it's the German government or the Mexican government.

>> MODERATOR: Thank you very much, Riana.  Going to our online participants, now, Diego, Jamila, can I ask one of you, please?  Diego?

>> DIEGO:  Yes.  The question is the following:  Are back doors and other techniques as such effective to increase cybersecurity and protect human rights in tandem?

>> MODERATOR: Thank you.  Who would like to address this question, including speakers from other segments?

>> PAUL NICHOLAS:  I'm sorry, if I could understand the question, do back doors ‑‑

>> MODERATOR: Back doors and other techniques as such, whether they're effective to increase cybersecurity and protect human rights.

>> PAUL NICHOLAS: The answer to that would be no.  I think whenever you start to create those types of things in a product, you're creating something that you will lose control of.  It will be exploited by purposes that you do not intend to, and that has never been ‑‑ never been a good idea.

>> MODERATOR: Uh‑huh.  Thank you very much, Paul.  We have five minutes left in this segment.  So Vladimir Radonovich (phonetic) from the (?) Foundation, can you be concise?

>> VLADIMIR RADONOVICH:  Coming back to reality.  So we've been talking about the government capabilities for offensive actions and so on.  There are many information about that.  We just did the mapping of about 20 countries which actually officially say within their form of (?) that they have these capacities.  We'll published that map later today, that digital watch. 

But my question is:  If that's a fact, can we actually expect that the countries are going to step back?  And out of those 20, we have all the nuclear powers and many more across Europe, Africa, and so on.  Can we expect that they're going to hear us and step back?  Or what is the best alternative that we might possibly ask them to do if they're not going to step back? 

We've seen the U.S. publishing the vulnerability disclosure process.  Is that something?  We've seen Switzerland at least saying how they might be using and what circumstances offensive cybercapability; is that something?  What the IGF can possibly do or what is the other field that can possibly do to impact that process?  Thank you.

>> MODERATOR: Thank you very much, Vlada.  Mr. García, then Mr. Echeberría.

>> LUIS FERNANDO GARCÍA: I think if governments are acquiring unprecedented powers to surveil people, they have to accept unprecedented accountability and transparency about how they use ‑‑ I think it's a basic trade‑off that they need to accept.  They cannot just hide under the national security phrase and expect that they can use these huge powers in the same secrecy ‑‑ secretive manner that they have. 

If we want to go forward with this and governments want to have these powers, they need to be way more transparent about how they do things than they have before.

>> RAÚL ECHEBERRÍA: Yes, exactly.  I still dream with peace in the world, even the fact that it looks difficult that some countries give up from developing nuclear weapon.  And it's the same.  We say we don't have to accept those technologies using for surveillance.  This is something we have to condemn.  Even if countries are ‑‑ now have the capacity to do it, yes, I ‑‑ I hope they stay back, they stop doing.

We have to work with and find solutions for law enforcement agencies, that is a different thing, but protecting the trust on the Internet.  And as Luis said, if some agencies use ‑‑ support lawful hacking, they should be much more transparent.  We already covered that in a previous question.  They should report the vulnerabilities they report and they should report all the technologies they ‑‑ all the capacity they have.

>> MODERATOR: Thank you very much.  Can I ask the two of you to ask telegraphic questions so that we can tackle them both?  Please start and introduce yourself.  Thank you.

>> AUDIENCE: I'm from Ecuador.  Could we (?) some kind of international instrument in order to, you know, make the government but not only the government, but the companies, the companies accountable, but about what they are selling to our countries?  I mean, thinking about hacking team ‑‑ and color, by the way, for the guy in India, our e‑mails, even mine, were published by the public ‑‑ the government media.  So we are not terrorists.

>> MODERATOR: Thank you, Marta.  Please.  We will collect these two questions and then tackle them together.

>> AUDIENCE: Hi, I'm (saying name) from (?) but I'm speaking in my personal capacity.  I would like to follow the same reasoning that was made Luis Fernando in order to expand our perspective what is at stake on cryptography, because I remember from (?) analysis two, three years, or four years ago, there was a strong interest debate on that retention, and seems that now the public debate on cryptography is blurring the important debate that the data rotation should have the same protection as the content of our communication.  So I would like to know some thoughts on that.

>> MODERATOR: Thank you very much.  Going to Moctar to answer Marta's question on international instruments.  So what should we practically do?

>> MOCTAR YADALY: Well, first of all, let me comment on the previous things with regard to the governments sharing or backing on what they're going to do.  And this is my ‑‑ I'm speaking in my personal quality that I don't think that any government today, no institution will be sharing any information with regard to what other capability they do have.  Rather, we're entering into what I would call a cyber race.  And everybody will be trying, actually, to make sure that its cyberdominance, actually, is really on top of things.  We are actually ‑‑ I see a bit of a cold war happening with regard to the cyberspace.

So having said that, trying to do some kind of international regulations with regard to these kind of things is, same thing, trying to have a convention, internal convention on cybersecurity or on Internet Governance and which is actually ‑‑ the moment we open the door for these kind of alternatives, we are entering into a very critical situation that probably will trigger the entire concept of Internet as its place for freedom and for innovation and creativity.  Thank you.

>> MODERATOR: Thank you very much, Moctar.  Reacting to the second question, Paul, please.  What is at stake at a public debate with relation to cryptography and data retention?

>> PAUL NICHOLAS: So in terms of ‑‑ I might alter that slightly.  There was the question about do we need some sort of international instrument.  I need to speak into the mic, sorry. 

In terms of that, I do think there is a lot of discussion and positive direction.  It has to start first with the development of actually norms and normative behavior in this space, both for governments but also for the private sector, that's the only way we're going to make progress in this.  Long‑term we probably do need an instrument, but we're a long way away from that happening.

