IGF 2017 - Day 2 - Room IX - OF40 The New Corporate Digital Responsibility: Duties of Care and the Internet of Things


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>>> Good morning, everyone.  Welcome to the forum called the new corporate digital responsibility duties of care and the Internet of things.  I'm moderating the session.  And just to set the stage, I'm going to hand the microphone over to Andrea Booker with the Dutch national security council.  We'll set the stage for this session and then we have a very open discussion together on this topic.

>> MODERATOR: So welcome, everyone, to this open forum by the Dutch Cyber Security Council and the Ministry of Security and Justice from the Netherlands.  My name is Andrea Booker, I'm a deputy secretary of the Dutch Cyber Security Council.  And the Dutch Cyber Security Council is, as you may know, an independent, high level public/private academic strategic advisory body that advises the government and through the government also the private sector about all matters related to cybersecurity in the Netherlands.

The Cyber Security Council was established by the minister of security and justice in 2011.  The Netherlands has the ambition to be an secure and open cyber domain in which the opportunities over our society by digitalization are exploited, threats are mitigated and fundamental rights and values are protected.  The Cyber Security Council contributes to this ambition by looking forward, highlighting developments with imminent impact on the Netherlands and providing advice about what action parties in the Netherlands should take. 

The CSR has a unique composition of high ranking representatives from the public sector, the private sector, and the academics.  This composition allows the CSR to evaluate national and strategic cybersecurity challenges from multiple angles, an issue well considered advice.  Of course, the issue of cybersecurity requires a global approach.  One of the topics that obviously needs a global approach is duties of care. 

In April 2017, the CSR published the cybersecurity guide for businesses.  Every business has duties of care in the field of cybersecurity.  It includes also a checklist    yeah    a checklist.  And the goal of this document was to make Dutch legislation in the field of duties of care accessible and manageable.  The document presents a strong case why companies using ICT having duties of care for itself, its customers and its environment. 

A company has duties of care if they possess personal data using ICT, use ICT in its operations, and develop, manufacture or supply products or services that includes an ICT component.  This guide points companies toward action that ensure viable cybersecurity measures and solutions.  The document is a project or of joint national public/private and academic working groups.  It's important to share good practices here at the IGF, and this is the good practice the Cyber Security Council would like to share with you. 

Other states can transform this cybersecurity guide into their own judicial framework and make a checklist as well and make the information accessible and manageable.  The number of devices connecting to the Internet runs into the billions and counting.  The concerns around security arises while IoT touches our personal security.  The goal for duties is rising with some stating that the opportunity for self regulatory measures is about over.  However, production and distribution of global hence industries' goal for regulation or self regulatory measures. 

During the Dutch presidency of the European council, the CSR published this EU report.  Europeans for cybersecurity.  This report containing recommendations with regard to the Internet of things and the harmonization of duties of care across the EU.  All of these publications, you can find on our website.  It's cybersecuritycouncil.com. 

So this open forum acknowledges the need for global harmonization.  In fact, it was also the main outcome of the discussion about duties of care we had at the NL event of the IGF.  So the question is, is IGF suitable for this and in which form, either in an IGF working group or in another group.  There is already interaction with the dynamic coalition on Internet of things and also with the best practice forum on cybersecurity, and they are also willing to bring this important topic further. 

>> Thank you, Andrea.  Well, this is the moment that we're going to open up the floor.  The idea is that we really exchange views and ideas, and there's no preset presentations here.  There's no panel.  It's all about your thoughts.  And we have invited a few people to say something about it from a specific perspective.  But we're going to go to work and we're going to go to work with three questions that I'm going to ask the room, and just raise hands just to see how we feel about this topic.  And then we'll go into more detail. 

But the first question is do you see a need for harmonization concerning duties of care in ICTs.  Who thinks that is a good idea?  Just raise your hand.  Who thinks it's a bad idea?  And who thinks I don't know?  Okay.  At least we have some sort of a positive setting for these topics to start off with. 

The second question that I have is do you agree that these challenges and harmonization take more than one stakeholder group to solve?  Who agrees?  Who disagrees?  Also, nobody, I noticed.  Perhaps you don't dare to raise your hand because I will ask you for your views.  But I'm going to ask the others for their views also in a moment. 

The final one is we are the IGF, and do you see the IGF as a potential forum that can facilitate ongoing discussions on critical, complex Internet issues as presently discussed?  So would the IGF be a venue to discuss this further together?  Yes or no?  Who's in favor?  A few.  Who's against the IGF as working on a topic like this?  Who doesn't know presently?  Several.  A skeptic. 

But I think we have a basis to discuss this session from a multistakeholder point of view from complex critical question point of view.  So let's start, and I would like    is Mr. Donahue present from the EU?  No, he isn't.  He would have to leave at 9:30, so he may not show up at all anymore.  That would be a pity, but that's how it is. 

Let's go to industry.  Industry produces a lot of these products.  What is the point of view that you're at at this point in time concerning duties of care?

What is the stage that industry is in?  I have Mr. Paul Mitchell who works for Microsoft but represents the international chamber of commerce, the ICC, here personal. 

