Security, Openness and Privacy

(No.149) Freedom of Expression Online: Key Challenges and Best Practices

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Question 4

Concise Description of Workshop: 

In an environment characterized by growing internet access, legislative measures to regulate user activity, and new technologies with the potential to empower citizens, the key challenges to freedom of expression online are rapidly evolving. The pace of change has been especially notable since early 2011, as states in the Middle East have experienced unrest or regime change, millions of new users have come online via mobile phones, and various countries are considering the deployment of filtering systems to control access to information.

Organiser(s) Name: 

Freedom House, NGO, WEOG. Freedom House staff and delegates have participated in over 15 IGF workshops as panelists, as well as other international meetings with diverse stakeholders, though we have not organized an official IGF workshop before. Freedom House has participated in IGFs in Egypt, Lithuania, and Kenya and has sponsored the participation of large delegations of internet freedom activists from around the globe. We have also helped to organize and/or participated in national and regional level IGFs, including in the United States and Asia-Pacific region.

Previous Workshop(s): 


Submitted Workshop Panelists: 

Ms. Sanja Kelly, Project Director, Freedom on the Net, Freedom House, Civil Society, WEOG (confirmed)
Mr. Ross LaJeunesse, Global Head of Free Expression and International Relations, Google, Private Sector, WEOG (confirmed)
Ms. Dunja Mijatovic, OSCE Representative on Freedom of the Media, Inter-Governmental Organization, Eastern European Group (confirmed)
Ms. Marietje Schaake, member of European Parliament, Netherlands, Government, WEOG (confirmed)
Mr. Daniel Baer; Deputy Assistant Secretary; Bureau of Democracy, Human Rights, and Labor; US State Department, Government WEOG (confirmed)

Name of Remote Moderator(s): 
Sam DuPont, Program Officer, Internet Freedom, Freedom House

(No.88) Online Child Protection Toolkits: Preventing and Prosecuting offenses related to Child Pornography

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Questions 1, 2, 4, and 5

Concise Description of Workshop: 

The workshop will focus on the Commonwealth Internet Governance Forum’s Online Child Protection toolkit which was launched in 2010 and compiled by John Carr. The toolkit was a collaboration of the CIGF, ITU and International Centre for Missing and Exploited children and is premised on the 6th edition of the Model Legislation for Child Protection. This provides recommendations of Best Practice with a focus on implementing legislation to effectively deal with offenses relating to child pornography.

Backgroung Paper: 
Organiser(s) Name: 

COMNET Foundation for ICT Development runs the Secretariat for the Commonwealth Internet Governance Forum and the Commonwealth Cybercrime Initiative. It is the lead agency of the Commonwealth Connects Programme, which is the Commonwealth’s official ICT4D programme. COMNET is involved locally in the Malta IG Group, on the advisory board of the ‘Be Smart Online’ Project, a local initiative, aimed at raising awareness of Internet related discussion. COMNET is also an organisational member of ISOC and is supporting the establishment of a Maltese ISOC Chapter.

Submitted Workshop Panelists: 

A representative of the CIGF, where the Toolkits are hosted will provide an overview of what they have to offer and how they can be used.
1. Sandra Marchenko, Director International Law & Policy, International Center for Missing and Exploited Children, NGO, North America, will speak about the advantages of implanting the legislation using case studies to illustrate examples. Status: Confirmed.
2. John Carr, Executive Board Member, UK Council on Child Internet Safety, Government, Europe, will speak about the update since the first version of the Commonwealth toolkit was launched in 2010 in Vilnius. Status: Confirmed.
3. Representative of ITU will speak about their contribution to the toolkit and update.
4. Fred Langford, Director of Technology and Content, IWF, NGO, Europe. Status: Confirmed
5. Mr Tracy Hackshaw, DiploFoundation, Academia, Caribbean. Status: Confirmed.
6. Ms Lara Pace, CIGF, International Organisation, Commonwealth. Status: Confirmed.

Name of Remote Moderator(s): 
Jasper Schellekens
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was mentioned briefly in the presentations and discussions
Reported by: 
CIGF - Jasper Schellekens
A brief substantive summary and the main issues that were raised: 