>> MODERATOR: Yes, sorry, we misunderstood each other.  I thought you wanted to comment on the second question, but you commented on the first one first.  Fine.  So could I ask you, Luis Fernando, to comment quickly on the second question?  And then we will close this segment.

>> LUIS FERNANDO GARCÍA: Yes, I would just say that it's a similar problem, that intervention is a similar problem to the ones that we've been discussing.  When an intervention is discussed, it's says it's just ‑‑ we're just storing information about a lot of people, but limited access to that data, and again ‑‑ again and again ‑‑ it has been proven that when you create this and you amass this ‑‑ these huge amounts of data, they end up being accessed by actors that you were not thinking they were the ones that were going to access it. 

So we really need to think about ‑‑ about ‑‑ see history and see what's ‑‑ I mean, many of these things are ‑‑ we're expecting them to happen.  If you store all this information, it will get leaked.  If you ‑‑ you hoard vulnerabilities, they will get stolen and be used against you.  And we need to go forward.  And if governments won't accept transparency, then we can't accept them having these powers.

>> MODERATOR: Thank you very much, not only you, but please join me in thanking Paul, Riana, Raúl, Luis Fernando and Moctar for their insights.


>> MODERATOR: And we will again need to have a speaker reshuffle, so please take your things.  Thank you.  And I would now like to welcome the speakers for our last, third segment on data flows.  I would like to welcome here Vint, Stefania, Fiona, André, and Stefan.  At the same time, I think we should be fine with the seats for Anne and Bertrand, so feel free to join us as well. 

Thank you for those who have joined late, welcome to the main session dealing with local actions and global impact in the field of Internet disruptions, encryption, and data flows.  This is the third and last segment dealing with data flows. 

Data clearly is crucial for human security.  As we know, there are many businesses that rely on data, International Corporation for Development also relies on data to increase the effectiveness in which we can also think about the sustainable development goals.

And I would like to start this session by giving the floor to Mr. Vint Cerf who probably needs no introduction, but still, for the records, I would like to say that he's the codesigner of the TCP/IP protocols and the architecture of the Internet.  He began his work at DARPA, the U.S. Department of Defense Advanced Research Projects Agency, playing a key role in leading the development of Internet, Internet‑related data (?) and security technologies.  Since 2005 Mr. Cerf has served as vice president and chief Internet evangelist at Google and he also helped form ICANN. 

Mr. Cerf, it's a pleasure to have you here.  Could you tell us more about what are the desirable properties of Internet ecosystem when it goes to data flows?

>> VINT CERF: Well, let me start out by making an observation about the value of being able to distribute information around the world through the Internet.  Today Cloud‑based systems are used to do a great deal of computation and provide services to people.  And the value of being able to distribute that data freely is important because it allows us to replicate the data, to preserve its integrity, and to assure that it isn't lost.  And a regime in which one is inhibited from moving data from one data center to another across international borders, the ability to protect that information is going to be inhibited or reduced.  And so freedom to move data around the world I think is a very important feature.

The second thing, with regard to the previous segment, is that there's a great deal of insecurity associated with moving this data across borders in the absence of encryption and strong authentication to assure access control and to assure confidentiality in the transfer of the data, and, in my world at Google, we also believe in encrypting the data once it is at rest in order to protect against its exposure should someone manage to penetrate into the storage systems. 

There's another element associated with transporter data flow freedom, and that has to do with the ability to simply interconnect.  This notion of being able to link anything to anything else on an end‑to‑end basis is, in fact, a core element of the organic expansion of the Internet and the evolution of Internet‑based applications protocols. 

As we watch the Internet, things evolving, despite the fact that some of us are very concerned about its potential abuse, the casual ability to say I can connect this thing to any other thing on the Internet has been quite a powerful tool because it has allowed applications to be developed without too much concern ahead of time with whether or not connectivity is feasible.  And so by removing that concern, we create all kinds of applications that would otherwise not be possible.

Finally, with regard to transporter data flow and its inhibition, as soon as this becomes a practice, then we not only risk but we almost assure the fragmentation of the Internet.  And the thing which makes the Internet so valuable is precisely its connectivity and the ability of anything to reach anything else.  And so a fragmented Internet isn't the Internet anymore, certainly not in the sense that my colleagues and I have conceived it. 

So I think I will stop there, Madam Chairman, because I know you have much to get done.

>> MODERATOR: Thank you, thank you very much, Mr. Cerf, for setting the stage for the discussion on data flows, and we will now continue in our discussions from perspectives from various stakeholder groups.

And if you'll allow me, I would like to start with Mr. André Laperriére, who is the executive director of the Secretariat for global open data for agriculture and nutrition.  And during his career, he's led numerous large‑scale projects on behalf of both private corporations and within the United Nations. 

André, how has data been used in different countries and by intergovernmental organizations, from your experience?  You have four minutes, please.  Thank you.

>> ANDRÉ LAPERRIÈRE: Thank you very much.  Sorry.  Thank you very much.  Actually, the world is full of very creative, very smart people, so as part of GODAN, we are now in just about every country around the world, from Argentina to Australia, having partners dealing from genomes to satellites.  And what's very interesting is to see at the national, regional, and international level, how people can combine their skills, ideas, and how to best share, combine, synergize data together for innovation, food security, and improvement of quality of life of all. 

I'll just share with you some examples.  First ‑‑ this is just a personal observation ‑‑ in my lifetime, as yours, I guess, we went through three quiet revolutions which are really changing the shape of the world. 

The first one was, of course, the Internet because the Internet connected the world together, so that was an important thing. 

The second were intelligent phones.  Intelligent phones brought the Internet and everything that goes with it, Internet banking, transactions, even in the most remote places where there were no phones, there was no electricity, so people just came up with honky‑tonky generators or other ways to recharge their phones, and now they're doing business in the most remote parts of the world. 