>> PANELIST: So good morning.  I'm not sure I can actually represent a single position across the industry.  So I'll give you just a few thoughts that are reflective of conversations amongst different industry participants in ICC and in basis specifically around the topic. 

There are generally a lot of questions around duties of care concepts.  The good news is the discussion is progressing.  And there's general agreement on the need to understand current practices as they exist in various places.  As well as the need for multistakeholder model of cooperation, which we just saw with a show of hands. 

It's true also that while laws and regulations surrounding the operation of networks vary widely around the world.  So what's actually in scope in a duties of care discussion is not universally understood.  The Internet itself is not a uniform thing.  But rather a collection of disparate systems and processes that work together loosely based on agreed technical protocols.  And in this kind of a system, the responsibility boundary between the various players can be unclear and often is. 

At the very least, it shifts about as new services enter the market and take share and there's new harms and threat factors are discovered.  So those that are offering services clearly have a duty to do what they can to keep networks and users safe.  The complicated questions surround implementation of that simple statement.  So to date, service providers have steadily improved reach, performance and capacity of their networks.  And at the same time, have enhanced the security and consumer protections.  Mostly through voluntary measures.  The industry develops at an exponentially accelerating pace.  And it's amazing to stop and consider just how much progress there has been towards improvement in these critical areas just in the last decade. 

The progress has come almost exclusively through industry self regulation and cooperation.  Not entirely because there's also been the emergence of various specific regulatory actions in some cases around the world.  So this discussion asks whether duties of care should be globally harmonized.  I think    and it's at least partially the view of some of the other participants in ICC that the question is, in some ways, premature.  Instead what might be asked is what duties of care could be harmonized globally?  Because any harmonization is inevitably a compromise.  A central challenge in much of the Internet discussions    Internet governance discussions is on the nature of compromise.  Whether it be through a globally accepted set of norms, new national laws and regulations or codes of conduct or even a treaty, as Microsoft, for example, has suggested relative to digital Geneva Conventions.  These compromises necessarily will impact how the ecosystem moves forward. 

So in thinking about that, we need to remember that there is a necessary economic foundation that must be supported if the networks are to continue to scale and to improve, especially through    with the emerging Internet of things.  Without a sustainable economic model, eventually the system will collapse.  The reality is there are actually many models in use around the world that address the unique circumstances in particular locations.  And I would now presume to recommend that they all be harmonized.  Whatever responsibilities we agree to harmonize must be possible within this diverse set of economic models. 

The secondary to consider is sociopolitical because the reality is that the global population does not share all of the same values and priorities.  Today that diversity is generally a strength for the Internet, but it could become muted if certain services were suppressed to serve the goal of harmonization broadly. 

And finally consider that the technology is a moving target.  So harmonizing anything based on a particular state of technology we have today without the appropriate allowance for forward innovation would be harmful.  So with that as some food for thought for the rest of this discussion, I look forward to the comments from everyone and learning more about how this could move forward.  Thank you. 

>> MODERATOR: Thank you, Paul.  I think there were several interesting points made on how this discussion can progress.  First I'm going to ask the other representatives from governments in the room or who have a view on this topic.  So if there is someone representing a government, would you like to speak up on this topic?  The answer is no.  At least a lot of silence. 

Well, let's move on there and try and find out what already happens at this point in time.  So who currently is in some way working together already in trying to find answers to this specific topic of duties of care vis a vis the Internet of things?  So Martin, please. 

>> PANELIST: Very smoothly.  He also asked me to speak.  Thank you for organizing this because I think it's very relevant, with the fast move of society and change.  It's clear that we cannot rely on legislation alone to understand what we need to do and to continue to create a world that we can feel comfortable in.  So also, the element indicated by the gentleman with Microsoft on a sustainable economic model is crucial, and that's one of the reasons why the IGF is also hosting the concept of the dynamic coalitions. 

First, dynamic coalitions are coalitions on subjects that go over time, that we don't have a simple solution at one IGF.  It requires more time, and so you can see that dynamic coalition or Internet of things makes sense from that perspective.  Basically, it started in 2008 IGF when it wasn't as full on the agenda as it is today.  And the role that the dynamic coalition, in my view, can fulfill and I have the honor of chairing that is that it can bring together stakeholders.  And indeed industry is one of those stakeholders.  It's such a clear area where now a stakeholder can get it done alone.  Because to get to an environment in which Internet of things is not only serving us but also in a way that we can feel comfortable with that.  It is one where everybody takes responsibility. 

Industry by delivering safe, secure models on which it can count that they are secure in which we know and understand how they work and which data sharing is involved, for instance, but also where it's clear that end users have a responsibility.  I think service providers are the ones who will need to make sure that the responsibility that end users get to deal with are those they can deal with.  So they're overseeable.  And just like with healthcare, we are also self responsible for our health.  We cannot rely on our general protectioner for making sure we are healthy. 

The same is true, I think, for dealing in a good way with cybersecurity, also in the good care of use in IoT.  The other side, obviously government, it doesn't mean they're not important anymore.  I think governments and with regulation where necessary enforce, they see to it that public interest is guarded.  And to balance that out across borders, we also have the benefit of Civil Society. 

