FINISHED TRANSCRIPT
EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES-ENHANCING MULTI-STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
22 OCTOBER 2013
11:00
SESSION NUMBER 42
FAIR PROCESS FRAMEWORKS FOR CROSS-BORDER ONLINE SPACES.
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********
>> BERTRAND DE LA CHAPELLE: Okay. We will be soon starting. So if you want to move, find Chairs. Grab any friends that are outside who don't know about this workshop, but could add to the attendance, they are also welcome. We will be starting in a couple of minutes.
Okay.
I think we will start.
Maybe we can temporarily close a little bit the door, not that we don't want anybody else.
Am I alone here?
>> Oh, yes.
>> BERTRAND De La CHAPELLE: So, first of all, thank you all for coming. May name is Bertrand de La Chapelle. I'm the Director of The Internet and jurisdiction project. This is a workshop that actually follows activities that we had this year in various meetings, and something that we started when Paul Fehlinger was over there, doing the remote moderation.
We started at the beginning of 2012. In a nutshell, this is a process that is dedicated to addressing the tension between the cross-border nature of the Internet and the patch work of natural jurisdictions.
And as a matter of fact, if some people want to come, this is a structure where it's not panelists on a panel. People are distributed. So if you want to come and fill the different seats that are available, including here, you are welcome. Don't hesitate.
So we started this thing two years ago, and the challenge is the tension between the cross-border nature and the Internet and the national jurisdictions.
As a matter of fact, I want to take the opportunity of this workshop as a starting point to identify how it fits into the general process. We started that two years ago, with fundamentally two legs. One is an observatory that has now 25 people in different universities that are regularly crowd sourcing cases related to jurisdictional conflict between different countries. And every month there is a crowd ranking exercise that produces a newsletter of 20 cases. Every six months, there is a synthesis of trends coming out of those cases. That is one part of the Internet and jurisdiction project.
The other part is a dialog facilitation, which is a multi-stakeholder facilitation process, where the goal is to bring the different actors around the table from Government, from Civil Society, and the private sector to discuss this tension, which is actually a common concern for all the different operators. And the way to organise this dialog is something that we've developed progressively as the time evolved as a combination of meetings that we participate in, as the two facilitator, third-party meetings that are organised. It can be local IGF. The global IGF. It can be thematic meetings of various sorts in various places, where basically we raise awareness and give feedback on the process.
But the other part is meetings by invitation that are voluntarily limited in numbers to make sure that the discussion in one and a half days can be intense and fruitful. And those meetings are gathering in different regions the local Government, including in many cases the law enforcement, the Civil Society actors, technical community, businesses, and DNS operators.
This year we organised in that context four meetings, four workshops. One in Brazil, in May. One in Paris in July for Europe. And one in Delhi in September. And the last one in Washington in October, as a preparatory process for this meeting at the IGF in Bali.
One of the big challenges that actors are confronted with is the fact that a lot of operators are acting across borders, and there is a growing challenge of what we call digital co-existence in shared online spaces of very different norms between the personal norms of individuals who are on the Internet, who are in a growing number, but also more and more diverse. But also the legal norms of the countries that they live in.
And so what we're trying to do with the project is to facilitate a discussion about this. We don't have a particular vision or agenda of a solution to propose, but the goal is to characterize the discussion and the discussion has gone through various stages.
The first year in 2012 was basically what is the problem? Do we agree that there is a problem? And is there a way to frame the problem in the same manner among the different actors?
And you will see on the wall a certain number of questions, like what is the geography of cyberspace? What are the transborder impacts and the size on the local operators? What are the frameworks that could be envisaged for various issues, like domain issues, content take down and access to data?
Those questions have emerged from the discussion in 2012. And the outcome of these discussions, at the end of 2012, was basically the different actors, without getting into too much detail, shared a very strong message, which is: We have a common problem among law enforcement, among Civil Society groups, among platforms and DNS operators, which is the following: When we talk about domain seizures, content take down and access to data for criminal investigations, for example, there is no framework that exists today to ensure that there is fair process and efficiency. Usually it goes against one another. In most cases, for those of you who are not familiar with the way it works, in most cases, you can add efficiency, somebody picking up the phone and calling the DNS operator in another country and I have a problem with this content and this actor, can you cooperate? Yes, no. It works in some cases relatively efficient, but no fair process guaranteed on either side.
On the other side, there is a mutual legal assistance Treaty. The problem is that it's relatively long. And in the workshop that we had in India, it explains that when you want to use a mutual legal assistance Treaty, the Administrator has to ask the home ministry when they can make a request. And if the answer is yes, they go through court to validate the request. Then when the validation is done, they go back to the home ministry and the home ministry passes this to the foreign ministry, which sends it to the U.S. Department of State or any other country which screens the request, brings it to the Department of Justice, which then goes to the beautiful, fair country. It takes 24 months on average between the moment you make the request and you get the answer.
So in between, there is this tension between efficiency and fair process. And the message at the end, to make a long story short, the message at the end of the first year was how can we collectively develop procedural interfaces between those different actors, the triangle that you will see inside this little brochure, how can we develop procedures to organise this?
And so what we want to do today is to, first we brought a certain number of people who have participated or have followed the process during the year, and it will -- I will list them briefly, no particular order. Sunil Abraham who is here is from CIS, Centre for Internet and society in India.
Let me point to people and introduce yourself so that we can get in the flow.
>> Hi. I'm Aki Vidas from Facebook.
>> I'm Anne Carblanc from OECD.
>> I'm Linda Steneberg from the European Commission.
>> I represent the French Government.
>> Patrick Ryan with Google.
>> Jan Malinowski from Council of Europe.
>> I'm Carlos Affonso Souza, Fundacao Getulio vargas.
>> Anriette Esterhuysen, Association for Progressive Communications.
>> I'm from the International University of Delhi.
>> I'm Fiona Alexander from the Department of Commerce.
>> BERTRAND de La CHAPELLE: There are a few other people in this room who looked at the process or participated. And it's an open format. It's not a discussion that is presentations by the panelists.
What we want to do in this workshop today is just between the two sessions, because it is not an event, it's an ongoing exercise. And what we want to share is the outcome. The first outcome of those discussions has been to identify a certain number of components or building blocks that could help build a framework for interfacing the different actors. And although we're not in a classroom format, I would almost take a teacher position and say could you please open your books at page 2. If you look at the brochures that you have on your page, you will see on the internal second page -- sorry, on your desks, on the second page, there are six components that we have identified or that the groups who have participated have identified as elements to develop a framework to move forward.
And the second part of this workshop we will get into more details in that regard.
But as a starting point, because I've already spoken too much, I'd like to ask whether people who have participated in the process or who have observed the process, or even any other participants looking at the topic, whether they want to chime in regarding why in their view this issue is important. Why is it of concern? And, basically, why did they participate in the exercise? Who wants to start? It's always difficult to be the first one.
Jan?
>> JAN: Yes. Why not. It is important, because there is a question of rule of law, of applying the laws. There are legitimate interests that have to be pursued. And there are Human Rights to be respected. There are tensions there that need to be resolved, in practical terms, in order to be able to do what society expects. In this respect, there are cybercrime issues, there are civil law issues, there are a number of issues that need to have practical responses, and they have to comply with the major principles, which we can get into later on.
>> Yes. Jurisdiction is one -- sorry.