The second ‑‑ the third revolution, rather, is really the culmination of this and it's open data.  That's what we promote as a key tool to promote innovation and agriculture, nutrition, and business in general.

And governments are following suit.  We have many governments as part of our partnership, as well as private sector entities, and we see them opening up data, making it available to their citizens which pay for it, in any case, through their taxes, but also because it's good for business.  Now we have banks that are getting involved in open data.  So one of the most conservative environments, as ‑‑ as far as it used to be.

Big data, which used to be the privilege of big companies, big countries, rich ‑‑ the richer world, is now available through many different forms, to small farmers in very local areas.  I'm thinking of examples, applications such as Wheat Scout or Plant‑wise which allow farmers in the most remote parts of Africa and of Asia and other parts of the world, when they see a disease coming to their maize, or whatever they're growing, they can just take a picture of it, and through artificial intelligence, in a fraction of a second, the disease is identified and they get feedback as to what they should do with it.  And I'm skipping, of course, weather data, which is becoming more and more important in the light of climate change, where they have to adjust the way they do farming. 

So these are some examples.  But technology is allowing these countries around the world to leapfrog some development steps.  The mobile phones was an example of this.  But at the same time we see other things happening because in one way there was a brief period where technology went faster than the human capacity to absorb it.  I'm think of geodata, for instance, which is extremely important, especially for small countries and others which struggle to afford and to manage things such as basic surveys which cost a lot and take a long time and sometimes have to reach places which are difficult to access, yet geodata is just massive.  So until a real short time ago, you needed very large equipment and very highly qualified technicians to be able to handle it. 

Now through user‑friendly research engines and local applications, you can just access the data that you need.  You don't even need to download.  At most times you can just process it within the Cloud.  So technology is allowing access to this big data, to this big Cloud that was only reserved to the few before.  So that's one thing we find.

So this leads to a few things.  My colleague before spoke about encryption, but beyond that, there's the issue of privacy.  Of course, the more you open data, the more the question of privacy and ethics related to privacy comes up.  And we see a lot of initiatives in various countries around the world and in private sector, where this is discussed in very large ways and where ethics codes are being developed and other means, but yet there's another element that links to that which has to do with anonomization ‑‑ that's hard to pronounce ‑‑ of data as well as the curation of data, which is another obstacle for local countries to overcome when they deal ‑‑ when they deal with ‑‑ with data.  That will enhance the importance of building sound business models, which is one of the things that we, as other international organizations, try to do to help them.  There are many others.  There's data‑chasing, other ways that ‑‑ to overcome the fact that you have to chase data constantly or to feed your databases.  And the reason why you have to do that is because there's not enough, maybe, return to those who provide the data, it has to be a balance. 

Later in the discussion I hope I have a chance to give you examples of what is being done in Thailand and other places on that.

>> MODERATOR: Thank you.

>> ANDRÉ LAPERRIÈRE: I have only four minutes so I'll just hold it there, but I hope there will be some questions because I have many exciting things to share with you. Thank you.

>> MODERATOR: Thank you, André, and sorry for the pressure.  We certainly will hope to get to the Q&A, that's why we want to limit the interventions to four minutes.  Thank you. 

I will now go to some perspectives from the academia.  And I would like to ask Ms. Stefania Milan, who is the associate professor of new media and digital culture at University of Amsterdam and also an associate professor of media innovations at the University of Oslo.  Her research explores the interplay between digital technology and activism and social movements, in particular, in the space of cyberspace governance and data epistemologies. 

Stefania, we're sitting here at the IGF so coming from the context of the Internet Governance Forum, can multistakeholder dialogue be useful for the problems that we have met here and is the current model actually fit for that? 

>> STEFANIA MILAN:  Thank you very much, Tereza, and to all the organizers of this very rich session so far.  So I would like to address a little bit of an abstract question and a different way of thinking, the relation between local and global, I mean, what we are trying to discuss in this session today. 

So when we talk about data flows today, we cannot ignore that there are sort of new data controllers and new ways of translating data flows into practice.  And here I refer to the role of platforms such as Twitter and Facebook.  And I don't want to single out any of them particularly, but I'm just finding examples to help you think about what I'm talking about. 

So these social media platforms increasingly mediate our relations as well as various transactions, including, for example, economic transactions.  And what's more, for most of the younger generation, for example, my students, platforms are today the Internet, really.  And not just in developing countries, where maybe, you know, you have different versions of, you know, different limited options.  Universities, including one of the ‑‑ the one where I work, often force students to be, for example, on Facebook to interact with their teachers.  And so we entrust all these platforms with a lot of, you know, private data and private relations as well. 

One of my colleagues in Amsterdam, Annie Hellman (phonetic) has called it the platformization of the web to indicate ‑‑ and I quote ‑‑ the rise of the platform as the dominant infrastructure and economic model of the social web. 

What is it about?  Well, it's about the extension of social media platforms into the rest of the web and their drive to make external web platform‑ready.  Think, for example, about how Facebook and Google have become identity‑providers.  And, for example, you need to have one account, you know, with these companies in order to access many other services like, for example, public wi‑fi networks.

Now, we already heard in the very opening of today's session from Melody Patry, if I remember correctly, that the State, what concerns and disruption remains the main actor there, and the fact that in many countries the State regulates ‑‑ I'm sorry ‑‑ instructs regulators, somehow blows up, jeopardizes the multistakeholder model.  And this is true, and I believe it also is increasingly true when it comes to, you know, platforms and private companies.  They are playing a dominant role in the data market.  And I believe that this is a very important question for a space like this one today, Internet Governance in general. 

So if your server (?) rise of self‑regulation and private contracting and this privatization and data flows and data management stays largely outside the multistakeholder model, these are gray areas which is often inaccessible to final users, we need to interrogate whether the current model that we are so fond of, because we play it and we have seen it be very effective on many occasions, is indeed what we need looking forward.