One of the big dilemmas governments have nowadays is that various    it used to be in the Westphalian model as they say pretty okay to arrange legislation within your own jurisdiction.  And you covered an important area of your economy in society.  Now, society economy is flowing over into a global one where it's more difficult to have exact limits.  So that's where calibration is needed.  Governments level, international level, bilateral level but cannot do that all in fast moving society. 

Industry serving markets across the world has their own tool.  And as the gentleman from Microsoft explained and yesterday on the panel, a group from AT&T, industry understands they have a responsibility there.  So finding the balance, what better place than IGFIGF set up not to come to conclusions about what needs to be done, but at least to discuss topics, what is relevant and how could we go about it? 

So we'll have a session again at 3:00 this afternoon with the dynamic coalition is to get a clear view on what we understand to be global good practice from a multistakeholder perspective.  It needs to be economically sustainable from business and to be doable is clear.  It also will need to be socially sustainable from a Civil Society or government or a people perspective.  It needs to be an environment we create that we are willing to leave our children behind when it's our time to go, you know?  And that way finding the balance, I think we really need to build beyond legal and also look at self regulation and an ethical approach which means for me because ethics around the world has different meanings.  But at least it means that wherever you are in this chain or whoever you are, or wherever you are in this world, that you're conscious about the choices you make because the mistakes we make may follow us for a long time.  So I hope that's useful. 

>> MODERATOR: Thank you, Martin.  For the scribe, I noticed that it said NGO twice, and Martin said end users.  So that is quite a difference who is being addressed in the text.  So that's just from a procedural point of view.  Thank you very much.  Who else wants to comment on processes around the world?  Please introduce yourself first. 

>> PANELIST: Navad Paulo with a human rights and consumer protection organization.  We've been struggling with this topic for quite some time, and we are finding it really difficult to come up with some concrete ways to address it.  So I think that is also a result worth sharing.  It's not an easy topic for us.  I also read this document that was shared as a background document, and I note that it does not say anything about the interface to consumer protection organizations, which is a key topic that I would have been very interested in. 

I would like to briefly remark on the Microsoft proposal for digital Geneva Convention.  I very much like this idea.  But I would point out that the offline Geneva Conventions, even though they are today very much governmental and all that, they did not start that way.  But they started as a Civil Society initiative of people really getting upset with an absolutely unbearable situation. 

And eventually when there was a strong movement from Civil Society, governments started to agree and they came on board.  So maybe it is something that could also be advanced as a Civil Society kind of thing with some industry involvement, of course, in this case to develop it to the point where it becomes acceptable and looks feasible for governments to get involved.  Thank you. 

>> MODERATOR: Thank you.  Any other initiatives going on at this moment?  Please introduce yourself. 

>> PANELIST: Good morning, my name is Moira deRoche, I'm the chair of the international federation for information processing and RP3 looks after professionalism.  In November 2017 RPC launched an initiative which stands for duty of care in everything digital.  And that has us saying if you start at the practitioner level and you have trustworthy ethical practitioners who produce products and then consumers, businesses, governments demand that they get products from ethical, skilled practitioners, then you've got some way to ameliorating the problem.  So we're working on that from our point of view really around the professional aspect.  So, again, it's something that's very much at the top of our mind and very much at the top of our mind at nongovernmental organization.  Thank you. 

>> MODERATOR: Thank you.  Martin, I see you've entered the room.  And best practice forum on cybersecurity has been mentioned as one of the what you call the groups where this topic is being discussed.  Can you explain a little bit about what is happening in your best practice forum?  Martin is the lead expert of that working group of the IGF

>> PANELIST: Sure, I'd be happy to.  Thank you.  So within the best practice forum of cybersecurity, one thing that has become very prominently featured this year is that in order to make progress with a multistakeholder community such as the one we have here at the IGF, one thing that really needs to be very clear is that there needs to be a culture of cybersecurity.  And that culture needs to be underpinned with a set of values. 

And we try to work on really identifying how we can make something like that very practical.  And one thing that came up was that we needed to have a clear definition of cybersecurity, which actually turned out to be very, very challenging.  There's been a number of definitions that were proposed that were being discussed, and there are some that sound good to many, but there's really none that sound good to everyone. 

Now, in order to make progress beyond the point where you have a definition of what cybersecurity really means and how you go and implement it, you need to find ways to gain a shared sense of responsibility for every stakeholder.  So stake holders need to have a clear idea of what it is that is expected of them to help make that cybersecurity culture a real outcome. 

And there were really two different areas that came up as potential areas of further discussion and development for this.  One of them is norms development.  So having a clear set of responsible behaviors that individual stakeholders can execute on is really important.  One of the challenges with norms is that the way that it is addressed today is that it mostly is all about nation states and states and the responsible behavior that they have in cyberspace.  There's actually fairly little involvement of other stakeholder communities, and in particular, Civil Society in that discussion today. 

When we looked at some of the documents that were actually contributed to the lists by some people working on duties of care in the Netherlands, it became very clear that it's actually a very practical way of translating responsible behaviors and expectations on participants within cyberspace and participants that may deploy software or may utilize software to deliver services.  And make it very practical to them what is expected of them to be a responsible stakeholder within that environment. 