Jurisdiction is one of the most difficulties we have tried to tackle in different fora, including the OECD. It's really important, because the Internet and Internet policy and all the issues related to the Internet are complex. It's really important to try to get the actors to discuss and to try to find practical ways, pragmatic ways, to solve a number of the conflicts.
And because it's transnational, it's very interesting -- it's a very interesting endeavor. It's going to be a long journey, but it's really interesting to follow that. It's some kind of soft flow, it's not regulation, it's not self regulation. It's inclusive. It's a new animal that we are creating, but that's really an important question.
>> ANRIETTE ESTERHUYSEN: APC has participated in this for two reasons, and thanks to Bertrand de La Chapelle for including us.
The first is that we have been working, have been and will continue over the next few years, on electronically filings against women. It's a new area. It involves various jurisdictions. It even involves different human rights and freedom of expression. And we are trying to come up with remedies that are legal and other forms of remedies that women will feel that they have been subjected to some form of electronically enabled violence can pursue. And doing this without resorting to censorship of certain types of content, which is the response in some parts of the world, it's actually really complex. And it also, of course, involves working with service providers as well as regulators as well as with community groups who are trying to counteract violence against women.
And we had an interesting experience with Facebook this last yeek, on the so-called Facebook.
Secondly for us, I think it's really a model. We are dealing with Internet Governance and we are trying to come up with enhanced cooperation, more inclusive equal ways of doing IGF. What I really like about this process is it's taken a narrow bit of problems, and it has a consultative, researched, and evidence-based process, which is now trying to come up with concrete solutions. And actually I think that is what enhanced cooperation should be about. It shouldn't be very general discussions about the role of Government at a generic level. I think it should be based on identifying particular gaps, particular problems, and then working out how they can be filled effectively. So it's a really valuable model for us in the IG sector as a whole.
>> BERTRAND de La CHAPELLE: Linda.
>> LINDA STENEBERG: Thank you for organising this seminar. We have had the benefit in Brussels of your team to identify what the project was about, so that was very, very useful.
I do agree with the colleague from the OECD that this is a complex issue. It's not the only cross-border issue where we had to create legislation that works. Banking and health, are other examples where it's been done, and I don't think it's valid anymore to say that the Internet is so exceptional it can't be done. We have to just ramp up our International cooperation.
But just to give you an example of how complicated this can be, for example, the adopt a EU domain, they are under the EU Director of The eCommerce directive. But this directive is very general. So it's actually not giving that much guidance to them.
And if there is a concrete case of a takedown demand, they will also have to defer to the Belgium law because they are located in Belgium. So here you have a bit of a contradictions and something that needs to be studied.
There is work going on in another Director General, DD market, so that's for the internal market, on notice and action. But we're not ready yet, because this is so complex. So I'm also here very much in a listening mode, to hear what is going on in other places.
So thank you very much.
>> BERTRAND de La CHAPELLE: You have Sunil next and then Carlos. Thank you.
>> SUNIL ABRAHAM: First, perhaps private sector reasons for why this is important, even though I'm from Civil Society.
(Laughter)
>> BERTRAND de La CHAPELLE: You're changing hats.
>> SUNIL ABRAHAM: This is a bigger problem for certain Governments, and these Governments address it through market access. So if you don't trust telecommunication equipment that is produced from a certain jurisdiction, then you ban it from your jurisdiction and other Governments take exactly that lead. So if access to user information is complicated, then you ask for those servers to be located within your jurisdiction so it's subject to local Regulation.
I'm not so certain preferential market access is a good thing for anybody. So that is a private sector reason.
The second, as I said, in Delhi, Civil Society rationale, is that I'm not -- I'm quite confused whether this is a bug or whether this is a feature. Whether the lack of interoperability across jurisdictions is a good thing. And if I was a Civil Society activist working in India, and activists are regularly killed in India, whether two years might give me two more years of life might be a good thing.
So when the private sector and Government are doing deals to increase interoperability, I'd like to be at the table because I wouldn't want the wrong type of interoperability.
>> BERTRAND de La CHAPELLE: Yes, the tension between something that was too efficient, I don't remember when that was, but in one of the meetings someone said that something that is absolutely efficient becomes totalitarian, and I see nodding.
Carlos.
>> CARLOS AFFONSO SOUZA: Just two quick notes. First of all, to think about the situation especially in Brazil, and what is this type of discussion, it will be pretty much interesting for the country itself for the single fact that you have today something around like the second or the third place in the ranking of the number of users for both Facebook and Twitter being Brazilian users.
So that itself -- well, as soon as -- well, as you said, I'm not with the private sector as well, but it seems like it would create an interesting thing for companies to take a look, especially companies that operate in a great amount of countries. Of course, with operations in Brazil it would be interesting to have procedures that were checked abroad submitted to a large and open discussion. It will definitely be something of value to be taken out of it. Especially for Brazil, not only Brazil but for all developing countries, we have this tradition of imported models that were applied abroad. So in this sense it is as well something important for us to have a larger discussion on those processes, on those building blocks, and the six components that you mentioned here.
Because it will be interesting to see that discussion being led in a way in which we get the input from different stakeholders. It's definitely something I would say that puts legislators and law enforcement agents in a developing country in a much better secure place to adopt this procedure, rather than simply import one or other option that has been applied abroad in this or that country.
So just a couple of thoughts about the situation in Brazil and developing countries as well.
>> BERTRAND de La CHAPELLE: Yes. There is a question of importing. But also the question of even if you develop it on a local basis, if it is done without any communication with what other countries are developing at the same time, then everybody ends up with a patch work of rules that are even harder to enforce and to accommodate because they are now more and more incompatible instead of just being difficult to harmonize.
Thank you.
>> The reason why we participated was, of course, to understand gaps in the current infrastructure. And in the meeting particularly what was interesting was that we had people from law enforcement agencies participating. And of course we knew this, but what was helpful in that discussion was the ability to discuss the current gaps in the MLAT process. And also it was infrastructure deficiencies, which we felt -- the consensus in the room was that it could be addressed by making sure that that infrastructure aspect was addressed.
For example, a longstanding demand in India has been that there should be an MLAT desk with, you know, with partners, with countries which have a lot of these services, you know, who they are offering -- which they are offering here in India, particularly in the US; and that hasn't happened.
So there are a lot of gaps that would address, that will definitely deal with the concerns, which is there. It's not like the current mechanisms are broken. There are certain amounts of inefficiencies in that. It became a very interesting place to have that discussion, in a practical sort of way.
The second aspect of the reason why we kind of participate is that we are interested in any discussion on future innovative instruments as you talk about. And therefore I think one of the elements which we were interested in exploring can we have a principle based approach which various Governments can agree to from a jurisdiction treatment perspective? And therefore that was our interest to intervene and participate in those discussions.
Thank you.
>> BERTRAND de La CHAPELLE: Shuma, you are next.
>> I'm not sure if anyone is here for the Government. Since you two talked from a corporate angle, let me suggest how this is good for Governments.
I think sometimes we make the mistake of homogenizing the way we think of Governments. In India, there are multiple channels in which takedown requests or other requests can be made. So it's not necessarily true that the people that make the rule and then the people that are officially responsible for following it are really able to track the minutia of how it's being followed.