So really we ought to ask ourselves whether current Internet Governance mechanism, most notably multistakeholder model, are fit for the challenge.  Take, for example, the terms of service.  These are, as they should be, because this is, you know, something that regulates access to a private space like someone else's living room, these are private agreements between users and platform owners, and they are well beyond the (?) in the regional stakeholder debates. 

So what does this all mean for Internet Governance framers and processes, do this type of regulation is accompanied by adequate safeguards, for example, the same safeguards that, for example, governments abide to and the national, international policy, what is changing there, in a way.

And in order not to conclude ‑‑ so it's a bit of a gloomy picture that I've painted here.  I believe we have a major, major challenge ahead of us that we really should think about.  Many of these companies luckily are here with us.  But we also know that people that might not be here with us might be actually the ones who actually ‑‑ actually, in the end, create the infrastructure or set the rules for their enjoyment. 

So what's the way for the world to be less ‑‑ you know, to be a little more optimistic and not just paint a gloomy picture?  Well, I mean, it's nothing new.  We've already heard it in the two hours that preceded this section of this session.  So more transparency, we need more transparency on the side of the companies.  We need more literacy, which is something that really has not really come up yet.  And that's also something that a multistakeholder model can do as such, but I think it's a space that is something that (?) anyway and very much concerned with and also many of the players are sitting at the table today, and ultimately something ‑‑ and I'm sorry to repeat it again, but as the last session, you know, it's sort of inevitable not to repeat things, we need much more accountability mechanisms.  That goes in various directions.  And ultimately I do believe that we need to rethink a bit the multistakeholder model.  Thank you very much.

>> MODERATOR: Thank you very much, Stefania, also for bringing some insights from your research.  Let's take an advantage of the fact that we will have some perspectives from the technical community here, and I would like to ask now, lady on my right, Ms. Fiona Asonga, who is the CEO of the Kenya Internet Exchange Point and the Telecommunications Service Providers Association of Kenya.  Her role involves ensuring Internet uptake locally and value addition and the use of the Internet to the local community. 

Fiona, we have been speaking or will be speaking even more about the use of data in different countries.  Give us some perspectives from Kenya.

>> FIONA ASONGA: Thank you very much, Tereza.  Good afternoon, everyone.  We have basically looked at all the issues (?) for data transfer that are important for data flow and data sharing, and the Kenyan perspective is that ‑‑ two ways, there are two ways of looking at it.  One, from a government point of view, where government has gone full throttle to ensure that it's able to offer services online, and, as such, business has had to adjust their strategies to be able to look at the opportunities that this provides and to align a free team (phonetic). 

So having done that since 2015, in 2014 we found ourselves ‑‑ sorry ‑‑ 2016, we found ourselves with having to put together a multistakeholder group that developed what you call in Kenya the ICT Master Plan.  And in that document we have looked at how we can work together with government, as private sector with government, to ensure that government is able to access the data that it needs digitally, bearing in mind that governments have collected these data over years in manual forms, whether it is a death, birth, marriage, asset ownerships, all of these datas are regulated by governments.  The only difference is that when it now gets to an online space, it has to be handled differently. 

And so what we did was to put in place mechanisms to ensure that you could first get all this data online, and the government began to offer services through a platform we call Uduma services, Uduma means help.  And basically government is helping the citizens get access to government services and what we call the Uduma centers that are spread out across the country.  At these centers you have the opportunity to clarify your birth and registration of birth, registration details, you have the opportunity to register your children who are born, to register a marriage, to pay for your business licenses, to pay for your electricity, water bills.  So you sort of have ‑‑ like in Nairobi, which is the largest county and the most advanced county, it's a one‑stop shop for all your electronic government business transactions.  So the government is already collecting this data. 

What has private sector done?  Private sector's participated in ensuring that the standards and credentials of how that data is handled are right.  So we have sat down with government very clear with processes, internal standards on how ‑‑ who should access the data, how should the data change, how should it be handled.  So that when I register my car, someone else doesn't go in and change my car registration details and give themselves the car. 

So even transferring an asset, it's very clear how the transfer has to be handled.  If it is land, it's very clear how that has to be handled.  And the rules that have been put in place so far have been followed over the last two years that the Uduma service centers have been operational.  And that has demonstrated that we are able to work together in a multistakeholder arrangement to ensure privacy is adhered to, yet the debt is still available for the respective government agencies that need to access.  So the fact that someone is a civil servant doesn't mean they have access to the data.  They have to be authorized, they have to have the right credentials.  In the absence of that, then they have breached ‑‑ it's a cybersecurity breach and they get dealt with like any other civilian who would be found hacking into the databases.  So we are very clear on how that is handled, and this has enabled us to be able to improve and expand the system.  We have a digital learning program that enables our educational content to be available online, for the teachers to be able to access and the students to access and to do this online, and as such, even when we had the examinations, as opposed to as having to shut down the Internet because we had challenges with exam leakage, we told the security agents to just make sure no enter the exam room with electronic devices because you don't need them in the exam room.  And this is an example of how we've been able to work and ensure that the right data is handled by the right people, is used for the right purposes, and the Internet solves and the technology solves what it's supposed to be solved in the right way. 

We know there may be challenges, but even then, the challenges are easier to solve when we're working together at private sector, business, technical community, and the government in one full‑on goal.  Thanks.

>> MODERATOR: Thank you, Fiona, for the perspectives from Kenya.  Very relevant for our discussion. 

Going to another country perspective, I would like now to ask Mr. Stefan Schnorr to take the floor.  Before I do that, we will have our Q&A session after Stefan's contribution.  No, I have not forgotten that Bertrand and Anne are sitting with us, but they will then provide a kind of conclusion covering all segments after the Q&A dealing specifically with data flow. 

