IGF 2017 - Day 2 - Room IX - WS31 Cybersecurity: Balancing security, openness, and privacy


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> Thank you very much.  You don't want me to take any talking points, right? 

>> MODERATOR: Next I will ask Kai to present himself.

>> PANELIST: Good morning.  This is Kai from a Germany-based company from Munich.  I'm working for a company called Seclas.  It's all about data privacy and returning control to the individual and I will provide you some more information about this in the next 1 1/2 hours.  Thank you. 

>> MODERATOR: Now I will go to Duncan. 

>> PANELIST: Good morning, my name is Duncan Macintosh, executive director of the APNIC Foundation based in Australia.  The foundation is actually under the Internet registry for the Asia‑Pacific region.  It stands for the Asia‑Pacific network information center.  So we provide the IP address space and connectivity for the 56 economies of the Asia‑Pacific region.  Thank you very much.

>> MODERATOR: Thank you.  And next, Michael. 

>> PANELIST: Hi, good morning, everyone.  My name is Michael.  I'm a Belgrade, Serbia‑based independent consultant.  I'm here as a Civil Society member and as really someone that's trying to be really in the middle of the privacy versus security debate. 

>> MODERATOR: Thank you, Michael.  I'm Luis Martinez at the University of Mexico.  So thank you, everybody, for being here.  Now, I will open the floor for a quick round of introduction.  We want to sense who is coming from Civil Society, which sector do you belong.  So if you want to please take a couple of minutes to tell us what is your interest in this session.  So anyone wanting to take the floor?  Yes, please. 

>> Press the button.  Thank you.  I'm from Greece.  I'm from a community network (?) We are building a network in remote isolated areas, providing open Internet connectivity for people.  It's very interesting to see how we can tackle the challenge of privacy in the scope and the context of the community network. 

>> MODERATOR: Thank you very much.  Anyone else?  Yes, please. 

>> PARTICIPANT: Good morning, everyone.  I'm Beatrice, I'm from Brazil.  I'm a socioanthropologist trying to build what we are now calling the digital anthropology field, which would be ethnographically.  And I work at the University of Sao Paulo and University College London with privacy versus security when it comes to violence against women and exposing women online. 

>> MODERATOR: Thank you very much, Beatrice.  Anyone else want to share your interest.  No?  Okay.  So I will ask Tatiana to please give us some words. 

>> PANELIST: Thank you very much.  I might have a bit unconventional position.  Even when I look at the title of the session, it gives me stomach cramps.  Because I think that we have to get rid of this concept of the balancing.  We have to get rid of this concept of privacy versus security.  We've got to get rid of the concept where we just put them and antagonize them.  I don't think that by securing networks or by providing cybersecurity, we are securing some random devices or random technologies or equipment and networks and infrastructure.  The main focus of security should be people, should be humans.  This is why we care about cybersecurity.  This is why we want anything from this forum to critical infrastructure to be sure because we are protecting human beings.  And I think that when we think about this from this perspective, when we think from human‑centric approach, it becomes an integral part of cybersecurity.  And this is why I think we have to share these concepts completely.  We have to get rid in our language and our concepts these antagonizing things.  We have to stop putting them apart.  And we have to think about ‑‑ start thinking about cybersecurity as about as an integral part of cybersecurity.  We have to think about the approach to cybersecurity, and then it will become much easier, you know, than any policymaking, any law drafting, anything will become easier when we think about previously as integral part of security, cybersecurity and so on. 

And I don't have time to go into details here like how we can do this and whatever.  But just if you are interested in anything like this, I know that freedom online coalition working group 1, for example, it's a kind of multistakeholder group where governments are working together with Civil Society to create some paradigm shifts.  And I know that they issued some principles on human rights, centric approach to cybersecurity.  They didn't go there, as you know, far and violent as I went with my statement about getting rid of languagewise, but I think that these principles are already endorsed by governments like U.S., Canada and so on by Civil Society organizations.  So they do have some, you know, outlying principles of how we can possibly do this.  So this is my intervention.  I think we have to stop balancing.  We have to bring them together.  Thank you. 

>> MODERATOR: Thank you, Tatiana.  Yes, I think we should discuss the balance between privacy and security.  They are in the same time at the same, every moment, we cannot take them apart.  Yes.  Thank you for your remarks.  Then I will invite Kai for his remarks, please. 

>> PANELIST: Yeah, I 100% support what Tatiana was mentioning before.

I would even mention it more dramatically.  For me, digital privacy is really a human right.  Honestly speaking, I don't understand why we separate, let's say the digital world from the analog world.  In an analog world, if someone were to enter your house in some countries, you can even shoot that person.  In a digital world, we have completely lost control of our data.  We have no clue what's gathered about us.  We have no clue what's happening with the data, and we have no clue how to really revoke that information.  And also, like in this workshop, we are talking about balancing between openness and security and privacy.  Honestly, the first step for me would be what is openness?  Because for many institutions, openness means okay, I get all the data.  I get all the information which I can get from my customers.  That's openness.  For governments, they gather all the information.  They get about their people and use this in their interests.  It's not in the interest of the individual.  And this is something which we need to change. 

And as I was mentioning in my intro, I founded a company a couple years ago focusing on data privacy topics.  I felt a little bit guilty because in the '90s I was working for a huge company, convincing the big enterprises to gather more information about their customers.  And in using this to sell better products and so on.  And after a couple of years, I realized it's getting more and more out of control.  And that's where we are.  And that's where we need to change something. 

And one thing I spotted, I'm a technology guy, and one thing I spotted is that looking at our technologies, we are still like in the medieval times because all we have in regard to data protection is like a couple of hundred years ago where we basically build big walls around the cities to protect the cities.  The concept had a little problem that if someone wanted to trade something or communicate with others, they need to open the door to let someone in.  And basically, we have the same problem with our data at the moment because even when we talk about encryption, which is the key standard at the moment, we need to remove the encryption when someone wants to use the data.  So I cannot control the data because I need to remove the encryption, and then I have no idea what's happening to my data.  That's the reason why we need to change something. 