So this would create accountability. And it would help track through traceability and through safeguards what people within the system are treating the rule in which way. And it would help filter out both ignorance, because I'm assuming that the standards that are created would clarify to people what is acceptable and what is not. And it will also review verified requests, which are a range of requests that happen.
In terms of clear signaling, I think I would echo what Anki says. I think with this whole multi-jurisdictional system, part of the problem is that it must be hard for companies to figure out what is legitimate and what is jurisdiction. So in that sense a system like this would just give helpful information that helps people be more efficient.
>> BERTRAND de La CHAPELLE: One thing I picked from what you were saying before, giving the floor to Fione, the diversity of actors when we say Government. Inside of Governments, you have ministries and law enforcement agencies on one hand, you have the data protection on the other, the Ministry of Foreign affairs, you have the ministries of economy, and sometimes they have very legitimate divergent rationales and drives. And one of the things that we tried, and I think it worked so far pretty well, is to try to get the different dimensions, having a prosecutor for instance in the Brazil meeting, somebody from the central bureau of investigation in India, people from Europe, and this brings a different dimension to the discussion.
>> FIONA ALEXANDER: Just to echo what was said, one of the things I find interesting about this particular effort is that it's so evidence-based and it lets us get at issues. In the last years we talked about principles in the different fora, and this takes us to the different level. And we had a workshop a few years ago, and we took time to go around the world and bring stakeholders together in their countries, and then you see the commonality. So this really allowed for local discussions at a more detailed level to really see what the friends are across. And it's really kind of the implementation of a lot of the principles and a useful next step for a lot of this.
>> BERTRAND de La CHAPELLE: And I'll open another round for other actors to comment.
>> I represent the Council of India. One is the companies have legal obligations to local jurisdictions. And if they go to the local company, what will happen to their obligations? Suppose their operations are handled by local companies. That is one.
Another thing is we work with law enforcement agencies in India, and we support training purposes and investigation support purposes, also. And many times based on what the law enforcement agencies and the jurisdictions get, it results in jurisdictional problems. So we have to get these ideas into the discussion.
>> BERTRAND de La CHAPELLE: Thank you very much. Are there any comments in the room? Anriette Esterhuysen wants to say something. Jan, do you want to chime in on the topic and the issues? And then we will move to the different things. And Patrick. So Jan, Anriette Esterhuysen and Patrick.
>> JAN: Yes, my initial comment was very general. In fact we seem to have already moved into more specific areas. If we talk in respect of the specifics, I think that we have to make certain discussions.
There are some operators that have a responsibility and power over their content. And they exercise it in their own ways. And the ways that they do it today are different to the ways that they were exercised in the past with legacy media, with newspapers, and things like that.
So you have Facebook or Twitter that have -- or Google that have a different way of exercising editorial control, editorial process, and they have a certain scope of decision. And they will decide on content. And they will decide on content based on the territory, whether or not they are accepting certain content. It is provided by users, it is provided by other actors. Fine. But they are the editors of that. They are the curators of that content.
Now, this is one thing. Then there is the question of the territory and the laws which apply in that territory. In that respect, there is sovereignty. Yet, states have committed to certain values. Most of the countries in the world have committed to the Universal Declaration on human rights. 160 something countries have committed to the International covenant on civil and political rights, which has its equivalent in Europe, in the European Convention on Human Rights. The difference is that in the European context, that carries an enforceability mechanism that goes with it. States can be brought to account for their performance in respect of human rights before the European Court of Human Rights. So that introduces a higher level of observance and accountability in respect of those rights.
There is another that comes in, which is the noninterference with the sovereignty of other countries.
So if decisions within one jurisdiction can have an impact on content, or expression, or privacy, which is the duty of another country to supervise control, or ensure, which is the case in Europe, then that introduces an entirely different dimension.
At the same time, around the table there already have been comments in respect of law enforcement, for example. We have an instrument in respect of law enforcement, which is the cybercrime Convention. It has been ratified by a number of countries, both within Europe and growingly so outside of Europe. But the standard that has been set by the cybercrime Convention has been used in more than 100 countries, in order to align cybercrime legislation.
And the cybercrime Convention has certain elements of enforcement of cooperation, mutual legal assistance. There is a network of 24/7 for rapid assistance for ensuring evidence, digital evidence, so we have all of these things. And they are subject to rule of law and they are subject to human rights principles.
And as I said, the fact that in certain jurisdictions the enforceability and the accountability of the state in respect of human rights is higher, it doesn't mean that the standard is different in other countries that have committed to the same values and principles through other global instruments.
>> BERTRAND de La CHAPELLE: One thing that is, before I give the floor to Anriette and Patrick and we move to the next stage, two things I want to emphasize in terms of methodology. One, everything that we will be discussing within the framework of this project is not a replacement for existing modalities of interaction, either at the Treaty level or at the judicial level in each country and so on. It is a way to identify where procedures can become both efficient and accountable and fair, to facilitate the treatment of a growing number of cases. So it's not a replacement, it's a complement.
The second thing which is important, and I was happy to hear some of the issues, is as facilitator, we're exactly this. We are a facilitator team to help people discuss the different components that should be put in place.
Anriette, you wanted to chime in on the content briefly, and Patrick.
>> ANRIETTE ESTERHUYSEN: I wanted to ask some more challenging questions.
You know, in view of the project and everyone else in the year, I worked for years on telecommunication policy. And we use the term "harmonize" so I'll use it for want of a better word.
How do you propose to harmonize these agreements that will emerge from this process with existing rights frameworks? Maybe, Jan, you were beginning to touch on that. And then, secondly, how does one avoid, even with the best of intentions, an initiative like this becoming a little bit like some of the bilateral or small group country agreements that we have seen in trade and intellectual property enforcement, for example, which can become very exclusive and very limiting and difficult to penetrate and difficult to change. So how do you avoid this method resulting in that?
And then, thirdly, what happens when there is no rule of law? And when -- or when the underlying legislative framework is really flawed? And I'm referring specifically to the African Union cybercrime legislation that is being developed at the moment, which really is alarming when it comes to the lack of protection for free speech. And yet that is now the legal framework that 506 countries in Africa are using for their cybercrime legislation. So -- and it's really flawed. There is a poor rule of law. What then?
And then, lastly, I really like your triangular diagram: States, operators and users. But do you think -- what are the challenges that aren't really effectively operationalizing not the role of Government, but the power of users? And how will users really -- because it is still quite a complex framework. And I think it needs to be because it's dealing with complex issues, as Anne Carblanc said. What is it in there for users for the users to express and maintain their rights?
>> BERTRAND de La CHAPELLE: Thank you, Anriette. I couldn't imagine a better segue to the two sections afterwards.
Patrick, you wanted to chime in and I'll come back to the questions.
>> PATRICK RYAN: Why is Google involved in this process? Well, one, because it's a really fun, difficult, hard problem. It's hard to solve and I'm glad you're tackling it. As a U.S. Company with global operations, you know, when it comes to a conflict, when there is an issue, we tend to try to rely on the MLAT process. And the MLAT process is absolutely broken. First of all, no two countries have the same MLAT. The way that they work or it's administered depends on International politics and the individuals who just happen to know the system. There are many countries, significant ones, that don't have MLATs, right? And so what happens when there is -- Jan mentioned the criminal investigations and when there is something that is hot, and everybody sort of turns to the MLAT process. And they look at this thing, and there is no clearance, or a very frustrating, long answer, and everything just becomes a mess. Just imagine who is upset. Our users are upset, because they believe they want to be protected by their own Government laws. Civil Society finds frustration, and they want the answers to civil rights issues. And then the U.S. is upset, and it comes back to a unilateral approach. It's not unique to the United States, many countries do that, but it's certainly there.