So if you want to ask your question, in case you've come late, let me remind you that we have a queuing system, so you should come here to my right to ask your question or give us a comment.

Now, back to the session flow on data flows, Mr. Stefan Schnorr leads the department of digital and innovation policy at the German federal ministry for economic efforts and energy.  He has been at the ministry since 2010 and leading the department since 2014. 

Stefan, in Germany can you tell us a bit more on the approaches and your flow in Germany on the free movement of data and data ‑‑ data protection?  And please elaborate also on the local to global aspects.  Four minutes for you.

>> STEFAN SCHNORR: Tereza, thank you very much.  It's a great pleasure for me to be with you today. 

The principle of free movement of data is indeed essential to Germany.  Our strong economy and our export‑driven economist depend on the free flow of information around the globe.  Our democracy, which is underpinned by the rule of law, depends on the free flow of data for lively debates and discussions and to allow people to form an informed opinion.  Civil Society work and support of our own people, environmental protection, neighborhood aid, and many other causes depend on the free exchange of information.  Our strong science community in Germany also depends on being able to network with our colleagues around the globe whenever they need to do it.  And our development and humanitarian actors need the free flow of data to fulfill their important tasks around the world.  This is why we support the principle of having a free and global movement of data similar to what has been set out in the agreements on the free movements of goods, services, and capital.

But we also have to protect our citizens' legitimate interests when it comes to data protection and security.  What role can international organizations play in this situation?  Are they a part of the problem or are they a part of the solution?  I want to highlight these questions with the example of the European general data protection regulation.  It has been argued that European Union is stopping the free flow of data because the GDPR regulates data exports in sort (phonetic) countries.  Our understanding is that a high level of data protection and data security is a precondition for free flow of data and not a barrier to it.  The GDPR explicitly provides for the principle of free movement of personal data within the European Union, and the GDPR also provides for personal data to be transmitted into states outside the European Union, however, this is subject to the following conditions: either the European Commission must have found that the sort (phonetic) country provides for a sufficient level of data protection, or the private sector companies involved must take security safeguards that have been approved by the data protection authority or the requirements must have been met in another way, in particular ‑‑ particularly by a contract covering the flow of data or by consent given by the person whose data is affected.

The example of the GDPR shows that European and international organizations can help to strike a good balance between the need for a free flow of data and data protection which are both very important.  Once the GDPR enters into force in May 2018, we will see where further adjustments may be needed to guarantee just this balance.  To work out this, the government will depend on the input of Civil Society, industry, and science, and the Internet Governance Forum is, in my opinion, just the right place to discuss it.  And this is why Germany has applied the host ‑‑ to host the 2019 IGF conference in Berlin and also, very important, in June 2019, my ministry, the Federal Ministry for Economic Affairs, will also host the Internet Jurisdiction Conference, and Bertrand de la Chapelle is here with us. 

We are convinced that this meeting will deliver important outcomes that can feed into the IGF 2019, so we have a lot of work to do up to 2019, together with you and together in the multistakeholder approach.  Thank you.

>> MODERATOR: Thank you, thank you very much, Stefan, for giving us also the outlook of the discussion, how they can be taken forward, the IGF in Germany in two years.

While you are making your way, the participants, to comment or intervene in the session, to the microphone, up front, Mr. Cerf has alerted me throughout the session that there is one important aspect that we haven't touched upon in the debate yet.  Please.

>> VINT CERF: Thank you, Tereza.  This has to do with integrity; in addition to protecting access to the data, making sure the data isn't altered is important.  Toomas Ilves, the former president of Estonia, makes the point very simply.  He says that he's not so worried about other people seeing his medical information, he's worried that someone will change his blood type in the records so that if he needs a transfusion, this might be fatal. 

So I want to emphasize how important it is for us to keep in mind that the integrity of information is just as important as its ability to cross borders and be accessible.

>> MODERATOR: Thank you very much.  I would like now to ask our online moderator, Jamila, to please ask a question from the remote participants.

>> JAMILA:  Thank you, Tereza.  This question has a strong link between this session and the previous one on encryption.  It asks why governments are beginning to understand that weakening encryption brings security threats and harms human rights.  Some are moving toward surveillance through meta data.  How can countries develop proper safeguards to this type of surveillance once meta data can also review sensitive information about citizens?

>> MODERATOR: Thank you.  The question of meta data and the government's responsibilities in this respect.  Are there speakers at this panel who would like to address this?  Speakers from the previous two segments are very welcome to do so too. 

I will first ask André and then you, Mr. Cerf.

>> ANDRÉ LAPERRIÈRE: Encryption is a very important issue because it has to do with a couple of things.  One, it has to do with the protection of data, which, for legitimate purposes, is ‑‑ is reasonable and the misuse of encryption for not so legitimate purposes which is, I think a different kind of issue. 

But I'd like to say a word on the importance of protecting privacy, protecting data.  We often have discussions with ‑‑ especially with commercial or research entities for which recuperating their initial investment in research is the only way for them to reinvest again and further research.  So there has to be a mechanism to protect that kind of privacy, which is not necessarily encryption, it can be some other mechanism, in fact, which I think would be more transparent. 

And second, the individual protection.  I appreciate your flexibility in disclosing your medical records, but some people don't feel equally comfortable about that, and, I mean, it's a matter of being able to choose, to have some control over your personal data.  And for this we encourage private companies as well as governments and Civil Society to be more aware of this, to insist on ethics codes, and as far as governments are concerned, because they do have a lot of information on their citizens, so to have a basic set of rules that will, while allowing the aggregation of data, aggregation of medical data is important to detect epidemics, for example, but while protecting individual privacy.

>> MODERATOR: Thank you very much, André.  Vint?