So I think that's a really interesting outcome, and we don't have a practical way forward today to integrate duties of care in that discussion.  But it's one of the topics that we're potentially looking at for next year if the best practices forum is continued. 

There's one thing I would also like to add from another perspective and actually another hat that I wear, which is out of the forum of incident response and security teams.  And within the first community, we're a global community of incident responders.  What is very interesting is that we all have similar processes and functions, and we have very similar ways of dealing with incidents when they happen.  But our priorities and our goals are often quite distinct.  However, one thing that is clear during the incident response process is that we always focus on minimizing harm.  And defining what harm is is actually a multistakeholder activity in terms that you need to understand what is important to the individual users that are affected, what is important to the corporation that you're supporting as an incident responder or to the state that you're supporting. 

And I actually feel that duties of care has some potential role there as well in terms of it could be very interesting to look at that minimizing harm in terms of what are the duties that every stakeholder has within this cyberspace Internet community to really take our responsibility when it comes to deploying things securely and having ways to minimize harm across our functions within this community.  So I think those are two elements that actually make it a very interesting train of thought and something that is probably worth investigating deeper. 

>> MODERATOR: Thank you, Martin.  I think we heard several interesting points and several very interesting angles in which clearly the topic is a concern for very different stakeholders.  So we've got somebody from a consumer point of view, and that consumer is perhaps missing.  We heard about the potential interactions possible within the IGF.  We heard industry saying basically a lot of things.  But what I think was a very important point is that duties of care is the whole world.  And what is actually possible to discuss at what point in time.  And do we need to chop it up in chunks that are actually digestible for communities to take on.  But if that would be the case, then I have a few questions.  What would be the most urgent topic that is possible to take on?  And the second is who needs to be on board to be able to have a meaningful discussion around it and perhaps a conclusion on that topic?  So are there any views from that angle?  Let's start there and then see where we can take the discussion forward.  So what would be real priorities at this point in time?  Are they acceptable to discuss topic?  And three, who do we need to invite to make sure that this is going to be the right discussion?  So please. 

>> PARTICIPANT: I'd like to give my comments.  I'm Anthony Wong.  I'm the president of the Australian computer society, a technical ICT professional body.  We are also part of the international federation for information processing.  My colleague over there, Moira, mentioned that.  And we were founded by UNESCO nearly 60 years ago in Paris.  We have many working groups working in many areas including IoT, cybersecurity and so forth. 

I think it's important, my background, I'm an ex CIO, I'm also an IT lawyer.  So I come from the perspective of a lawyer as well as a technologist.  And some would say as a philosopher some of the things we've done in the past and what we've got to do with converging technologies in the future. 

So my comments, because of my legal discipline, basically we think we need to quantify what we're trying to do here because we've got    the topic is about corporate responsibility care in IoT rather than generally about cybersecurity or artificial intelligence, which I've spoken on many, many times in the past.  So we need to better limit because the chance of success depends on what we are trying to achieve.  Because if you try to achieve too many things or broaden the aspects to AI and machine learning data and so forth, I think it will not succeed.  I think your topic is IoT, and I think we need to focus on that because I think that's the scope that we're trying to do.  So that's my first comment. 

As a lawyer, I agree with -- is it Paul or Peter Mitchell from Microsoft, you need to define what duty of care is.  So as a lawyer, there are many definitions around the world.  It's not one definition for everybody.  I struggle with that as a lawyer.  Yesterday or Sunday my colleague and I, we gave a presentation on Sunday about duty of care and trust and accountability as an IT professional and what it means.  And where does that actually arise?  It doesn't come from Norway.  It comes from history, regulation, common law in the English jurisdiction or in the case of Europe, the civil law system.  So they come around from something.  So we are touching on many things in the English system on the common law, the law of negligence, duty of care.  We have statutory laws on consumer protection for product liability, contractual law and many, many aspects.  So it's a very broad topic.  So we here need to define exactly what we're trying to do about duties of care, to whom, by whom.  And if something happens in terms of bridging that duty, what do you actually want to happen?  Because it's breach of data in terms of IoT, breach of data, privacy and security, loss of data, misuse of data.  Can you actually claim those things currently in the court system? 

So there are a few success stories.  Here in the UK and the U.S., class action for breach of duty.  So all that we need to weigh that in that light when we are dealing with this topic.  Because there's no point having a duty when you cannot enforce it to the regulatory systems of the different countries around the world or if the person who's affected by it cannot get justice at the end of the day.  Because for every duty, you want to make sure people can claim compensation or derive some compensation, it may not be a monetary sense.  It could be an apology.  It could be compensation which is not monetary in that sense.  Because when you talk about reputation and loss of your personal data, those things are very personal.  So not all financial payment can actually cover you for that losses.  Just as you are born with a date of birth that is lost, can you actually change your date of birth?  No, you can't. 

So what are we talking about here?  So that's my starting position.  Thank you. 