Another matter in regard for the security problem is that when we talk about authentication, we're still, like, in the medieval times because a couple of hundred years ago, you need to show your passport to be entering the city.  That's exactly what we're doing now.  Because access control is you're providing ‑‑ your username, your passport, you're providing other information.  And at the end, you're in.  And this needs to be changed.  And this is basically what I'm working on.  We provide solutions which are changing the way how we interact and how we handle our data because really privacy needs to be an integrated part of the data.  That's the only way how we can protect this.  That's the only way how we will be able to control what's happening to our data, and it's the only way how to be able to revoke data at the end.  Because only if it's part of the information itself, you're able to control it.  And therefore we need a paradigm shift, and that's what we're working on. 

>> MODERATOR: Thank you, Gary.  I apologize, the transcript has stopped.  So if anybody knows what to do.  If anyone here knows what to do, it will be appreciated.  I think you bring up a good point about human rights.  The right for privacy and the right for being secure.  And all of us, we are sure that there are only a set of human rights, not separated.  So it reinforces Tatiana's point of view.  Thank you.  So then I will ask Duncan for your remarks, please. 

>> PANELIST: Thank you very much.  I think you can probably guess from my opening remarks that I represent not a different viewpoint but a diversity viewpoint.  Coming from the Technical Community of the Internet, I'm interested for those in the audience who know about Internet registries.  I won't go into too much detail.  It's one of the five Internet registries around the world providing IP address space.  Here in Europe, the registry is called RIPE based in Amsterdam.  There's one in Latin America, Africa and the U.S.

And we are part of the Technical Community as we like to call them names, numbers and standards.  So we are the numbers providing the connectivity the IP address space the names are handled by ICANN which I think many of you would know.  And the standards are developed by the Internet engineering task force.  A very important body which sits at the back of the Internet's infrastructure developing the standards. 

One of the interesting things I find about the IETF is it does not exist as an organization.  It's a voluntary group of engineers that meets at least twice a year developing all the standards that allow the Internet's infrastructure to operate.  But from my community's point of view, we're a nonprofit membership organization.  All of the registries are nonprofit.  And if you're a service provider providing connectivity, a mobile operator, you will come to us, request address space for your customers and your devices.  This is how your customers will connect, through the Internet protocol, the IP address space.

So we have around 15,000 members in the 56 economies of the Asia‑Pacific.  And these are all of the companies and firms providing the connectivity to everybody around the region.  As a membership organization, it's essentially acting like a Secretariat.  So we have open and transparent election processes that appoint a board for our organization that's elected from right across the whole region, and all of the registries around the world operate on the same basis. 

So we're very open.  We're very technical.  We don't generally discuss the issues that you're looking at today.  However, we are very interested, and it's why we come to the IGF to be engaged and involved in the discussions.  Because how the infrastructure operates and how it's managed and the policies that govern the infrastructure that we talk about today is a key thing for us.  Our policy process, for example, is completely open and transparent.  Any one of you could come at any time to our meeting twice a year and propose a policy impacting or affecting the allocation of address space in the Asia‑Pacific.  It's an open process.  And all of it is online, and you can see how it's allocated and how the decisions are made.  It's a very technical process.  So some would say there's a very high barrier entry into the process because of its technicality.  But it is still very open.  And this is one of the things that we certainly want to convey to the community here at the IGF.

In terms of the membership and the other communities that we engage with for this morning's discussion, I've already mentioned the Internet service providers around the region that we connect with.  Our natural community, our network engineers.  Some of them are involved in Internet governance discussions, but many of them are technical people that don't directly engage in these sort of discussions. 

The second community that we engaged with are the cert community, the community emergency response teams that exist within government, infrastructure and large network providers.  And the third community which I think starts to get much more into what we're talking about this morning is we engage with law enforcement.  And we engage with law enforcement right around the region, but globally as well such as Interpol, the FBI even in the U.S.  In several areas.  One is in training to ensure that law enforcement agencies understand who we are and what we do and the role we play and what is an IP address.  And when they're looking to identify some behavior on the Internet, that they understand where that IP address that they're using to identify people comes from and how it's managed and it's not owned by government, that it's an international public good.  That's one area.  So education and training is a key part of what we do with law enforcement and government justice officials. 

The other area is law enforcement has an interest in our policy process.  Just to get a little bit technical for a couple of minutes, for those of you who know us, you'll know one of our central technical issues is a technology called IPV‑4.  If you know IPV‑4, it's Internet protocol version 4.  This was the address space decided on in the 1990s around 2 billion addresses globally for the world.  We have run out of IPV‑4.  We are now moving to what we call IPV‑6, which we are assured we will never run out of for those of you who like numbers, IPV‑4 was around 2 to the power of 32.  IPV‑6 is 2 to the power of 64, I think.  So billions and billions of addresses. 

What that means is with IPV‑4 and the network that you're operating on now, one device can be sharing an address with ten other devices.  So from a law enforcement point of view, it can be very difficult under the IPV‑4 network infrastructure to identify users.  Think of the old PABX in your office where you had one line and the PABX in your office going to ten phones around the office.  That's what many network operators are using now.  They have one address and they're sharing it with 10 or 15 users.  Under IPV‑6, because we have billions of addresses, every device, every individual will have its own unique address.  This is not permanent.  It's a dynamic situation.  So as you log on every day, you have a different address for your device.  But it will mean every device has its own unique address.  And so the implications of this is something we perhaps can discuss in a little more detail this morning. 

I think finally, I just want to emphasize our interesting collaboration.  Even though we're very technical discussion like we're having this morning is of great interest to us because we feel it can lead to discussions around regulation that can directly impact on our community, and that is something we're very interested in.  So thank you very much. 