>> VINT CERF: So this is a tricky problem.  Meta data is sometimes considered to be somehow anonymous or not revealing of any particular entity, and yet we also know about the reidentification problem where data, which appears to have been anonomized is reunited with information outside of that database in order to recover the identity of the party about whom the data refers. 

I don't have a magic wand to fix this problem, and I think, in fact, the computer science community says this is an unsolvable problem, that if you do have extra information which you can recombine with the data then you are capable of revealing personal information. 

So I don't think that we can separate the meta data problem from the more general problem of protecting personal information and otherwise anonomized information.

>> MODERATOR: Thank you.  Thank you very much for that.  Please, if you can introduce yourself briefly.

>> KATHERINE TOWNSEND:  Katherine Townsend, African Open Data Collaboratives.  I wanted to ask the whole panel, probably Dr. Cerf a bit, about the role of the government's responsibility in ISP regulation and Internet company regulation with net neutrality.  As has just happened with the United States, that's affecting data flows and that's affecting the kinds of business growth that can happen particularly for small businesses, and the implications, as we said, of even if you're a democracy and if you're a leading country and you promise that you will have ‑‑ that you will respect people's rights, that other countries will easily follow suit.  So what is the implication for other countries and what can a global community do to protect?  Thank you.

>> MODERATOR: Thank you very much for this timely question.  Mr. Cerf, please.

>> VINT CERF: I'm not sure that I'm happy to be the beneficiary of that question.  First of all, I would argue that the battle is not over.  The whole question of net neutrality, which is a question that varies from country to country, so we should be very careful not to misunderstand the use of the term "net neutrality" as interpreted in different parts of the world, but in the U.S. net neutrality was largely to do with inhibiting anticompetitive behavior in an environment in which there wasn't very much competition among the providers of broadband service. 

And as all of you know, the FCC made a partisan decision, partisan vote, to eliminate the net neutrality provisions that the previous FCC had introduced.  There is very clear evidence that responses to that are already under way; in some cases lawsuits, in other cases the application of what was called the Congressional Review Act which would essentially allow the Congress to examine the decision made by the FCC.  There's even another possible outcome which is the introduction of legislation to change the Telecom Act which governs the FCC's responsibilities to incorporating new title that's specific to Internet which might incorporate the net neutrality provisions which had been erased.  This is really an issue all around the world in various and sundry forms, and it's one that I hope we do not give up trying to introduce it in forums that will ensure freedom, access to the Internet and essentially avoid inhibiting that freedom.

>> MODERATOR: Thank you very much.  Stefan?

>> STEFAN SCHNORR: Yeah, thank you very much.  I also think that net neutrality is one of the key points for the free Internet, and I absolutely agree with what Vint said.  As you know, we also had in Europe a very intensive debate about net neutrality, and since 2016, we have new ‑‑ the first net neutrality regulation, and this is complemented by guidelines by BEREC, the body of European regulators. 

This legal framework guarantees for Europe the equal treatment of all data, but it also allows expections (phonetic) within very narrow limits such as traffic management.  The European legal data must prove now that they're future oriented and cover the current and future requirements.  The commission, the European Commission, will give a report about their experience with this regulation in May next year. 

In Germany we have the first case now, we discuss about net neutrality, which is an offer from Deutsche Telecom, it's called Stream On, and it's a zero rating for video and music streaming.  And the problem is that our national regulatory authority wants to forbid this offer from the Deutsche Telecom. 

There are two points:  First, you have a zero rating only in Germany but not in whole of Europe.  And we have a roaming regulation in Europe, roam like home, so you have to give the same possibility in other European countries.  This is the first point. 

And the second point is that in this system ‑‑ and this is very interesting to discuss ‑‑ the data transfer rate for video streaming is reduced to 1.7 megabit.  And so ‑‑ in some tariffs, not in all tariffs of the telecom.  And so we have the discussion if this straddling of the data transfer is in ‑‑ is allowed within the net neutrality regulation, and our regulatory body, the Bundesnetz‑agentur, says no, and the Deutsche Telecom says yes, and now the courts ‑‑ the courts have to decide this very important question.  And I think this is the first ‑‑ in my opinion ‑‑ the first discussion we have about net neutrality regulation, if it works or if it not works, and the courts have to decide now.  And I think the commission will take this into account when they give their first report next year.  So the discussion is very intensive, and we will have to look.

>> MODERATOR: Thank you very much for that.  With your intervention here, I would like to close the data flows segment and now would like to ask our two last speakers to reflect on all three previous topics that we have covered here: the issues of Internet disruptions, the issues of encryption, and the issues of data flows. 

I would like to ask Ms. Anne Carblanc, who is the principal administrator in the Information Computer and Communications Policy Division at the OECD where she has been responsible for policy issues concerning the protection of personal data and privacy already since 1997, and was previously also a judge in charge of criminal investigations at the Tribunal of Paris. 

Anne, we have tackled free issues here, but are actually not all these topics that we discussed about data flows?  And what is the role of international organizations in tackling these issues?

>> ANNE CARBLANC: Thank you very much, and welcome to all. 

>> MODERATOR: And sorry to interrupt, seven minutes.

>> ANNE CARBLANC:  Thank you.  Well, it was a very interesting session.  And now that the issue is about what international organizations can do to improve strategies, outreach, and effectiveness in the three areas that were discussed. 

I would start by saying that first these international organizations can help in terms of process.  Why?  Because, by definition, international organizations operate in a multilateral fashion, that the OECD, we bring together member countries, observer countries, Civil Society, business, trade unions, and the technical community.  And this collaboration in the policy world provides the flexibility and the global scalability which is required to effectively address digital transformation policy challenges.

OECD work is driven by committees, and these committees consist of representatives from these different stakeholders.  OECD is also a consensus‑driven organization, and it's policy recommendations are the result of collaborating including efforts very often called soft flow (phonetic). 