>> MODERATOR: Thank you.  I think what the Cyber Security Council tried to do is show what's already there, and from there you can find out what is possibly missing.  So in other words, to go a little bit deeper in what you were saying, maybe before we start a whole discussion on harmonization, that it's important to find out first what we already have and what already can be made accountable or whatever system that specific countries work on.  And that's going to be very global, of course, so there's going to be a lot of differences.  But would that, then, be a starting point for a discussion to find out what is it actually that we already have as consumers or as institutions, et cetera?  So what would your starting point be?  Any other thoughts in the room? 

>> PANELIST: Could I have another go?  I will welcome the harmonization of duty of care.  It's a challenging position, but it needs to be done, especially for IoT.  So I embrace that and voted yes to do that.  As I said, it's not easy.  So I think you are on the right track.  Your report, I commend you for the report you have written.  The secretary of the Dutch security council actually spoke on our panel in Sydney, Australia, in December last year on cybersecurity and some of the duty of care aspects.  So we are across the work that the Dutch security council had worked on.  Also, our past president Leon Strauss was actually participating in that process as well, being based with the Netherlands. 

>> MODERATOR: If I then return to Martin, suppose that the cybersecurity best practice forum continues, that duties of care would be a topic that is acceptable, would that be a starting point to make an inventory of current best practices? 

>> PANELIST: Well, to the point of the previous presenter, I think it's important to understand the scope of duties of care.  And I think there is a distinction between the levels at which duties of care becomes a useful and usable concept.  And I personally very much like the work that was done in the Netherlands with the document that was compiled.  I have to tell you when I read through it, it felt a bit like a refreshing breath of fresh air because it explained individual actions that a corporation could take.  And more importantly, it rooted those actions into applicable law, applicable policy and best practices and I think that for me was an interesting concept.  The fact that those three were combined.  It wasn't all about legal requirements.  It was all about best practices that had previously been published by for instance the Dutch government.  I think that's very interesting. 

Where I think communities within the IGF may perhaps come short a little bit is in actually being able to compile this information at a national level from each of the governments or groups that are participating.  So I think there's an interesting exercise there, which is for other states and perhaps even beyond states, other groups and their constituents to come up with a set of best practices that makes sense and really describe what duties a particular organization has working within that state or constituent group. 

I am unsure whether that's something that is doable within the scope of the IGF because of the relatively low lack    I'm sorry, low level of hard commitment to go about things on a national level.  And there's an interesting question to be asked.  This is a topic that would be valuable to bring up in some of the national and regional IGFs and see what can be learned from them in terms of efforts that have already been done domestically.  But in the end, it feels like the concerted effort that the Dutch government invested in bringing all of those different elements together and writing them out clearly is something that probably requires some form of professional approach within each country to compile it and then feed it back somewhere.  I think the best practices forum on cybersecurity is one place where some of that information could be collected.  I'm a little bit hesitant to make it the place simply because of the inability of us to really have a hard commitment from the national level to get that information together.  And I feel that there's some more professionalization that in the Netherlands clearly has been provided that could be really valuable.  So I think that's an interesting thing to think about, which similar organizations could exist in these other countries and groups that could actually be in a good place to collect that information and really spell it out in a very clear way that afterwards could lead to that concept of harmonization which I do think especially for Internet of things, for instance, should be a main goal. 

>> MODERATOR: Thank you.  From your point of view, please introduce yourself again. 

>> PANELIST: Navad.  I appreciate the point that some information needs to be compiled in view of the national level, especially where laws differ from country to country.  I would say that there is something that is at least in my current understanding universal, and that is the difficulty of actually finding out what happened.  I mean, if you buy a toaster and it sort of explodes, the consumer knows what happened.  If you buy an IoT device and it violates privacy, the consumer will not know.  It will be difficult even for a professional to figure out what happened.  And coming back to the point of artificial intelligence perhaps not being totally in scope, in that respect, I would say the interface to artificial intelligence must be considered because once the data from IoT devices is not processed by readable algorithms but by some kind of neuronetwork based artificial intelligence, it becomes even harder to figure out what precisely is happening.  And if as a result of something nebulous happening, in the end, we have discrimination against some people, I think we really need mechanisms to figure out what happened, who is being discriminated against on the basis of what kind of criteria, these are problems I think which are totally independent of the country or legal framework that needs some concerted action so that we can actually know the what before figuring out what to do about it. 

>> MODERATOR: Thank you.  I think you pointed out something very nicely, is that if I buy a Smartphone or a laptop or online camera, whatever, if that thing explodes, I can just go back to the shop, saying my laptop exploded.  And I will get another one.  Or they'll repair it.  But what happens inside of that laptop, the shop owner hasn't got a clue.  The manufacturer perhaps doesn't even have a clue because they're all sort of components in there that nobody knows how they ever got in there, perhaps.  So in other words, there are all sort of services coming onto the laptop that are no longer regulated by anybody through consumer law.  And I think that's a very interesting point to arrive at because we have so many different partners in this discussion that we may not even know about and have never, ever visited the IGF

We go back to industry.  You heard several ideas about where perhaps to start, what sort of inventories could be made, et cetera.  What is your response from that point of view? 