>> MODERATOR: Thank you, Duncan.  I'm sure as well from the Technical Community that in terms of security, cybersecurity, we should start bringing a unique community, yes, with different point of views.  Again, we cannot split privacy from security.  We cannot split in this theme technical from social from law enforcement.  Yes.  And we together have to build knowledge.  Yes.  So let me pass the floor to Michael.  And we will hear his remarks. 

>> MICHAEL OGHIA: Thank you.  So first of all, before I even begin saying anything, how many people here are with law enforcement?  Are there any representatives from law enforcement here?  Kind of ‑‑ one?  See?  This is exactly ‑‑ that's ‑‑ this is the problem.  Because the more that ‑‑ I don't necessarily know the entire makeout of the room, but the fact is if most people here are within Civil Society, this is not going to necessarily accomplish anything.  Nobody came here to be lectured to.  The fact is is that we have to be talking to each other.  We have to be ‑‑ those that are in favor or care about privacy, those that are passionate about privacy and those that are passionate about security for various reasons, if we're not talking to each other, we're not ever going to really accomplish much.  The fact is that security and privacy and openness at the same time, they are not black and white.  We need both.  We can't have ‑‑ we can't have a robust and a lively and vivid cyberspace unless we have both the privacy of our data, the privacy of users, but at the same time, we have security in our networks and security to browse the Internet however ‑‑ you know, within law, and we are exercising our right to be a part of it.  But at the same time safe. 

Now, kind of my take on this ‑‑ and I want to come out of the gate a little bit more ‑‑ a little bit more contentious is that I wrote this the other day.  I said any party that frames the relationship between privacy and security as mutually exclusive and someone is unwinnable as one or the other, frankly that's lazy.  I think that's really lazy.  It doesn't accomplish anything.  But what's harder is building trust.  Building trust between the private sector and its remediaries, building trust between firms and law enforcement officials and building trust with Civil Society, privacy advocates, et cetera.  If we don't want to accomplish anything, if we ever want to get to this point where we're really more understanding of each other's perspectives, we're really understanding more of this ‑‑ of how we can have ‑‑ we can have security and privacy, they cannot ‑‑ they have to co‑exist.  They can't be one or the other.  It can't be that way.  If we want to have that, we have to learn how to trust each other.  We have to learn how to be open with one other to have conversations, hard‑hitting.  We need to be able to say absolutely law enforcement, you're right, we need to do something against child porn.  We have to be able to do that.  At the same time, privacy advocates who say that, well, you know, they're absolutely right, that they shouldn't have private citizens shouldn't have all of their data mass surveilled.  You know?  But the fact is there are solutions.  It takes work.  It takes creativity.  And it takes trust in all of the parties between them in order to accomplish that.

And then lastly, it takes transparency.  And I think ‑‑ and that's a huge part of the trust‑building process.  How can we trust each other if on one hand I'm saying this, while on the other hand I'm going to different fora and different events and doing the exact opposite.  Or if I'm going to my government, let's say, or my Civil Society group and I'm trying to undermine the process.  Basically, this is how I hoped to also encourage this discussion to say how do we build trust?  How do we encourage transparency?  And how do we reach the stakeholders that regardless of whether they're in the room or not, how do we build those connections so that we can really take this debate into real policy and into real implications for our security ‑‑ for our security, for our networks and our protocols?  Thank you. 

>> MODERATOR: Thank you, Michael.  I think you have this point on trust.  And from the Internet society, that is one of the four pillars of the Internet, the trust that will create a sense of security, of privacy.  I will make, before opening the floor to all the participants, to all the delegates, this analogy.  As children, we were taught that going to the toilet was dangerous.  There was dangerous stuff in there.  But also, it was a private environment.  And we cannot separate privacy from security in that area in the house.  So how do we learn that?  How do we exercise both things, security and privacy?  Maybe something we have to reflect and talk.  Fundamental to speak to us, technical, social, law enforcement.  So we can build knowledge together.  So now I will open the floor to the delegates.  First.

>> PANELIST: Thanks a lot for giving me the floor.  My name is Gamel.  Just a quick remark.  I decided to attend some of the sessions that are related to cybersecurity.  Due to the humble experience I had by participating in the group of governmental experts that were established by the secretary‑general of the United Nations and cybersecurity.  And the first remark I noticed about the kind of deliberation and discussions we are having here is that when we tackle security, we tackle a little bit from a national and domestic perspective.  While we are still lacking the international aspect of the issue. 

And this is, I guess, goes to the question that was raised by the distinguished panelist here about the lack of the presence or the participation of all the necessary stakeholders in order to have some sort of a comprehensive or holistic approach.  So this is the general remark I would like to share. 

The second point I would like to tackle was raised by Duncan here.  And I have an interesting discussion with him before the starting of this session.  The problem of sharing the IP addresses in my perception is related somehow to the problem of attribution.  And this is one of the issues that we addressed in the work of the DBE on cybersecurity.  Because some member states tried to somehow to implement the right of self‑defense using Article 51 of the Charter of the United Nations.  If there is some sort of cyber attack.  Again, it's what they call the critical infrastructure. 

So the difficulty of attribution will somehow lead to the misuse or the abuse of the right of self‑defense, if there is somehow an attack, for example, a nonstate actor within a specific state.  Again, it's the critical infrastructure of another state.  And this goes to another issue as well which is the definitional problem.  What do we mean by cyber attack?  Cyber wall?  What do we mean by cyber crime?  I just decided to intervene to raise all these issues from a little bit different perspective which is an international perspective.  And I'm glad to hear any specific points or reaction to the point I raise right now.  Thank you. 

>> MODERATOR: Thank you very much.  We'll make a first round and then we'll make comments.  I also will invite people following the session through remotely to participate.  So please. 