Now, in terms of outputs ‑‑ and I will speak only for my organization at this point ‑‑ but I would like first to start by saying that if we take a broad approach, from our perspective at the OECD, the three topics discussed in this session ‑‑ so Internet disruptions, encryption and data flows ‑‑ are all related to Internet openness. 

Openness is vital for the Internet to provide all its benefits.  The Internet was fundamentally designed to be open and global which has enabled it to become an engine of economy growth and innovation. 

The Internet can be open in multiple ways and to varying degrees.  Did I mention the openness include technical ‑‑ we had some examples ‑‑ economic and social factors, such as market conditions, governance, legal environment, we discussed privacy, procedures, and human rights.  Openness is influenced by the decisions made by all actors; governments, but also businesses and individuals.  And openness is also influenced by the multistakeholder process that drives much of Internet policy‑making. 

Among the pressures and the trends which affect openness, we can count Internet disruptions, tensions around encryption and data flows, and all three issues have the potential to greatly affect, positively or negatively, trust in the digital era.  Support for Internet openness is grounded in a council recommendation of the OECD which dates back to 2011 called Principles for Internet Policy‑making.  This instrument includes a consensus view that Internet openness leads to economic and social benefits, and it identifies a suite of mutually reinforcing goals for promoting the openness and the dynamism of the Internet. 

One of the implications is that Internet disruptions such as deliberate shutdowns by government impose economic and social costs on economies and societies.  A targeted study by the OECD done in 2011 on the economic impact of shutting down Internet and mobile phone services in Egypt showed that the direct economic effect of a five‑day shutdown was a loss of 90 million U.S. dollars or between 3 and 4% of Egypt GDP on an annual basis, and this only refers to the revenues that were lost due to the blocked telecommunications and Internet services.  It didn't take into account the secondary impact that was suffered by loss of business. 

I take from the discussion on this issue of Internet disruption that there is a need for action at national, regional, and at global level.  Because there are significant economic and social consequences stemming from Internet disruptions, the OECD could contribute to a multistakeholder effort to keep one global Internet and to protect it from disruption through mechanisms that would include and ensure transparency, proportionality, and due process, including recourse and redress, all basic requirements which are in line with OECD fundamental values, so I thank very much André who commented on the recent call for protecting the core of the Internet, but maybe it's not only the core of the Internet that needs to be protected from disruption so we stand ready to help. 

OECD has also developed soft low instruments directly relevant to the topics that we discussed.  All these instruments developed with all stakeholder aim to find a balance, an appropriate policy mix, and you all know that compromise is always the essence of, I would say, success, at least, or progress.

For example, the OECD cryptographic guidelines which were developed 20 years ago, 1997, and have been reviewed on a regular basis, provide an international consensus on how to promote the use of cryptography to foster confidence in the digital environment without unduly jeopardizing public safety, law enforcement, and national security.  I'm sure you recognize the two branches of the balance. 

Its eight principles were developed following very intense discussions among all stakeholders.  These principles recognize that national cryptography policy may follow ‑‑ may allow, sorry ‑‑ lawful access to plain text, to cryptographic keys, or to encrypted data.  But they also say that these policies must respect the other principles in the guidelines to the greatest extent possible, including that cryptographic methods should be trustworthy. 

The guidelines also underline the liability issue, saying that whoever has access to cryptographic keys should become liable in case of security breach affecting the keys.  And they also bring the need to respect privacy and the right to choose cryptographic methods as well as the need for international cooperation to avoid that cryptographic policies become an obstacle to trade.

Another example of an instrument is the council recommendation on digital security risk management, and this was stressed by Microsoft, Mr. Nikola, who said that approaching digital security solely from a technical perspective doesn't work; you need to include social and economic considerations.  And that needs to be part of a decision by ‑‑ for instance, in companies, the boards.

In terms of the discussion, what I took was that the question of how to enable law enforcement access without undermining trust is still the key question.  But so far, in practice, nobody has identified how to provide law enforcement access to encryption keys without damaging trust in cryptographic methods.  So OECD agrees with ISOC that collaborative security is likely to be the way forward, and this could be an element to add to the recommendation in the future.

>> MODERATOR: Thank you.  Thank you very much.  Sorry, sorry, sorry for the pressure.  Thank you very much, Anne, for your reflections and sharing the work for your organizations in this respect. 

I would like now to go to Mr. Bertrand de la Chapelle, who is the executive director of the Global Multistakeholder Policy Network, Internet and Jurisdiction.  He's the former member of the board of directors at ICANN.  He was France's thematic (phonetic) ambassador and special envoy for the information society, participating in all with his follow‑up activities in IT process. 

Bertrand, please try to reflect on what we have discussed in this session and help us, looking forward, on the issue ‑‑ on the question of what are the solutions, where to go from here.  You have seven minutes.  Thank you.

>> BERTRAND de la CHAPELLE: Thank you very much for a lot of people here.  It is an amazing feeling to be in this particular room where we have spent so many hours during the preparation of the World Summit on the Information Society, the CSTD sessions, and so on, and at least there has been an incredible improvement which is that the furniture has been dramatically changed.  

Anyway, I hope the substance, and I think the ‑‑ more seriously ‑‑ the session that we just had shows clearly an element of improvement because I think the way the problems were addressed was significantly different from the way it has been addressed in the past.  And I want to highlight a certain number of elements, drawing also on the lessons in the Internet and Jurisdiction Policy Network since 2012 regarding how does multistakeholder things work, basically, because we all are asking for a multistakeholder cooperation on those areas, but how do you do it concretely is always a challenge.