>> PANELIST: So it's been a fascinating discussion so far.  And there were a couple things I did want to come back in on.  First of all, the gentleman that sort of referenced the beginning of the Geneva Conventions as being something started by Civil Society and not by governments.  I think that is a key important part for all of this discussion because really what happened there was the ability to get to a harmonized understanding of a particular set of harms that everybody could agree did not -- that they did not not want to perpetuate.  You know, harms that during war, kind of a weird thing.  But nevertheless, that's how that happened. 

And in this discussion, whether it's IoT or any of the rest of the services that are on the Internet, I think the most difficult part to do is to identify that cross section of sort of uniformity into which everyone can agree.  And still today, the vast majority of sort of law and governing principles that by which the Internet more or less is regulated across the world is still based on a series of largely, you know, Western developed nation law and economic principles which, you know, personally works well for me.  But we are sorely lacking viewpoints and experiences and cultural references from large parts of the world that are increasingly coming online and that are sort of changing what the Internet looks like.  That's one point. 

The second point sort of relates to the broad concept of how you identify the    maybe the regulatory, you know, insertion point.  We just talked about exploding toasters versus essentially what are data services and data services that are self evolving through artificial intelligence.  Another comment earlier on was related to the sort of responsibility of the user themselves.  So with the concept of healthcare.  You have your own responsibility, you know, to be healthy.  It's not just all up to your doctor.  We haven't figured out, I think, generally how to ensure that the population of people that are exposed to services actually has all of the right tools and, you know, knowledge and understanding to be able to exercise their own responsibilities in the same    to use the healthcare analogy, you know, your doctor can tell you to eat right and exercise.  And generally people tend to know whether they're doing healthy or unhealthy things.  But that's not necessarily true on the Internet at this point in time.  Especially in emerging markets. 

And we haven't figured out how to address that problem holistically.  I think the last point to make just relative to how at least some parts of the industry certainly where I sit view the entire problem.  We are trying to, on the one hand, move the technology forward and, you know, allow the technology and enable the technology to do more and better things for humanity.  To create broad benefits for society.  That's generally why we do all of these things.  I mean, there's an economic motive, but we get up in the morning trying to figure out how to do things that are positive. 

But as we do that, we're always    the industry as a whole is pushing the boundary between the science and the art between sort of the social    you know, social interaction and the humanities based constructs and pure science and technology engineering.  As is often the case when you do things like this, we create lots of disruption, and the disruption itself tends to give rise to perhaps early and not fully informed drives to regulate things that are not fully understood.  And that tends to be attention that doesn't have an easy answer.  So because you want to balance the ability to move forward, you don't want to shut that down necessarily and preclude, you know, the finding that next advance that cures cancer or is a big help in solving climate change issues or whatever.  And at the same time, recognizing that, for example, in the field of what is    what defines work today or what will define work in the next ten years, there are a lot of unknowns. 

As we work through this discussion and try to involve all the sectors in the discussion of what are    what are the responsibilities of each sector and at what point and how do you put governance structures around them, that that is    that is the challenge.  What we don't seem to spend much time talking about is how to make    how to create that balance.  We tend to be polarized whether on the pro regulatory side or the self regulatory side.  People like to have black and white.  And it's really not that way.  We talk about developing norms or codes of conduct or the Geneva Conventions or any of these other things.  It's all with the understanding that there is    there are these, you know, these sort of conflicting attention elements that have to be balanced over the long term.  And it's in that    it's the discussion of that balance that seems to always be lacking in the posturing for, you know, one side or the other, and that even assumes that there's two sides, and there's always multiple sides.  And that's the conundrum for large global corporations, you know, like Microsoft and others that offer services all around the world in, you know, hundreds of countries. 

It is a challenge to figure out, you know, what's the intersection that threads the needle through all of those differing viewpoints. 

>> MODERATOR: I think that's one of the questions that we're trying to answer in this session and how to proceed.  We'll go to recommendations after final comments.  Please introduce yourself. 

>> PANELIST: Hi, this is Barry Liba.  I want to challenge one point that you've made because you've hit on an area that I rail about a lot.  And that's teaching the users to be healthier is a way to go.  I want to make sure that we don't rely on because it's doomed to failure if we do.  It's perfectly fine to teach users not to stick their fingers in electrical sockets or touch the hot toaster.  But we have designed electrical sockets that you can't stick your fingers into, and we've made toasters that don't get hot on the outside.  And I think that's where we need to go.  We need to make it so that these systems work even with naive users, even with users who are not trained, and even with users who intend to misuse the system.  So, yeah. 

>> MODERATOR: Thank you. 

>> PANELIST: So just to come back, I actually agree with you, right.  I'm certainly not suggesting that we just rely on figuring out how to educate.  But I am trying to point out that that is a major gap in large parts of the world that just helps to exacerbate the problem, and we need to use both sides. 

>> MODERATOR: We're sort of starting to run out of time because it's 10:00, the next session will be starting here.  I've still got one major question to ask the room is that we've heard several points of view, several options to go forward on, several topics that could be addressed, the need to prioritize, et cetera.  What is the best venue in the world, not necessarily the IGF, to take this discussion forward?  Because I think we all seem to agree that it has to go forward in some form.  How do we best go about it, and what should be the recommendation?  This session is going to publish on the website of the IGF and perhaps even present to a best practice forum or the dynamic coalition or even the MAG to take steps in 2018 on the topic.  So please, your thoughts, because this is your session and not really ours here behind the table.  So who would like to start?  Where are we going? 