>> PANELIST: One issue that was not raised in the discussion was about data literacy.  So we have people who don't realize what data is, what privacy means, and how they should feel about that.  For example, we are offering interconnectivity to remote villages.  People are really happy to just have Internet access.  They're really happy.  But when you go about talking to them about Internet data privacy, they don't realize what that is.  And it takes a lot of effort to educate, to train these people.  And in turn, to lead these people to vote for politicians who understand what their data privacy is and when there's technicalities and implications of data privacy.  Because we also have politicians who do not understand what the discussion is all about.  They go about voting for stuff that they don't really understand.  So this is a really big issue. 

>> MODERATOR: Thank you.  Anyone wanting the floor?  Sorry.  You cannot move it. 

>> PARTICIPANT: Hi.  I'm director for the ‑‑

>> MODERATOR: Closer.  Sorry. 

>> PARTICIPANT: Sorry.  So my name is (?) I'm director for the Simontech, the number one cybersecurity company.  Also group 17 in the ITU.  So I heard the debate so far, and I have to ask a question regarding the problem of interception.  The problem we have is interception and how to reconcile both the law enforcement guys and the privacy guys is that unfortunately there is one interception that wants to be invisible, and there is one interception that accepts and wants to promote to be visible. 

So when we try to defend, for example, consumers or enterprise customers, we would like them to understand that there is a party, whether at the end point, on the network, or on the cloud.  How far, when I'm a government trying to find if you are that guy, I don't want you to know about it.  And this distinction between the two categories of interception makes both of them quite irreconcilable precisely at the moment with what is being developed at the ITF.  So for a reminder in the past, when 20 years ago e‑mail arrived and nobody knew what to do, when people started to implement interception, they did not have to hack anything.  They did not have to find anything.  They just used the products as they were there.  (?) And off we go.  And today that's how we do e‑mail interception. 

However, anything on the web was not put under interception.  Whether good, bad and ugly, that doesn't matter.  But today the problem is that http is not interceptable.  So when interception is a problem that led, for example, Gemini to issue back in June which basically allows them to attack their cities on their end point to intercept the other communication.  So if you push it one direction, it's like physics.  Action means reaction.  Of course, imaging and people to explain their government which is the champion of privacy and their engineers which are the champions of good design, that they have to rely on zero days and attack on their citizens, very interesting situation.

Now, on the side of the enterprise customers, the possibility is to intercept one by one.  So that means if you want to defend the people, just defend enterprise customers in terms of where they are today is going to become more and more difficult.  Just even to debug your data center is going to be difficult.  So indeed, we need to find a compromise.  But I'm asking here, can we at the moment find a compromise between the two communities.  Thank you.

>> MODERATOR: Thank you.  Yes.  Just before passing to you, is there any remote?  No?  Okay.  Okay.  So I will ask Tatiana to start and anyone from the panel, dialogue with these remarks. 

>> PANELIST: Thank you very much.  I also want to take this time because I will have to run away to another session.  I want to address law enforcement and interception issue, first of all.  I'm going to voice an unpopular opinion here because I'm the one who is working closely with law enforcement agencies on amending the interception law and making mutual assistance in interception possible.  In European countries.  And first I would like to address Michael's point about law enforcement agencies not being present here. 

I don't think that it has a lot to deal with cybersecurity privacy and whatever.  They intervene.  When cybersecurity measures already failed.  And their attitude is like, I have a criminal.  I have a drug trafficker.  I have a cyber criminal.  I have a child abuser, and this is a very emotional attitude of them.  You're talking about security and I have to solve my case. 

And the second, they mention a pillar of this is that we have to understand that interception or any other type of data acquisition will be very different for law enforcement agencies and intelligence agencies.  And law enforcement agencies are very heavily regulated by criminal law with many procedures and safeguards.  In most of the countries in Europe, for example, and not only in Europe and the world.  For a law enforcement officer to intercept, to investigate crime, they have to go to the court.  They have to obtain a Court order.  So they're saying why are you looking at us like we are violating your privacy?  We have to go to the court every time when we need data.  And most of the time we can't acquire them because they are encrypted.  What more do you want from us?  And this is why.  Many privacy advocates do not even want to listen to this.  They do not want to make this distinction between law enforcement, which is doing targeted surveillance, and intelligence agencies which have possibility to do more surveillance.  We ‑‑ I mean, many of us don't even want to work in law enforcement's shoes because, I mean, they have so many safeguards.  And if you think that they don't care about privacy, our judicial system doesn't care about privacy.  Our legal system doesn't care about privacy in criminal investigations, and then the whole pyramid fails and then what are we going to do to make another one? 

Now back to the interception.  Back to my point about law enforcement.  For law enforcement to intercept your phone in most of the countries, they have to go to the prosecutor.  They have to go to the court.  They have to obtain the warrant.  In many cases you cannot intercept e‑mail transmission.  Even if e‑mail is stored and the same procedure, obtain a warrant, there are many safeguards.  You cannot do it simply. 

For law enforcement, this norm exists ‑‑ I don't like the German one, okay?  I think it wasn't well balanced.  I think that it was pre‑election compromise, but let's not talk politics.  Let's talk country who really have this provision, Spain, France from what I know.  You extract the data.  In France, look in France.  To intercept communication or e‑mail, the crime has to have no less than three years of prison punishment.  (?) A heavy crime, aggravated crime, no less than seven years.  You have to have a senior prosecutor to participate in this process.  You have to have it approved by a judge.  Technically there might be a flaw.  But legally, there are enough safeguards.  Stop bashing law enforcement.  Start trusting in your law enforcement.  Or do something with your law enforcement.  Do something with your government.  It's not about interception.  Otherwise law enforcement will never come to this room. 