So please do harmonize this, Bertrand. I'm sorry that you're not creating a replacement system. Because we need to --
(Laughter)
>> Thank you. I'm Jamil. We heard about the Budapest Convention, which is more global than European, I think, when you look at a Convention like that.
Let me first explain why I'll talk about it a bit. We have a lot of countries basically saying I don't have a problem in my jurisdiction, which is cross-border. And I don't know how to solve this. And maybe the answer is I need to go to an International forum and be upset about it. That's one way to do it.
But then you ask yourself, well, are you creating the problem yourself by not joining these structures that exist? They are faster than the MLAT structure, which is definitely broken, Patrick. I agree. So you have a Convention which has a 24/7 network. You have an MLAT provision. It has realtime a lot of different things in that Convention.
And the point is that it lays on principles. It's not giving you details in that Convention, for example, about how you would apply it. So there is room there that needs clarification, especially for developing countries. If I sign on to this Convention, what does it mean for me in detail? It's a Convention which has transborder access, which is what developing countries want, because they want the data from Google, Yahoo! Or Facebook. But they want to do it through a framework. And the providers don't have a network in which they feel comfortable operating.
And human rights was just mentioned. Article 15 of the Convention deals with safeguards. And the UN Declaration of Human Rights. But by reading that Article, you don't know what it means. Does it mean it's a warrant process or do we have judicial or administrative oversight? What does it mean? So while we have the principles enshrined in the Treaty, it's a principle level, your project can help try to build consensus around what do these things in detail mean? So creating more efficiency, more understanding, maybe more harmonization. So I don't know about replacing, but it's a good second best way of replacing.
I think at the end of the day for businesses and users, what you want is certainty, and you get that through what you're trying to do. Thanks.
>> BERTRAND de La CHAPELLE: Or at least predictability. David, briefly, and then we will move to the next phase because time is moving fast.
>> So, briefly, why we like and why we support the project that it aims at conflighting.
>> BERTRAND de La CHAPELLE: It's an everlasting process.
>> DAVID: It aims at concluding and making proposals, and that's what we like.
Our concern is that we need laws to be enforced, we have a right for them to be enforced, and we are protected. And I would not say that the MLAT system is broken, I would say it's not efficient enough, fast enough, and it's not comprehensive.
>> Yes. True.
>> DAVID: Okay.
>> But beyond that, it's okay.
(Laughter)
>> DAVID: We could hire you.
I'm not sure.
Okay.
>> BERTRAND de La CHAPELLE: Can you cut that from the transcript?
(joking and laughing)
>> DAVID: Our question is how do we make it work? Because law enforcement agencies are under huge pressure. They need results, they need to catch the bad guys who run fast. And that's why we need to have a comprehensive system of MLATs, and why we need to have them not rely entirely on trust and International friendship. And I say that because at the Paris meeting, maybe it's not my duty to say that, but somebody from Europol came up with a fantastic idea. And I think that's the kind of idea that we should explore more. Maybe you'd better present it.
>> BERTRAND de La CHAPELLE: As a matter of fact, the interesting thing -- and people who participated in the India meeting can also testify in that regard -- it was for me a fascinating element in the process that the presence of people who were actually dealing with the concrete issues, like the law enforcement people and prosecutors and so on, has added tremendous impetus in terms of orienting things towards the reality.
And I would say one thing. The word "Sovereignty" has been mentioned. There is always a debate when we are talking, and I will use this as a segue for the second part and the building blocks.
Especially in the IGF and in other spaces, there is this real debate about sovereignty in the digital age. Is sovereignty disappearing or do we have to reaffirm sovereignty in the digital age?
The fact is that it's not one or the other. Sovereignty is essential. There is no doubt that if you have a country that has no Government functioning, we see that in failed States, the situation is awful. You need law enforcement, you need processes at the national level. You name frameworks, you need enabling frameworks. You need everything.
The thing that is at the core of the discussion here, if you are, for instance, I'll give an example. In the situation where there is a Frenchman in France insulting another Frenchman in French through Twitter, the likelihood is that it's going to be French law. Simple. You don't need an International Treaty to handle this, really.
If, on the other hand, to make things a little bit complex, you get an Australian traveling in Equador using Yondex to install a Brazilian who is traveling elsewhere, if you take the time -- not to mention where the servers of the company are located, this becomes more complex. And it becomes more complex because, to become serious again, the traditional way of saying there should be a rule for attributing jurisdiction and a simple rule that would be working in all cases. You get two things. One says the rule of the person who is using the Internet should be the rule of jurisdiction. Which means that anything that is published in one country should be respecting 190 laws regarding publication.
And the reverse can lead to certain extremes, where if it is the law of the country of incorporation of the company, it is an extension of the sovereignty of that country on the citizens in other territories.
So there are many cases where, because it is shared spaces, it is not about deciding whether this is the sovereignty of A or the sovereignty of B. It's how do you combine those sovereignties, which is something that is extremely difficult to do in the traditional InterGovernmental space. Because the traditional InterGovernmental relationship is that you don't mingle in my affairs and I won't mingle in yours. Which is different on how we work together to handle issues in shared spaces.
So this is a transition to highlight that the idea of developing a framework, of having actors discuss those procedures, led to six components. Building blocks, if you want. And I would like to take a few minutes to just briefly describe those six components.
Again, to put that in context, what we're dealing with here is situations where there are requests for domain seizure, content take down, or access to user data across borderes. The topic is not to deal with relationship between the national authorities and the national operators. It may apply, but this is not the purpose. Because it's supposed to be covered by the national laws.
One is authentication. There is a law enforcement that is making a request, or any other actor. A platform or operator of the DNS receives this request. How do you know it's the law enforcement agency that is making this request and that somebody was not pretending to be that? How do you know that the person who is making the request has the right hierarchy level to make that type of request?
How do you know that the request has been made following the actual law existing in that given country?
That's one authentication. It's a form of naming and addressing. And one of the typical cases is people are using in law enforcement sometimes e-mail addresses that are gmail or Yahoo! Accounts. Okay? So how do you make sure that this is the right interlocutor on the other side?
The second thing is transmission. As we said earlier, asks are being transmitted today either informally, through phone calls and trust networks, without fair process. Sometimes efficiently, or through a very lengthy fair process or at least documented process. But it can go through the diplomatic pouch in an airplane, actually going physically from one Ministry of Foreign affairs to another.
In between, there are many ways to transmit this information from the requester to the recipient. It can go first of all with should there be or could there be an agreed format for making those requests? Like the equivalent of tags or fields or things that describe the sender, the type of the request, the nature of the base law, and so on. So that there is an agreed Protocol to understand what the request is.
And, second, what is the routing mechanism? There are many options, and at this moment there is no -- we haven't gone into the process at the level of detail of picking one option versus others.