So a few points, and the discussion was very enlightening in that regard.  The first one is I think we can all agree that the topics we're addressing are actually complex, dynamic questions, and just like we say complex, dynamic systems, we use words like "unintended consequences," "collateral damage," "dynamic movements of actors," and this is what makes those issues so difficult, because of the multiplicity of actors that have to be engaged and the interpenetration of sorts of measures that are taken in one dimension for security matters and the impact that they may have on other issues in the economic dimension, for instance. 

Another element that was striking is the comment that Paul was making regarding the new era around encryption of absolute privacy.  There are considerable consequences to those technical evolutions that have policy challenges as well.

So first element is those issues are ‑‑ have to be addressed in a sort of holistic manner by looking at the different dimensions.  This is the main fundamental justification for a multistakeholder approach.  You need to have the whole picture and you need to move beyond ‑‑ we all need to move beyond the framing of the problem in terms of, I'm the government, I have a problem with the companies; the companies ‑‑ I am a company, I have a problem with the government, the Civil Society doesn't like what ‑‑ no.  These are valid questions.  But the real problem is that those are issues that people have to address in common.  They are common challenges.  And I want to highlight one word.  We hear very often words like "balance" or "trade‑off" and those things.  In the Internet and Jurisdiction Policy Network and the Secretariat, we try to push as much as possible for the wording "reconciling competing objectives."  Because in many cases all sides are right in what they care about, and, for instance, even on the debate on encryption, as was mentioned in one of the interventions afterwards, and even on shutdowns or disruptions, there are challenges of public order.  There are challenges of security that touches human rights in a big way when people are harmed.  And so how we reconcile those competing objectives is a major challenge that can only be handled by the different actors around the same table.

The next element is ‑‑ was not necessarily mentioned explicitly, but I think it was underlying most of the interventions.  We're living in a world of extreme legal uncertainty and growing legal uncertainty.  We don't know exactly how the national laws apply in the cross‑border digital environment.  Who is actually setting the norms?  There's a combination of international instruments, national laws, terms of service of companies, and all those mechanisms interplay with sometimes situations of conflict, where you are in the position of a company, have to abide by different national laws that are not necessarily compatible, or are trying to accommodate different levels of ‑‑ of legal commitments.

So this question of the environment of legal uncertainty can only be addressed if we move beyond the sort of siloed approach and what we sometimes and often label as a prisoner's dilemma type of situation, where every single actor is trying to solve the problem from its own perspective which means for governments adopting a particular law, for the companies adopting particular rules for their own services, but the problem of the cumulative effect of unintended ‑‑ sorry ‑‑ uncoordinated actions provides and brings unintended consequences that are detrimental, actually, for all different aspects.  They can be at the same time detrimental for human rights, for cybersecurity, and for the digital economy.  And a particular topic that was not directly addressed but I think is clearly in the context of the discussion we have here is the whole debate about mandatory data localization, for instance, which is a very important issue. 

But beyond explaining what the problems are or other challenges, I want to ‑‑ to highlight one ‑‑ one element.  We have a tendency to discuss a lot the symptoms and the problems that are raised by the actions that are taken in reaction to situations, but I want to highlight, for instance, that the whole debate about, for instance, disruptions or shutdowns, if you think about the most classical examples that we have, like the blocking of WhatsApp or the blocking of YouTube or things like that, there are actually measures that are adopted, whether we like it or not, in reaction or frustration because other problems are not solved.  And the other problems particularly are how do you handle cross‑border access to e‑evidence when the data is stored beyond your borders?  That's a very fundamental jurisdictional challenge.  Just like for contents, the question is what is the respective responsibilities and the geographic scope of the ‑‑ the content suspension.  So what I want to highlight is we are in an environment where there is an obligation for coordination in order to bring policy co‑areas (phonetic) because a lot of actors are doing ‑‑ addressing the same problem.

The second element is there is a need for more than coordination.  There is a need for cooperation frameworks.  You were asking for solutions.  Solutions are actually policy standards and cooperation frameworks that have to be developed not just by a series of panels, however important, this is a kind of reporting, but what is needed is processes.  And I'm very grateful to Stefan Schnorr for mentioning the Global Internet and Jurisdiction Conference in Berlin, which actually will be the third, and the second one will take place in Ottawa in February, this ‑‑ 2018, in partnership with the Canadian government.  And I just want to highlight this process as one example on three issues regarding cross‑border access to user data, content takedown, and domain suspensions that illustrate how there is a need to bring the different actors together in an ongoing process with appropriate support. 

Any additional information can be provided in the session that we have on Thursday at 9:00, in Room IX.  You're all welcome to attend, and please come to the booth, but it was a fascinating session.  Thank you very much.

>> MODERATOR: Thank you, thank you very much, Bertrand, for that.  Just to add, there are a number of sessions that are coming up at the IGF dealing with some of the issues we've tackled at this session, so please consult the program if you want to get deeper in that.

I hope that this main session has helped us, or helped us all to provide some views on the regional policy initiatives that do impact the global environment.  I also hope that it has helped to met the outlooks and challenges for the multistakeholder cooperation in this respect.

I would like now to thank the speakers from this panel, mainly, Bertrand, Fiona, Vint, Stefania, Stefan, and Anne for their excellent contributions.  Thank you.


>> MODERATOR: I would certainly want to thank the team that has been behind the session, namely, the mic facilitators, Professor Flavia Wagner, who is the professor for computer science and engineering at Federal University of Rio Grande do Sul, and my dear colleague Virginia Park (phonetic), who is joining the session remotely.  Thank you very much to them.  Thank you also to Diego Cannabaro (phonetic) and Jamila Venorina (phonetic), who have not only been the bridge with the online participants at the session, but also instrumental in putting this session together. 

And last but not least, I would like to thank you, participants at the session, remote, and here in the room, who have participated both actively and passively.  Thank you for staying for the three full hours.  Have a good rest of the day and the rest of the IGF