And my last point because I really have to run away, I'm sorry, about the state's right to self‑defense and DGE.  I do believe that this is one of a national perspective.  And I do believe that we shouldn't work in silos.  When we are talking about cybersecurity, this debate is getting all over.  So I don't really ‑‑ I don't understand that the DGE debate has a lot of importance.  But it is a bit different from debate about privacy because when it comes to privacy, it will go to the national level.  We can do a lot internationally in terms of how we transfer data and so on, how we protect critical infrastructure transfer the data.  But gauging it to the level of DGE is a bit too much for me.  It ‑‑ it's too far from what we're talking about.  Thank you.

>> PARTICIPANT: Quickly before you go, I want to be clear, and I hope in my opening remarks I wasn't criticizing law enforcement for not being here.  I meant that they have to be a part of the conversation.  And I think, you know, villainizing ‑‑ sorry. 

>> PANELIST: Michael, I think that they don't owe us anything except investigating crime with all the privacy safeguards.

And they don't have to be here.  They are doing their job.  We have to make them interested to come here.  And this is where I feel like I personally fail.  I'm failing to bring them to the IGF.  I'm meeting them at so many premises, and we talk a lot, but it's like the general concept is, guys, I don't have time to sit in this room with you and discuss how bad surveillance is when I'm not doing surveillance, you know what I mean?  That's it. 

>> PANELIST: Well, I would add something for the discussion before you leave.  I think we should stop seeing cybersecurity or security in any way as a hierarchical process.  We should look at it as an ecosystem, yes?  Everything is closely related and is growing and organic.  We should look at that.  And also, another point is when there is a complaint about some crime, some need of information, whatever the reason is, usually the guy that attends that is an engineer who is far away from the problem, and he only sees numbers, codes.  So we need to improve that knowledge.  Please, if you want to add something. 

>> PANELIST: I'm sorry, I'm running away.  I don't want to take the discussion over, but funny enough, with law enforcement on any legal projects, right, on any project on the international level, you go to law enforcement, and the main guy who's talking to you is actually a technical guy.  But who happened to know kind of law, you know.  So he knows how to operate technology in this legal environment.  It's interesting.  I totally agree with you.  And about ecosystem, you know, there was a book of Victor, the man who left.  So they stole children.  They put them into strange conditions when children grew into totally ugly people.  When we compare this to organic development and so on, we might have this (?) Which didn't grow well because we put some constraints, because we didn't pay attention to some things in the beginning.  So while we do have to allow it to develop organically, there is still a lot to do in terms of proper development. 

>> MODERATOR: Thank you.  We understand you have to leave for another session.  I hope we can continue this discussion at some time.  We have remote participation.  So I will open the floor there. 

>> PARTICIPANT: My name is Theochina in the United States where law enforcement hides behind the court and lacks technical knowledge of the courts to get warrants.  The problem is that the court is not interested in joining technical talks, at least in the U.S.  This was a reaction to the last person's comment. 

>> MODERATOR: Thank you for our remote participants.  They are invited to participate.  So, I don't know, Kai, Michael or Duncan, do you want to make any remark, or do we go again to the delegates? 

>> PANELIST: If I may just make another remark? 

>> MODERATOR: Yes.  Just after the gentleman, please. 

>> PANELIST: Yes.  I would like to do some remarks because we have a lot of points already raised which haven't been finally discussed.  First of all, I totally agree what is mentioned before, that we should really separate targeted surveillance with mass surveillance.  This is definitely something.  I think in general, we are putting too many different things into the same bucket.  As a general problem.  And this is caused by a lack of understanding.  And honestly speaking, I'm consulting companies for 20 years about the value of data.  Now I'm more consulting public services about the value of data and the interest of different communities to abuse the data.  And I think we need to change that.  It was mentioned before, what is cyber crime, how do you define that?  For me it's pretty simple.  For me, it's data abuse.  It's really using the data against us or for purposes which we didn't agree on. 

Michael mentioned something before which is for me the most important thing, talking about security.  It's trust.  And I think that's the key thing when ‑‑ also in the consulting area, I'm trying to sell security not as something negative to protect something but really something positive.  And moving into the analog world, it's like if you had something of good quality, it felt reliable and trusted that it's working.  And security is the same thing for me in the digital world because if something is reliable, you trust that the information is quality, it's digital quality, and this is important to achieve. 

And the other thing, how to reach this trust is for me transparency and control.  And therefore, again, the point I raised at the very beginning, we need to get the control back to the individual because the individual should decide what's happening to the data.  And people who don't know the value of the data at the moment should be able to revoke that information at a later point in time, which is currently not the case.  And summarizing all of that, that's why we need a paradigm change in data privacy and how we handle this, and that's what I'm working on. 

>> MODERATOR: Okay.  So now we pass it to the gentleman who wants to make a remark. 

>> PARTICIPANT: Yes.  Excuse me for the setup, but that was a remark regarding the U.S.  The U.S. actually, the DOJ made a very good article regarding its position (?) Two months ago.  I think it was Sweden.  I think the U.S. has another problem in the way the tech giants versus the (?) And various agencies.  Because they cannot find the compromise between I would say privacy and security.  So unfortunately, there is no good technical answer.  Until we find a good technical answer, it's going to be difficult to reconcile two worlds. 

So back to the trust and the people, I think it was said before that the biggest point that we have, actually, is the human person in this chain.  So today when you have ‑‑ when you are a person and you see a problem, what do you really see?  You see oh, there is a certificate problem with the other party.  That's all.  So people do not understand what it is.  Usually they ignore the problem.  And they continue.  So what are we really doing to give people a feel for trust, a feel for privacy and the feel for security?  Because if you are not able to put the person ‑‑ and I mean every person on the planet in each of these culture and constituencies that makes a digital persona, it's going to be very difficult to find an appropriate mechanism to give back trust in this world.  Thank you. 