But, for instance, you can go from one extreme centralization that would be a global International portal for putting all those requests, to the completely decentralized system that would be like Facebook or whatever. They have their own portal for interaction with Governments, they go through third-party systems, you can have different modalities. But what is the mechanism that routes the request? Knowing that, to be frank, we're touching upon something that is extremely sensitive and we shouldn't shy away from recognizing that this is sensitive. It is not the tradition, nor is it in the legal framework, to enable the law enforcement or any actor in one country to directly interact with an actor in another country. It is supposed to go through an appropriate interGovernmental layer. And if we want to explore this, this goes to a lot of fair process, validation components. So routing and transmission is second.
The third one we labeled after the discussions the term traceability. This covers a certain number of things. How do you produce transparency reports that are accurate?
To give you a concrete element, when somebody in the U.S. receives a request from the Department of Justice to take down something or give access to user data, it is not indicated whether this is a request from the U.S. or whether it is a request that comes through an MLAT from another country. So if you get a transparency report, you have a certain level of requests that come from the U.S, but actually a certain number of them are coming from another country.
Regarding transparency report producing, are these numbers produced only by one actor? So is it only by the platforms that we report how many requests they receive? Or is it a joint declaration where the Governments themselves or the public actors themselves say these are the requests that we have made.
Another question regarding traceability is how are requests logged, particularly when they are not public, to enable any sort of audit or oversight to ensure that there is no abuse of some procedures?
Big question marks on each of these blocks. But traceability, of course, is connected with transmission. Because depending on what you choose as a mechanism, tracing is more easy or more complex or not?
The last three are determinations. IE, who decides to accept or not accept a request? Today, it is mostly the operator who is receiving the request, the DNS operator, ISP or platforms. And they have to make the determination, which is a problem for everything. It is a problem because it is a little bit strange for the community in general to see a private actor making something that amounts in certain respects to a quasi judiciary decision. Yes, this content is taken down. Yes, this data is being given. But the problem is that if you ask, and this was a very strong message from the platforms themselves, and if I'm misquoting or misexpressing, correct me.
But the message was we don't want this platform to be doing those determinations, because it's a burden. And it's typically a situation of damned if you do, damned if you don't. If you do give some of the data, for instance, you would be accused of having cooperated with some actors who were not following due process. But if you don't, you have your own people on the ground who are thrown in jail because they didn't comply with the court order.
I'm trying to go fast because I'm taking too much time. The problem is when you get to the determination, the natural fair process guarantee is court. The problem is that it's not completely scalable. It's not scalable in terms of handling every single small component of privacy data or content.
But it is not scalable, also, because you again have to determine which court. Is it validation by the court of admission or is it the court on the other side? And so if it's not a court, are there third-party validation mechanisms that may be trusted enough?
The last two are safeguards regarding user protection. When and why is the request notified to the user or not? When should it not be notified? When should it be notified? And when it is notified, are there contradictory procedures that allow the user of concern to respond? And are there other mechanisms?
And finally, under the label "Execution," if all the boxes were ticked, and there is a decision that there should be a content take down, access to data, et cetera, how you do it technically is not neutral.
You can either take down a domain or seize a domain and do it in a way that harms the infrastructure or not. You can take down content very locally or absolutely globally. And the granularity of the decision is important. And access to user data, there is a question of do you give the needle or the haystack?
So this is a bit of a long presentation, but the purpose of this session at the IGF is to bring the different actors up to speed when they have not participated in the process so far. And the challenge, and I think I will wrap -- bring the last 20, 25 minutes around this question. These are the six building blocks that we have identified at the outset of the process by the participants as potential components to develop a regime.
The goal is to continue next year and get into the actual development of an operational framework.
I have two questions for the main participants and the rest of the audience. One is are those building blocks more or less covering the right issues?
Are there contributions that we can take into account for the rest of the process, knowing that we would love to spend the whole day in the workshop, but that is not possible.
But the second issue was related to what Anriette Esterhuysen was saying before regarding inclusion or the small country. We are confronted with one very classical problem, which is how do you continue this exercise both deepening and broadening? We want to engage more actors, but at the same time we want to go in more operational aspects. So how to make sure that the process involves actors in other regions, and at the same time can work deeper. We will have a -- we will have a meeting in any case in March in Paris to bring the different actors so far who have participated together, and others, how to continue the discussion next year is also what I would like to hear about.
So sorry for having been a little bit long, but it was to just bring the presentation up to speed for other actors.
Jan, you wanted to chime in and answer?
>> JAN: Yes, I would start by saying that the six components are mostly procedural. They are the practicalities that one has to comply with in order -- and they have to respect the rule of law requirements in order to be consistent with human rights principles, and so on and so forth.
We have already heard of the 24/7 arrangements that have been created in connection with cybercrime. There are guidelines that have been adopted in connection with relations between ISPs and law enforcement agencies. And all of that seeks to give response to the specific questions that you were asking.
I think personally that one has to rise to another level first in order to be able to respond to these things. You have to think in terms, for example, concerning privacy and data protection and access to personal data. You have to have a human rights compliant system. And that requires, to start with, take account of International law. You have an International law in the ICCPR. You have Convention 108. You have Article 8 of the European Convention on Human Rights and so on. There are a number of things that stem from that. There should be no access, there should be no surveillance without a law that specifically provides for it. The law has to be clear enough to make the provisions and the application of the law perfectly foreseeable. Someone has to be able to say to me this will apply in this particular way. That is a clear law. There can be no general surveillance. There can be no a priori general data retention. There has to be a strict case-by-case decision in respect of access. And it should have a judicial component to it. It doesn't mean that there has to be a Judge, but it has to be -- it concerns fundamental rights and fundamental rights cannot be put aside by decision of someone. It has to be by decision of an authority that has been entrusted with judicial functions.
We know that in that context there are different types of panels and bodies that have a judicial role.
>> BERTRAND de La CHAPELLE: Sorry to interrupt you. But how would that incorporate, for instance, the use or not use of alternative dispute mechanisms? Panels that would be ad hoc built for a case by case analysis or permanently based? I don't know. Should it necessarily use existing judicial adjudication mechanisms? Or is there room for new mechanisms?
>> JAN: There is certainly room for developing that. We are talking about something that can involve a significant amount of numbers that would simply drown the legal system that we know and that we have today.
>> BERTRAND de La CHAPELLE: Scaleability.
>> JAN: So one has to think differently. But that has been accepted. There are cases where the human rights case law accepts and nonjudges who have been attributed judicial functions do perform those functions in compliance with human rights.
>> BERTRAND de La CHAPELLE: But there needs to be an agreement that these are the appropriately trusted actors to make a determination of sorts?
>> JAN: Yes.
>> BERTRAND de La CHAPELLE: Patrick, do you want to chime in on this one?
>> PATRICK: Because I think there are other limits that need to be complied with to give a system that is --
>> BERTRAND de La CHAPELLE: But if I'm understanding correctly, this is the -- these are the components that have been listed in the work of the Council of Europe regarding what is necessary, right? What would be the document of the Council of Europe that would embody those different criteria?
>> PATRICK: There isn't a single document. There are a number of different documents that respond to that, that determine human rights on the online environment. They respect to specific issues, in particular contexts.
>> BERTRAND de La CHAPELLE: Okay.
>> PATRICK: But I think that the framework exists. One simply has to read it and understand it. And that if the practical arrangements need to be developed further in order to ensure that we do it the right way, that we do it while respecting human rights requirements.