>> PANELIST: Actually, I think IGF will remain a very important place for this.  But as the gentleman from Microsoft said, it's truly important to recognize also that there will always be differences in the world in how people go about it and what people think is important and how well they're educated and things like that. 

So next to the global IGF to talk about the global issues, I think it's crucial to also continue supporting and feeding the regional IGFs and national IGFs.  I think they have a very important role here because at regional and national level, we also are able to get the stakeholders together around the table, we're actually going to do it. 

So I think we are on a pretty high level recognizing the use and state of the art and urgencies and education are not the same everywhere.  I think we can say useful things, and this to be brought back to regional and national IGFs and maybe have them inform us, again, for the global debate. 

>> MODERATOR: I think that makes a lot of sense because it would certainly derive a lot of input that perhaps we could go forward on.  Any other suggestions?  Please introduce yourself. 

>> PARTICIPANT: Hello, we are taking care of data privacy topics.  And the interesting part in this discussion that was one word was missing or mentioned very few times which was data.  And it doesn't matter whether we're talking about IoT or other things like Internet usage and so on.  We often forget that the key thing is data.  And I think there's some key questions that need to be answered in regard to data.  And the first question is who is owning the data?  I think the EU like GDPR is trying to move this towards the individual which I think is the right best practice.  But I think we need to get a general understanding who's the owner of data. 

And when we're talking about the individual as the owner of the data, we need to also bring back the control of the data towards the individual because for me, it doesn't matter whether I'm using an IoT device.  I want to control what's happening with the data.  I want to be able to have transparency for what purposes this data is used.  And I want to be able to revoke that data.  And I think the key questions which needs to be addressed, who's the owner of the data.  Because from a law perspective, we can balance this and have better control of all the activities.  And also for the companies, for the enterprises, more difficult also to do things which are not in our interest to reach that. 

And I think the IGF, because you asked for the right venue, the IGF is absolutely the right meeting and purpose to drive this ahead because it's a general topic.  We have multiple stakeholders involved, multiple interests in data because we understand the data is very valuable.  It has a lot of interest in getting as much data as possible, and we need to get the right balance.  And IGF is the right thing for that, and we have just a session after this talking about openness and privacy, and I think we can combine both if we have the proper understanding of who's the owner of data, which is the key thing.  Thank you. 

>> MODERATOR: Thank you.  This one. 

>> PANELIST: I'm also talking on that topic tomorrow at 4:30 on Internet of things.  I'm actually talking about who owns the data.  I also have a paper that I've written which is published with Sydney about that very topic who owns the data.  So those things are included, so interested in the perspective.  I'd like to think that we should start a working group to tackle some of the issues.  There are many.  Data is just one.  Security of devices is another for IoT.  The Australian government has, at the end of this year, going to publish a paper about giving ratings to secure IoT devices called the cyber kangaroo rating.  They're going to pass that report, so you should watch out for that. 

There are many technical bodies.  We are working on standards and security.  IFIP has a domain on IoT working on that very topic.  So we'd like to participate with your working group going forward.  Thank you. 

>> MODERATOR: In the back.  You, yes.  You said that consumer protection agencies are not involved enough in this discussion.  And I don't think I've met any at the IGF as far as I know.  How    what would it take to get    if it is important to you, to get these organizations on board in discussions like this on a global level from an Internet governance point of view? 

>> PARTICIPANT: I think a key problem is that many consumer protection organizations simply haven't arrived in the digital age very much yet.  We are a bit special in that we are specifically a digital one.  So obviously we have our roots in the digital world.  There is also a big tradition consumer protection organization in Switzerland.  I would not know how to bring them into this discussion.  Although I would mention that consumers international, they have    they are very aware of this problem, and they have this initiative called consumers in the digital age.  So I think they will be a good partner. 

>> PARTICIPANT: Good morning.  The European consumer association with 41 national associations on consumer with the consumer, so all the member states including the Swiss one and the Norwegian had actually a full day session on this topic two weeks ago in Brussels.  I'm happy to help out in getting that together.  Also ANAC is an organization for consumer products which is also very active and very willing to participate as well.  So I'm happy to help out in getting them on board so we know that they are very aware and they work with quite a few European commission and many others in the field. 

>> MODERATOR: Paul Mitchell, we return to you and perhaps wrapping up.  What would it take for industry to be able to commit to a topic like this and find the time to participate but on the premise that we try to find that middle way, which is obviously necessary to discuss this topic in a serious way?  Because I think we all agree on that, from what I hear. 

So if we are to work together in the future, what would it take for industry to be able to commit to a discussion like this? 