>> MODERATOR: Thank you.  You?  Ladies first.  Okay, yes.  And then we'll go to the gentleman. 

>> PARTICIPANT: Hi.  My name is Luiza.  I'm a student in the southeast of Brazil.  And still on this topic of trust and transparency, openness as the title of this talk suggests is indeed essential when we are talking about privacy.  And, uh, when we are talking about privacy, focusing on third parties' actions against users.  But when we think about the structure that the state constructs around cybersecurity, it is very hard to talk about openness and privacy because throughout the ages, most states have shaped their own security actions around secrecy.  And I wanted to ask you if you see a way of us turning around and doing the exact opposite and constructing law enforcement security through transparency strategy. 

>> MODERATOR: Thank you, Luiza.  Gentlemen? 

>> PARTICIPANT: Hello.  My name is Solomon.  Earlier there was a question about whether there's a government security officer here, and I raised my hand because I work for government.  A question that usually comes up at IGF regionally and also national is the one question, should a government have a kill switch?  Should we?  Anyone here want to answer that?  Should we?  Should the government be able to switch off the Internet at a certain point because of security?  No?  Yes? 

>> MODERATOR: Please. 


>> PARTICIPANT: Yes.  Because sometimes to ensure your security, both physically and also in terms of your data or whatever the reasons, government needs to have that power to be able to switch off and get things in control.  It's happened once in Liberia next door when we have the Internet of things, this virus that was attacking the system openly.  And the government needed to put a stop to it.  But more so importantly, someone sent out a fake message during the Ebola crisis that asked people to drink saltwater and wash in it.  Thousands of people fell for that fake news.  It could have killed a lot of people.  The government had to come in, and we switched off the Internet, switched it off just to get the message out that that is fake news.  So also in terms of balancing, there has to be that amount of balance and to allow government to secure you as well as also to secure your privacy.  Thank you. 

>> MODERATOR: Thank you.  Just before that, in Mexico, there was a recent earthquake.  There was a lot of fake news.  And the government can do nothing because they were attending their own crisis.  So who finally made the balance was the Civil Society who actually started to verify information.  So they have to double check and fact check.  But you cannot do that every time.  So I will pass the floor to the gentleman. 

>> PARTICIPANT: Thank you.  Thank you for giving me the floor again.  I think I have to begin by saying that if we want to address a specific problem comprehensively, then we don't need to work in silos.  Particularly if you want to address this issue from an international perspective.  I wish Tatiana was still here with us, but I would like to say our discussions in the DGE, specific delegations tried to bring issues related to Internet governance to the work.  And the rest of the delegations refused.  Because we were working under the mandate of the First Committee of the United Nations General Assembly.  And this mandate gives us only the mandate to work on issues related to security, international security. 

And they perceive issues related to Internet governance, not as part of this mandate.  The second issue I would like to address is the need to have a technical opinion in order for member states participating in such kind of forums to make an informed decision.  So people participating don't have the technical capability in order to take a specific decision on a specific problem.  And one of the problems that was raised was attribution, as I have just said.  So we need to know from a technical perspective if attribution is an easy process to do.  So as to give the right to a state to use its right to self‑defense according to the Charter of the United Nations to use force.  And this is not an easy problem.  It's a very complicated problem because it might lead to a war.  And I don't need to repeat the examples that we have witnessed in the near future about the accusations or charges that were leveled against a specific state participating in the electoral process of another state.  Does this give the right, if I have a clear attribution, for this state to use the right of self‑defense?  This is not an easy question. 

And the third point I would like to address to the gentleman here, I don't really know your name ‑‑

>> PANELIST: Kai. 

>> PARTICIPANT: When he said cyber crime is data abuse, I think this is an oversimplification of the problem.  In order to take a clear and an informed decision, we need to have a clear definition for such kind of issues.  These are the kinds of challenges that we are facing from an international perspective when we deal with issues like this.  Thank you. 

>> MODERATOR: Thank you for your remarks.  Does anyone want to have ‑‑ please. 

>> PARTICIPANT: Thank you.  Maurizio, a lawyer.  Some comments, I think that cyber crime, you had mentioned, support so simple.  And we are trying to move in different countries to sign the convention in order to have some certain concepts about cyber crime and how to move on the 'net. 

On the other side, I agree with the concept of trust and privacy.  Because cybersecurity and the control the user has on the 'net will provide us more trust in our suppliers.  And to the gentleman from Africa regarding how the government and transparency, I think that transparency and privacy are not encountered concepts.  They are complements, sorry.  Because one point is access to information, all of the governors are obliged to provide to citizens.  And the other thing from the private perspective is a power we all have as citizens to control our information.  And that kind of privacy is not with the access of information.  All the governments are due to provide us. 

During the earthquake, you mentioned Civil Society.  Giving Mexico a great example of how to manage information against the limited access the government in Mexico had.


>> MODERATOR: Thank you, Maurizio.  We have a remote participant, and then we go with you and with her.  Please. 

>> PARTICIPANT: Okay.  This is from the organizer.  The guy from the government who made a comment on Internet shutdowns, I don't think at any time the government should shut down the Internet.  There are so many things, so many other ways the government can ensure people's security without interfering with their right to access the Internet.  There is no reason for shutting down the Internet because the cost is huge and very high most of the times compared to the reason of shutting down.  We have so many cases in Africa where this happened, creating more problems than they think they are saving.  That they think they're saving.  Yeah. 

>> MODERATOR: Thank you for our remote participant.  I will pass the floor to the lady. 