And at the same time, that we do it efficiently in this new environment that requires the speed and responsiveness that the traditional systems do not necessarily have.
But I think that we have advanced a fair amount on those fronts.
>> BERTRAND de La CHAPELLE: Okay. I have Michael and Patrick and Anriette. Excellent.
So Michael...
>> MICHAEL: Thank you. Michael Yoko from the Behr Centre, Moscow, Russia. I will be very brief and I would say that the answer to your first question is yes. So it's acceptable to continue with these six components. They are good. And of course it's possible to go deeper and to discuss and show them separately. But I think it's not an appropriate place to do so.
But as for what to do next, I would say that talking about jurisdiction will inevitably touch the Governments, their law or legal framework, et cetera.
So my question, it's not maybe the answer, but my question to you as the project, whether it's high time now to start talking about not only soft law, which would address some of the soft issues that were raised, but to go to the hard law, like the International Convention that would solve part of these issues, based, for example, on these six components.
There appears -- when Internet appeared, and the issues that we are now talking about appeared, it gave a new dimension to the International Regulation. Previously, there was only one, and we talked about the jurisdiction and sovereignty. Now we have other types of dimensions like human rights, and of course Internet is kind of a new dimension here. And I think it should be regulated not only on the level of national Governments and national legislation, but also on the higher level of International law.
So my proposal would be to be prepared to move further and not only limiting ourselves to the soft laws the Council of Europe, for example, does, but also to think about how it could be described in the terms of an International legal tool.
>> BERTRAND de La CHAPELLE: Thank you. I will continue, but it turns out that it's appropriate to keep your question. And if the different interventions afterwards want to also say whether they say it's the right approach or not, it would be great.
Linda.
>> LINDA STENEBERG: Thank you. Well, for the components, I think they are good. They need to put some meat on the bones, for sure.
>> BERTRAND de La CHAPELLE: Yes.
>> LINDA STENEBERG: A skeleton is okay. Yes. And that leads me to some of the other comments that Anriette Esterhuysen made. And I agree that users' rights need to be improved. That is part of the safeguard issues, so we have to keep that in mind.
But this is complex. And just to mention that equally troubling for us, it's difficult for providers to give their customers adequate notice on the conditions in which the data might be accessed by law enforcement. So this is, you know, further complicating matters.
I would also like to mention something that has so far not been mentioned, and that is cloud computing. Because if a Cloud is to realise its full potential, we need significant law reform experts in order to provide predictability to foster the confidence in this data storage and access.
We have made a first policy response. And we are doing the Cloud storage in Europe. And there are model contract terms and conditions and data protection of course. And the solutions need to encompass far reaching International dialog with third countries. We are already working with the U.S. and Japan on coordinating legal and technical issues related to the future of cloud computing. So we have already started this process.
Thank you.
>> BERTRAND de La CHAPELLE: The Cloud is definitely a word that is taken into account.
I have Marco.
>> MARCO: I'm from the Internet Exchange. And might I say this is an excellent process and it's been a good discussion. But I think at the heart of this, there is a fundamental lack of clarity about what we're talking about here, at least on my part. When we are talking about what kind of process we are talking about, when we talk about a fair process, are we talking about an administrative process or a quasi judicial process?
I'll put it another way. Are we talking about how to bring about an outcome across borders, or are we looking to enforce a law against someone?
Is there a person whose interests are being implicated that might need to be balanced against a request? Now, if we're talking about disclosing that person's data, do we have a privacy that might be a qualified right not to disclose it, but it's there?
If it's material that has been published, and someone says take it down, it's wrong, do they have a right to say well no, I want this, and it should stay up.
More particularly for this process, how are these rights intended to be protected and are they intended to be protected by the national sovereigns of the entities making the requests? You then determine it's an administrative process and it's already been determined that this is wrong, and then you have to just simply bring about the outcome of giving out that, or is this a quasi process?
Particularly, the credentials of the person making the request, the idea of compliance with the request, the determination stage, the language of that. It tends to suggest that it's actually merely an administrative process, this is just bringing about an outcome. But on the other hand, the language of fair process in the very title suggests to me that what we're talking about --
>> BERTRAND de La CHAPELLE: Does the part that deals with safeguards and notification and contradictory procedures and so on, doesn't it cover most of what you're saying? Because -- we are clearly in the situation where it's not one jurisdiction or the other that --
>> MARCO: In principle. The issues that are raised in the safeguard section might end up doing so. But the way that this is being presented, I mean, even though safeguards would be the kind of things -- presented as being safeguards in a process that is ongoing, IE, it's going to a determined outcome, suggests to me something that --
>> BERTRAND de La CHAPELLE: Let me rephrase to see if I understand correctly and you tell me if I'm wrong.
If we call it safeguards, it seems to be that it was an afterthought, like this prevents things from going in the wrong direction. And I think this goes to what Anriette was saying and Linda before. It's an integral part of the process to have those steps in as opposed to be something that prevents it from going in the wrong direction. Am I --
>> MARCO; I'll go further than that. I would say that the determination step, as you label it, if it's considered a quasi judicial process, all of this comes into the decision should we or should we not take this action? Whereas everything else about the way that this has been writtenis suggestive that the action is being sought and maybe there are reasons -- the safeguards may be reasons when, in exceptional cases, that is just to be avoided.
But actually, the idea that it's a mutual thing, that it might be yes, the action should be taken and the other is no, it shouldn't. If it's an administrative process, it's not appropriate. If it's a judicial process, it's okay.
>> BERTRAND de La CHAPELLE: Let me shorten this. I'll jump on this one second and then we will move. What you're describing is making me think, and sorry for thinking out, on the fly.
In the six blocks there is actually a chain whereby authentication is the. Excuse is the end of the chain. And in the middle you have you have two connected boxes that are somehow like this. One is transmission and traceability together. And the other one is determination and safeguards as the procedure, whether it is quasi judicial or administrative and so on.
Just as a suggestion, we will test that further in the discussion, but thanks for the contribution.
I want to move because we are nearing the end, and let me ask all the different next speakers as we go through the list to give an indication in their comments whether they are interested, willing to participate in the meetings that we will organise next year.
So I have -- I don't remember your name. Sorry. You were next on the list. Then I have, yes, then I have Sunil, Anriette, Patrick, Zahed, Carlos, David and the gentleman over there, and Anne Carblanc. And we have three minutes.
As usual.
(Laughter)
So we will expand just a bit, if you are not bored yet. Please.
>> Hello. Louise Bennett from the BCS.
I think there is an element that is missing from this. I realise that it's meant to be about human rights mainly and personal data and so on. But I think there is also an important element in a lot of this of consumer rights between countries. And I think that is a big concern of many users, that they are frightened of doing commerce across borders, because they don't know whose jurisdiction they're in. And so I think you need to bring in an element here of consumer rights as well as fundamental Human Rights.
>> BERTRAND de La CHAPELLE: Thank you.
The next was Sunil.
>> This was a process led by Anriette Esterhuysen and Carlos and others. We don't call it takedown and access to information. We call it transnational censorship --
(Laughter)
And if you think through those three areas carefully, the target of the increased interoperability and regulation is users, citizens, and consumers, mostly. You rarely hear of the Government website being taken down.
So, therefore, then you move into the competence. And if you were to structure it against a grid, whether each stakeholder played a passive or active role, you would find that the citizen plays an active role only in --
(Lost audio)
(Trying to re-establish audio connection)
>> -- the stakeholder can participate and influence this process.