>> PANELIST: At one level, I think industry is already committed to the discussion.  I think the challenge that we all find is that there are, in fact, multiple parallels, simultaneous discussions at different levels with different interest groups at different points of times spurred by different things that happen in the sort of operational world.  It becomes economically infeasible for our industry to show up at every potential working group or discussion forum on the topic.  I know we struggle with this at Microsoft.  I know that, you know, colleagues at other large companies have the same problem.  So when it comes to this topic, which is a very broad topic, first of all, I commend the work of the Dutch government because it's done a tremendous amount to try to narrow things down and create some definitions and create a framework.  That's one and one government that sort of got a particular frame in mind, and there's a lot in there to be commended. 

So I can't really answer    I'd love to be able to say all we need is, you know, only this kind of meetings and, you know, like three cities so we don't have to figure out where we're going and it would be so much simpler.  But the reality is that how we end up participating in these discussions is driven by a combination of what's happening operationally at any given point in time, what are the economic interests?

I made three key points to consider.  There has to be an economic foundation for all of this.  And certainly from the industry perspective, that's key.  The second one is related to the sociopolitical, sociocultural thing.  And the third one is technology, but all three have to be considered.  And what you'll find is that the large organizations like Microsoft and carriers like AT&T tend to be involved in discussions that actually link those three topics.  We have the technology forums and you have the sort of sociocultural political forums which typically are the ones that have the most Civil Society inputs.  And then you have the economic foundation ones.  And I think the best way to be able to ensure that there is vibrant industry participation is to make sure that whatever forum is created, that it's fairly precise on the thing or things that it is trying to discuss.  Because when the landscape gets too broad, then there's not really anything that industry gets out of it for the cost.  And we are all operating on a day to day basis.  I don't know whether that's helpful, but I think it's reflective of the actual reality. 

>> MODERATOR: Well, I think that is something that I've heard a few times over the past three days.  So make it as precise and prioritized as possible with a predefined sort of desired outcome would make it more feasible to participate for several partners.  I have one last speaker, and I'll ask Martin from cybersecurity working group about best practices and then we'll wrap up because other people are waiting.  And very short, please. 

>> PANELIST: So, again, on this question, your question, the alliance for Internet of things innovation which was founded in Belgium, initiative commission has all    not all    but more than 200 industry players from the world both from Europe, from Asia, from the U.S. and other places already involved for two years and working on this already for two years.  Again, I think this is a very interesting group to contact and also to see what they are doing and to see where we can help out together.  So that's it.  Thank you. 

>> MODERATOR: Thank you.  I think that    we know that there's a lot of work going on.  And if we're going on in this direction, it needs to have an added value.  That is perhaps connect the dots that are now isolated.  So thank you for that.  And we'll definitely be in contact, Arthur.  Martin, have you heard anything that would help the best practice forum forward on this topic if it continues? 

>> PANELIST: So yes, I think the idea itself is a very useful addition to the tools that we have as a community to move forward a lot of the discussions around responsible behavior.  And in that sense I think there's a very interesting fit.  One thing I would offer up is that what happens with great ideas is that they get emulated.  And I think the idea and the concept that was done in the Netherlands and the documentation that was developed there is actually one of those great ideas.  I see a lot of organizations potentially deriving a lot of value from that document.  And I think an interesting step forward could actually be to identify a few similar organizations internationally that may be interested in developing something very similar for their specific institutions, using very much the model that has been created, the path that has been shaped by the Netherlands.  As that work starts, there will be more and more interest to widen that and maybe apply it to other areas as well rather than corporate responsibility when it comes to cyberspace.  So I think that could be a very interesting way forward, and I do look forward to identifying opportunities for the best practices forum, if it is to be continued next year, to use some of that and contribute to some of it. 

>> MODERATOR: And I'm forgetting Martin.  Other Martin, from your dynamic coalition on the IoT point of view, do you see any value of this discussion within your constituency? 

>> PANELIST: From me, and again, the Microsoft arguments are well understood, yet I think that if we don't find a way to balance these duties in a good way, we may end up with a GDPR like solution.  Because we always knew we had to take care of data.  But we all postponed it until the pressure now from legislation is big enough to really take action.  So I think at some point the call for responsible distribution of duties, we can take care of our duties is going to come.  And yes, this will have economic consequences, but you cannot have economic sustainability without social sustainability.  So in that way, I'll reconfirm what I said earlier, continue the debate.  What Martin said, indeed there's also other platforms where discussions like this are taking place.  And some of them are very relevant.  And one of them is, I think, the Internet jurisdiction conference that is taking place in Ottawa next year.  They're hosted by the Canadian government. 

>> MODERATOR: Well, thank you all.  I think that it's clear that we have a topic that is on the top of mind of a lot of organizations, a lot of people and that it's certainly worthwhile to continue.  Perhaps we can't really say at this point as a great grand conclusion that this is a way we're going to go forward.  But we have heard several very interesting thoughts on how we can continue this discussion.  And let's see if we can come up with the right recommendations that you've made and present them to the world and perhaps even a little bit further to the MAG of the IGF to see if this is a topic that they want to continue on. 

So with that, I'm going to conclude by thanking you all for letting us pick your mind on this topic, for listening to everybody, and have a real fine discussion on the topic.  So thank you very much for your time, and I hope you have a very pleasant IGF in the coming days. 

[ Applause ]

(The session concluded at 3:13 p.m.)