>> PARTICIPANT: Thank you.  I'm from Uganda.  My brother from Syria, and you responded to some of his questions.  This goes to mainly governments from Africa and those other governments that think that shutting down, you know, the Internet can solve a problem of false news or fake news.  I'll give you an example.  We had a shutdown in Kenya because of the elections.  I'm from Uganda.  We experienced a social media shutdown last year.  And we also thought that Ghana would shut down, you know, the Internet.  But it did not.  It showed us that there are alternatives to addressing, you know, such incidents.  In Kenya, the government was able to come up and counter this sort of false information.  So I think before clicking that, you know, the button to click ‑‑ you know, to switch off, there have to be alternatives to addressing different Internet‑related problems. 

>> MODERATOR: Sorry.  We have to go to the lady and then we'll come back to you, please.  Sorry, no.  I thought ‑‑ yes, please. 

>> PARTICIPANT: Hi.  My name is (?) I'm a researcher at a lab in the Federal University in Brazil.  I study theoretical cryptography.  And on the topic of targeted surveillance, when I hear the discussion about Internet security, I always hear people talking about the necessity of deeply identifying the Internet users at all times.  To make the user be easily tracked and that violates privacy.  But something that normally is forgotten is that we have more than a virtual world that have the material world, and it's necessarily modified when someone is doing something on the Internet.  Having a tube that can watch every step on the Internet, making it possible to watch every step in reality, too.  And this, too, is never necessary.  If you're doing something illegal on the Internet, you can be caught through the encoding of those actions.  The law enforcement agencies are training to work in the physical world, and they are good at it.  They do not need this kind of surveillance, too, that can easily misuse it and turn it into mass surveillance.  Thank you. 

>> MODERATOR: Thank you.  Now I pass to you. 

>> PARTICIPANT: Okay.  Just to respond ‑‑

>> MODERATOR: The gentleman ‑‑

>> PARTICIPANT: What I was trying to point out to you was that, yes, governments will look at all options.  And that's what we did in the case of the Ebola fake news.  We look at all options.  But my point is if we have to save lives, if we have to save lives, and I think that governments should ‑‑ I'm not saying will ‑‑ or governments should be able to save lives if that is the last option available.  That's all I was trying to say. 

>> MODERATOR: Thank you.  Now the gentleman, please. 

>> PARTICIPANT: I'm from Kenya.  I'm from the security sector.  And also, I'm a member of (?).  I would like to respond to my sister from Uganda.  Actually, in Kenya, we have a very liberal constitution that allows for freedoms.  And it's true that people anticipate during the election.  Because we have a very competitive election during that period that there would be a shutdown of Internet.  But because the government respects the constitution and they respect the rights of citizens, what we did was to ensure that we focused on the Internet was used by some people with ill intentions.  But what we did was to focus on specific accounts.  If an account is being used for nefarious or illegal activities, we focus on that and take specific action.  But we didn't go the way of a blanket shutting down because that would have caused much more (?) Thank you. 

>> MODERATOR: Thank you.  So, again, I will go into this analogy and I will ask who has the right to shut down the facilities inside a house.  So if someone from the panel wants to participate in the next round, we'll go with you first. 

>> PARTICIPANT: Yeah, I fully agree that shutting down the Internet is no option because for me it's because related to freedom of speech.  Also, companies have the same problem.  They would love to shut down the Internet sometimes if fake news is spread around them.  The only way how to cope with this is finding the right alternatives, being prepared, and react in the appropriate manner, and shutting down is simply no option. 

Another point which I wanted to address, because we had some questions before, like turning around security and privacy from the current status to something else is exactly what I'm pushing for.  We need to regain control, and it can't be that our data is spread around.  And we have to find ways how to get it back.  So therefore, we need to turn around security and privacy.  And pushing so much that these privacy mechanisms need to be integrated in the data itself.  And therefore, we need a change in technology.  And therefore also, disagree to what was mentioned before that there is no technical answer to balance between privacy and openness.  There is an answer, but we need to get rid of this what I call medieval technologies, which are decades old and have been built when the purpose of the Internet and the data, which is spreading around, was completely different.  During that time not even science fiction was at the level we are now.  So therefore, we really need to be brave enough to change things, and therefore we need to bring together the different parties to define the right solution. 

And you were mentioning before, I oversimplified the cyber crime topic.  I definitely did.  But let's say the only way how to be able to discuss on a different level topic is trying to simplify things.  And I also wanted to simplify the topic today now.  And talking about openness.  Because openness means for me trust, and trust means for me transparency.  And openness could also mean that we have a controlled access to the data.  And I think as Tatiana was mentioning before, we have the rules in place.  The problem is that the rules are not followed.  The information is abused.  And we need to simplify things to at least understand the big problems which we have and find the solutions for those. 

>> MODERATOR: Thank you, Kai.  Duncan. 

>> PANELIST: Actually, the gentleman here.  He wanted to speak. 

>> MODERATOR: Okay.  You have the floor now. 

>> PARTICIPANT: Thank you very much for giving me this enough time and space.  My name is Ernest.  I represent the delegation here at the event.  My point is that Internet remains almost beyond the environment when you can find a lot of independent information.  And you can handle it.  And you can not only help save lives.  The problem is that you cannot block the access to the Internet, assuming this is the only environment when people can feel themselves free there.  And so the government is very limited in helping people in saving lives by just blocking the access to the only source of information and the environment of freedom. 

Another thing is that you rather respect and educate people and teach them how to feel free, to be free.  And to respect each other rather than just being like a father caring.  So the matter is that blocking the access to Internet would harm both the government, the people, and the whole understanding of how to use the independent information for your sake.  Thank you. 

>> MODERATOR: Thank you.  Please, Duncan. 

>> PANELIST: Yes, thank you.  It's been a very rich discussion.  So I'm going to focus on a couple of broad points, I think, rather than anything specific.  One I wanted to highlight in listening to the discussion is the diversity of the different situations that we're describing.  I mean, we've talked about the situation in Africa.  And I think in the Asia‑Pacific region, again, you can see great diversity in how the Internet, privacy and security are considered.  And it makes it a real challenge to look at this discussion and try to find the strategy or ways to improve what we're talking about. 