I also think that under platform operator, you have to add Internet Service Providers. In some countries, like mine, in South Africa, we have an association that deals and processes these requests that interfaces between service providers and user, and it is provided with national legislation. I think we are not all yet using the Cloud, even though the Cloud is important. And we are not all using our mobile phones to access the Internet, thank goodness.
And then I think on three, on safeguards, I think beyond -- I think accessibility there is extremely important. You know, safeguards are only meaningful if they have impact, and if they can be used, and if they are truly accessible. If they are just a legitimacy, you'll not have --
>> You mean if there is a stepping --
>> There needs to be layers of how information is made available and to whom and support for accessing those safeguards. So it's actually safeguards in itself is a very complex area.
And then I think there is one building block that is missing. And I think what I like about your process is that you started with common problem identification. But I think it could only really work from my perspective in, in a legitimate way, if there were also some common principles. And if the -- I'm not -- you know, maybe the jurisdiction, administrative -- I'm not tracing that, but I think this process does mix them up. But you need compliance with existing legal frameworks and existing human rights standards. And so maybe a 7th building block which could be principles. Very specific principles related to the specific problem that you are addressing, takedown requests, for example, and that these principles reflect both consumer law issues as well as human rights principles.
And I'll use it as an example. One of the recent developments, not the very recent development, because that is ICANN Brazil, the recent one, which was the other one. There was something developed that was called necessary and important. They are principles that should be applied to surveillance, and a lot of Governments like those principles.
>> I can respond to this.
>> So having such a state of principles agreed for every time you apply this model could make it more transparent. It could add more of a political statement to it. And I think it would give it much more legitimacy.
>> BERTRAND de La CHAPELLE: I fully agree. And I was talking with Bret Solomon yesterday on the necessary and proportionate, and we were mapping almost each of the 13 principles that they have developed with one of the different building blocks. So the articulation is not a 7th building block. There are some issues that are principles regarding the substance and a certain number of their principles are actually process principles that are related to.
So the mapping is being done, but thanks for reminding us.
Patrick?
>> PATRICK: Well, this is working out great, because the other point I wanted to make is to jump in on the processes and how important they are. As a former lawyer, we are like hammers and we like to see every problem like a nail. Sunil asked whether it's a feature or a bug. I think it's a thug. These are back stops, all of the jurisdictional issues and the process are back stops. We have to solve the problems to the extent that we can, through informal process, through principle. And the extent that we can merge these two, I would argue, Bertrand, it's worth a seventh principle. It's worth considering and building into the plan.
>> BERTRAND de La CHAPELLE: Okay. I would make it an overarching thing, which is a connector with the exercises that are underway.
>> (Off microphone.)
>> BERTRAND de La CHAPELLE: No. It's such a good number that we have a logo that is a heptagon. So thank you. We were missing the seventh one.
That is the result. If it's worth saying that seventh is worth it, then it's perfect.
>> I have three or four points. So much has been discussed. One, I would encourage you and caution you to stay away from the International Convention Treaty. Do we need another one, going that way? Not because it may not be a question that people should ask or should not ask, I don't want to get into that.
>> BERTRAND de La CHAPELLE: Shouldn't be a starting point.
>> You'll get pulled into a lot of politics. So I want to caution you.
Number two, I think the principles and ideas is a good one. And mapping with the best actors in the world, you know, which country has a judicial oversight over intelligence? Maybe that's a good principle to start with. One, the recent events included.
The other is these sorts of issues tend to attract the most difficult issues first. So you want to tackle the most difficult issue. And when you were discussing the principle, maybe you start with what are the other common grounds? I think in this area you'll find this is cooperation with ISPs. When they see an efficient website, they know what is happening there. So start with a common ground and work towards more problematic areas.
I actually like what you're doing, Mark, because it seems to me to be forum neutral. If I'm doing an administrative process within a corporation, I can use this. And I think those principles applying to everything would be a better way. That will help -- because eventually, if someone is going to have a dispute, you are going to end up at a court or a quasi court, right? You cannot -- and keep in mind, you cannot arbitrate criminal law. You can do it for civil but not criminal. So it's going to be part of the process. You're setting up a model and I look at it as a model and not much more. So we have to be sensitive to courts. We can't take away that jurisdiction.
So where do we get the precedence from? If you want to build examples of cases, it could be expert advice which is shared before Judges, it can be precedence or expert advice, some people may want to read it if it's good. Me, for instance, I'd be happy to take to it our Judges and say well, this is not a binding precedent, but this is an example of how a conclusion may be reached. The other is when you talk about safeguards.
I'll be more specific. Drafting legislation in my country, the law enforcement didn't want the right of search and seizure to be limited by a warrant. They said whenever there is due cause, we should go in. But there was a fight that you should have a warrant. Criteria for arrest is different, preservation, or production, or realtime may be different. So the way you go, and depending on the question, it might be useless. But it's a great model that you're trying to work on. Thank you.
>> I'm from ISOC, Bangladesh. I'm reading out the comments right now. Thank you for organising this excellent panel. I found this important.
When we talk about fair process on cross-border spaces, is it appropriate to think of the process framework of platforms first? Platforms have become so dominating in the Internet these days that it is sometimes irrelevant to talk about the fair process on the other actors without ensuring that the platforms have a transparent fair process that considers cultural diversity and norms of different countries.
Have we made any progress in that since last year? End of question.
Thank you.
>> BERTRAND de La CHAPELLE: I think in a nutshell without opening this question, it is part of the discussion of moving precisely the determination outside of the platform, instead of asking basically the platform to become the quasi judiciary. And when I see nodding from the platform, we are heading in the right direction.
We need to go, so Anne.
>> ANNE CARBLANC: Thank you for organising this discussion. Just to say that the OECD is supportive and the building blocks I think are a very good starting point. And that if you could consider at some point coming to our members during one of our meetings to explain what you do, I think we can usefully relate this to other parts of our work.
>> BERTRAND de La CHAPELLE: Do you cover the travel expenses?
>> ANNE CARBLANC: It's in Paris.
>> BERTRAND de La CHAPELLE: I need the reimbursement of two metro tickets.
>> ANNE CARBLANC: I could invite you on our own money.
>> BERTRAND de La CHAPELLE: We are doing crowd sourcing.
Carlos, David, the gentleman over there, Fiona Alexander, and then we will close because we are already late.
>> CARLOS AFFONSO SOUZA: I was about to talk about the necessary proportions.
>> BERTRAND de La CHAPELLE: Access was in the workshop in Washington by the way.
>> CARLOS AFFONSO SOUZA: That's great. And one interesting thing is for us to think about what is the best way to have this whole idea of procedural principles inserted into the framework that you guys are trying to come up with.
>> BERTRAND de La CHAPELLE: Yes.
>> CARLOS AFFONSO SOUZA: And the way I was thinking about it, before Anriette's intervention, was that you have very substantive high level principles, and then you have a bunch of examples for that. Like the Internet rights and principles. The ten principles from the CGIPR and a number of other initiatives that end up crafting those. All substantive principles.
And on the other side, you have the components. But it will be interesting to have something that would connect those substantive high level principles with the components. So that's where the dual principles come up.