To give you two examples.  For those of you who are familiar with Myanmar and the connectivity that has come to that country in the last few years and how the population of Myanmar has taken to the use of Facebook, I think you can safely say like no other economy on the planet, Facebook is adopted there through more than 90%.  And in a way that when you talk to the people there, it's a very positive tool.  And they use it from everything for women exchanging health advice and information and having discussion groups, to obviously business platforms, to everything many of us use Facebook for.  The sharing of personal information, the connecting of friends. 

But to anyone standing outside of Myanmar and looking at how that economy and culture has so rapidly and so widely adopted Facebook, I think some people would look at that and have some concerns.  And say, how is Myanmar looking at the use of that platform so widely in its community and in its culture? 

Another example that comes to mind in listening to the discussion of some of you I'm sure have read the articles about the experiments in China with the social credit system.  And how that has been used.  Just recently, I think it was in "Wired" magazine, where the interviews with people in China using the social credit system were actually quite positive.  One gentleman who was interviewed was hoping to get a visa, I think, to come to Europe.  He had enough social credit points under the system to achieve that and was speaking quite favorably.  Now, I'm in no way doing any judgment here.  But I just put it out there as examples of the diversity of the cultures and the impact and how different cultures look at these things. 

The last one that I'd mention is that an area that we work very closely in in the Pacific, which is how connectivity through satellites for some time, it's expensive, it's not particularly rapid, but now the big development agencies, the World Bank are investing heavily in submarine cables to the Pacific islands.  And it's a real game changer to introduce that level of connectivity and bandwidth into small communities.  By any development standard, it's a very positive thing.  But to introduce great connectivity into small island communities where they've gone from having almost no access or very limited access to great access, brings many challenges.  And one of the first ones is security.  And this would be my last point. 

The really crucial role of capacity building training and education in all of these discussions, I think all of us assume a certain level of knowledge as we have these discussions.  But by looking at these different communities, you can see that the need for education, capacity building, awareness is really fundamental if we're going to move ahead in many of the areas that we're discussing. 

>> MODERATOR: Thank you.  You wanted to add something, Michael?  Does anybody want to add something?  Yes, there is participation from the lady. 

>> PARTICIPANT: Hi, I already introduced myself.  I was thinking it was very interesting what everyone said.  But thinking from what interested me personally is everyone talked much about trust.  And I deal with misuse of personal information given by people we know or in cases when somebody exposes you online or tries to, at least.  So for me, we've been talking about state, law enforcement, companies and Internet providers.  But some things remain very unclear and abstract such as what is privacy.  I come from a country in which privacy is one of the constitutional rights.  But no law enforcement ‑‑ or almost no one has any idea what privacy actually means.  It means online privacy.  So those are just some of the questions that I have.  I don't expect an answer, just to contribute to.  Thank you. 

>> MODERATOR: Thank you.  As we are closing to getting close to the end of the session, I will ask my colleagues on the panel to please make a three‑minute or less summary of what it's caused.  What is the challenge?  What should be working for the next months in this discussion?  Thank you.  You can start, Michael, please. 

>> PANELIST: So I guess one of my kind of summary or thesis points is that when it comes to this debate or this discussion about privacy and security and openness, it needs to be a holistic discussion.  All the different actors that are involved in this discussion need to be together.  They all need to be contributing to that discussion.  And there needs to be trust being built between them.  One key point ‑‑ and I'm glad that, Duncan, you brought this up ‑‑ is that especially when it comes to individual citizens and individual Internet end users, the importance of digital literacy and of ‑‑ as someone said, data literacy ‑‑ I absolutely agree with that.  We are also responsible for our own privacy in a certain sense.  And I think that is really a key point going forward. 

And lastly, collaboration is really key in this regard.  And I just wrote this down earlier.  I said if you take anything kind of from this discussion, I really encourage everyone to, in the interest of collaboration and in the interest of trust building to don't demonize or vilify especially law enforcement agencies.  A lot of times ‑‑ many times they're not just really the enforcement arm of Big Brother.  There are significant issues at hand.  However, but that is also the role of citizen oversight to say well, you know, and also, like I said, the role of transparency.  Well, when ‑‑ where is ‑‑ you know, where is the government specifically or security services, et cetera?  Or even intermediaries acting on behalf of the people that they use versus not. 

>> MODERATOR: Thank you very much, Michael.  I will pass ‑‑ Duncan.  Okay. 

>> PANELIST: I'll be very brief.

I think the discussion and being aware is know your communities.  Know your forums.  There's a lot of discussion going on in this area.  IGF is a really important forum.  But there are several other really important forums, and I would encourage obviously the Technical Community has its forums.  If you're not participating, really encourage you to be involved in those.  Law enforcement, we mentioned already.  But I think it's really key that people recognize that there are some really important discussions ongoing already.  And we go out and find them and connect to them. 

>> MODERATOR: Thank you, Duncan.  Kai, please. 

>> PANELIST: Just following the point, what is privacy?  For me, privacy is that I control what has been shared about myself and that I'd be able to revoke information if I made a mistake.  Especially people not educated properly, they need to be able to revoke information.  And therefore what we need to change is we need to fundamentally change the way how we handle data.  At the moment we need to get rid of old data technologies to be able to revoke data and control data.  And that's what I'm ‑‑ it's my aim and I'm happy to share it with everyone. 

>> MODERATOR: Thank you. 

>> PANELIST: A final reflection is a door closed and now has become very complex.  I invite everyone as Duncan said, we need to have a constant dialogue among all the ecosystems.  That's the only way we will create trust.  And I invite you, if there is no sensible activity in your area to start one, everybody gets benefit from dialogue.  So thank you very much for attending this session.  Now we are closing.  Thank you to the panelists.  Good day. 

[ Applause ]

(The session concluded at 4:30.)