And if you look at the necessary and proportionate, we have a great number of principles that could be applied to that, such as legality, necessity, due process, transparency, public oversight.
So maybe that would be a good idea for the next year after the Internet jurisdiction project to come up with how is the best way to fit this discussion in the framework that is already a very good start? But how do we connect that?
Because that could be something that could be highlighted as something that is missing in the structure, which is those connecting principles.
>> BERTRAND de La CHAPELLE: Okay.
>> CARLOS AFFONSO SOUZA: That would be my major comment. And of course the ITS is pretty much interested in the debate.
>> BERTRAND de La CHAPELLE: David.
>> DAVID: Thank you. One, we need the project to succeed. Two, as Jan said, Conventions already exist so we don't have to reinvent the wheel. We shouldn't lose time and energy on that.
Three, it's not my idea, but I like it, and I mentioned it before. I think what we are looking for now is kind of an International body that could be responsible for those six components that I fully agree with. We need something that could do the authentication, that could do the transmission, traceability, et cetera, et cetera. And we need it quickly, because again democratic law enforcement entities need results, they need changes, they need us to do that.
There are models that exist, and I'm sure we could find similarities like Interpol. Just similarities. I'm not saying that it has to be a duplication of Interpol. But there are things that we can explore in the way Interpol works to try and see how we could propose the creation of something like that.
And I know that International Treaties take a lot of time, but at some point we go we need that to be able to work.
Thank you. And good luck.
>> BERTRAND de La CHAPELLE: One quick comment regarding the presentation "An International body" versus "International bodies or components forming an International system" is part of the discussion regarding how this can be concretly implemented. And it's part of the issue.
>> ANKI: I just had one point to make. You mentioned that this could go on for a day. But hopefully we will see resolution at the end.
But as you walk through the session of meetings, I think from the India meeting, or at least in the developing countries, it's very important to make sure that there is Government representation on the table.
>> BERTRAND de La CHAPELLE: Yes.
>> ANKI: Because if you don't have them, we are not having a real conversation. And while the concepts may be appreciated in the north, they are not appreciated in the south. So you have to lift the participation across the world.
The second thing, as a short-term measure but a very important measure, we definitely need to address the MLAT infrastructure point. I know everybody hates talking about it, and we all know that the system is broken. But it was something that was required as of two years back and it has not happened.
So to the extent, particularly when you have the conversations in the U.S. And DC, it's important that we are raising this enough in conversations there.
>> BERTRAND de La CHAPELLE: Okay.
One quick one regarding Government involvement. Both Brazil and India were absolutely willing to participate -- I mean the Governments were willing to participate in the workshop. But there was a conflict with the main session.
And, two, the fact that one of the actors is only arriving tonight.
I have the gentleman, and then Fiona.
>> I'm just trying to visualize -- (Lost audio)
What we are talking about, we are talking about processing in each of these parts, our technical and participant participation.
I'm looking close to the implementation part. We can apply this to MLAT. I think MLAT was important. This talks about authentication and other parameters that are important.
>> BERTRAND de La CHAPELLE: Thank you.
Fiona Alexander.
>> FIONA ALEXANDER: I just have a question that I had not thought about until Malcolm's intervention. There was discussion with MLATS and Conventions and things like that. It would be helpful to understand a clarifying point, which is that these components that are here, I understood, and maybe it was incorrect, it wasn't just about Governments doing these things. It was about anybody in the triangle or any other user thing. So if you think about users starting this process, assuming that authentication is it, is it the intent of the exercise to talk about Governments? Or is it to talk about how all stakeholders do whatever this process or procedure may come about, or multiple ones. That would be helpful to understand. And that was Malcolm's question.
>> BERTRAND de La CHAPELLE: The question of whether in the process it's public authorities or also users is an element of the expansion of the system versus where we start from. There is a clear issue regarding the relationship between governmental authorities and platforms in another country, and making sure that the users are protected in the interaction.
Actually, the same building blocks apply pretty nicely to user requests in the future as well.
>> FIONA ALEXANDER: I just wonder, it's always the case after the fact that people think of these things, but does the use of the word "Jurisdiction" automatically bring out the rule of Governments? I mean, it's something to think about.
>> BERTRAND de La CHAPELLE: You wanted to --
>> I'm not sure I necessarily feel that the building blocks do apply equally in most cases.
If this is an administrative process, the decision that excuse is going to be needed, and then there will be safeguards against abusive process. But the idea that this should happen has already been taken. Then credentials on the authentication side is crucial, because you can't let anyone do that. We have to ensure that the decision has been taken by whatever the process is designed to ensure, and that that is executed, and a fair procedure for carrying it out occur, if that is what this is about. But if this is about a process for deciding whether or not something should happen, then indeed, you can open it up. You look at a component. It might be a Government or a law enforcement agency or a private individual or a company complaining about their rights.
>> BERTRAND de La CHAPELLE: I'll have to interrupt this exchange because purely of time. It's a fundamental question. And I'm not sure it applies in the same way. We have to discuss when it applies in the same way and when it doesn't, if I may.
Mary Lee and Linda, if you want to make a last comment? Thank you anyone, for those of you who are waiting.
>> Very quickly. Due to recent developments, we, the Brazilian actors, were called upon a lot and people see fragmentation. And I think that Brazil presents an example of how the failure or the exception with MLATS -- because like in my sphere, they have produced this provision that says that the centres --
>> The location.
>> Yes, the location of personal information of Brazilian citizens should start in the centres in the Brazilian territory. Not only that, we didn't have access to the text, so we know from leaked sources that it goes beyond and says that if one side of the communication is a Brazilian citizen, then it starts in Brazil. And if it's metered as well as elsewhere, then the Brazilian law should apply.
And I think this is a trend that not only Brazil but other countries follow as well. So one thing I'd like to suggest, I don't know if the purpose of the Internet jurisdiction is more academic or it's more politically oriented. And if it is politically oriented, that's why I think the next meeting we should make an effort to bring in Governments, and try to see how we can influence these measures that they are going to adopt.
And on your question regarding other people we should reach out to, I think that we usually overlook the fact that fragmentation doesn't only have to do with --
(Lost audio)
-- Interoperability. And some people that I usually miss in this kind of debate are people that work with standards and code and how we could establish a dialog with them.
So if I would search for a priority for a group to reach out to, it would be in the technical community.
>> BERTRAND de La CHAPELLE: Thank you.
Two closing words, because we are over time.
One, the context of multiplication of national legislations that produce fragmentation, that seems a short-term solution but is actually a long-term harm is exactly the reason why we are trying to have people talk together, because it's harming actually everybody.
The second thing is an attempt at making a balanced response to the question of Treaties or not Treaties. We are calling that roughly a framework of commitments. And the goal is to try to identify new types of arrangements between the different actors, where potentially the countries can then embed some of the components in their legislative framework. The platforms can embed that in the terms of service, the Civil Society groups can set up dedicated systems. It's not per se a Treaty. It's not a standard. It's not guidelines. It's a little bit of a hybrid system, potentially, that will take the form that actually the actors will want to give it.
I don't think we want to focus on this at this stage regarding what the format is. This is why the expression that we have chosen is a very generic one. Framework of commitments, and we will see how it evolves.
Thank you for the input. I wish I could have organised a whole day on this, to get more input. But it was great.
Thank you so much and I'll see you in Paris soon.
(End of session, 12:55)
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********