ICMEC’s model legislation to combat online child pornography and their research on the current status of legislation in Commonwealth countries was central to this workshop.  A commonwealth toolkit on online child protection was compiled by John Carr in 2010 and presented at the IGF in Vilnius. The toolkit is available as a resource on the Commonwealth Internet Governance Forum website. The workshop also shed some light on the reporting mechanisms available regarding online child abuse through IWF and InHope, represented by Fred Langford.
The format of the workshop was an open discussion. To set the scene for the discussion the panellists briefly introduced their areas of expertise and current projects.
- Sandra Marchenko briefly explained what the activities of ICMEC are. ICMEC runs different initiatives that range from research initiatives, including work on child pornography to model legislation online and online grooming.  They developed a child protection model legislation and also provide law enforcement training on computer facilitated child abuse crimes all around the world.  The development of the model legislation and subsequent Toolkits resulted from the need ICMEC had identified for countries' legislation to address the issues of child sex abuse images online.
- John Carr indicated that in the ideal situation child abuse should be prevented before it resulted in images online, however that did not diminish the importance of dealing with those images.  The images serve to repeat an abuse on the child and create a demand for images of this nature. Images of child sexual abuse represent a small minority of all children who suffer sexual abuse.
- Fred Langford explained that IWF International offers a means by which members of the public in any country can report through a reporting page straight into the Internet Watch Foundation’s team of analysts who can trace the reported content and work with the wider network at their disposal to have the content removed.
- Tracy Hackshaw indicated that child protection legislation was fairly recent in Trinidad and Tobago, but it was growing in importance rapidly.  Trinidad and Tobago are currently working with the Commonwealth to try to establish harmonized legislation with the other islands in the Caribbean in order to have the appropriate mechanisms in place to address online child protection within the cybercrime portfolio.  He thinks the legislation and accompanying capacity is not yet at a stage where children are effectively protected.  Trinidad and Tobago are looking to learn from the experiences of other countries, particularly their activities in terms of setting up hotlines, and are interested in learning and perhaps implementing some aspects of what they learn in-country.
-In relation to the images and protecting children online, Mr Hackshaw raised the question of the dilemma prosecuting of children (under 18) who have captured other children in compromising positions, sometimes voluntarily. This is a situation that occurs with increasing frequency due to the cameras on mobiles and the high rate of mobile penetration in Trinidad and Tobago.
 - The CIGF Toolkits are scheduled to be updated at the end of the year to more accurately reflect the current situation of Commonwealth Countries with respect to online child protection legislation, and Tracy’s assertion that the awareness of online child protection is growing rapidly can be confirmed by the developments that took pace in 2012. For example, in the 2010 toolkit, about 11 Commonwealth countries had four to five of the ICMEC criteria for complete online child protection implemented in their legislation.  In the new edition, about 21 or 22 Commonwealth countries now meet four to five of the criteria, demonstrating that the amount of countries that prioritised online child protection legislation has nearly doubled.
- Regarding the progress in Commonwealth countries its shows about 17 countries that don't have any of the criteria yet, indicating that there is still room for improvement.  Furthermore, about 15 countries fall somewhere in the middle, having between one and three of the criteria in place. The significant progress shows an awakening on the issue, demonstrating that countries really understand that it is an issue, but there is certainly much more that needs to be done. 
- Peer-to-peer came up in the discussion as an area that people involved in child protection online are going to have to start focusing on in the near future, because it has not been adequately dealt with up to now.  A large chunk of the sharing of child pornography images happens through peer-to-peer networks. Extrapolated from the statistics available it can be deduced that there are 200 million child abuse images shared via peer-to-peer and this is an area that needs to be addressed.
- Lara Pace drew attention to ICMEC’s work with the Financial Coalition Against Child Pornography and Sandra Marchenko explained that the basic idea behind the coalition, namely, seeking to stop the flow of funds for purchasing of child abuse materials over the Internet.  It is primarily between leading banks, credit card companies, electronic payment companies, and networks, third-party payment companies and Internet Service Providers in cooperation with their NGOs, but also works directly with law enforcement. 
- ICMEC’s model legislation included in the Toolkits has the option to address “pseudo-images”, which can be computer generated or cartoon images of child abuse.  Of course, it is up to the individual nation what to implement. Alexander Seger raised the point that the Budapest Convention on Cybercrime also covers this area and although it is also left to the individual nation to decide, the Council of Europe strongly discourage States from making an exception to realistic images and persons appearing to be a minor.  Swedish MEP Amelia Andersdotter questioned the Council of Europe’s attitude on discouraging states to make this exception.
- Alex Comninos raised the question if there was scope for the internet to be used for children to protect themselves, rather than protecting children by removing abusive content from the Internet.  The audience responded with examples where the Internet was being used as a tool to protect children, indicating the organisations that are using the Internet as a way of helping sexually abused children.  Child Focus developed a chat where children who have been sexually abused can contact them.  They are mainly contacted by children who are afraid of going to the police, because they don't want to report their father or their older brother or someone within the family, because they don't want to destroy their family.  In fact, not only children wanted to report and found it difficult to do so, but also wives and husbands.
- The importance of technology in protecting children online was emphasized, not only in relation to the reporting, but also in relation to identifying images. Microsoft photo DNA prevents known child abuse images from being uploaded. There is a demand for industry to become more involved in creating similar solutions.
- In response to comments by Swedish MEP Amelia Andersdotter, it was highlighted that 70 percent of the images that were seen over the last year were children under ten and 8 percent were children under two, so this does not figure to be a discussion about borderline cases.
- Furthermore, Alexander Seger highlighted the fact that online child protection has real implications in preventing abuse. There have been cases where online images have led to rescue of the children. Images posted online contain information that can guide investigators to the location.

Conclusions and further comments: 

The format of the workshop allowed for an open dialogue and in addition to the presentation of the work that the panellists were involved in, it also brought to light some of the other projects in the sector, such as the activities of Child Focus and Council of Europe.
The research ICMEC has been doing on the online chid protection legislation in the Commonwealth countries clearly shows a positive trend regarding the implementation of such legislation. The development of legislation is increasing throughout the Commonwealth, however there are still a large number of states that require support in this area and the Toolkits can function to show them their current status and provide a model legislation to build on.  IWF International is able to provide reporting services on online child abuse, allowing countries to have a quick set-up without having to spend the time and financial resources normally required when setting up this mechanism from scratch.
The issue of technological advances and the necessity for new approaches was highlighted by John Carr. Technology for online child protection is an area of improvement identified at the workshop and supported by the audience and should be an area for discussion among technology industry leaders.
The CIGF Online Child Protection Toolkit 2012 will be published on the CIGF website at the end of this year.

Additional documents: 

(No.84) How can cooperation and multi-stakeholder collaboration impact the global fight against cybercrime and improve cyber security?

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Questions 2, 3, 4, and 5

Concise Description of Workshop: 

The workshop will demonstrate the perspectives of relevant ICT stakeholders from different sectors, including private industry, civil society and government. The main focus of the workshop will showcase the progress of the Commonwealth Cybercrime Initiative (CCI) which aims to assist developing countries to strengthen capacity in two ways – by providing access to expertise, resources and tool kits on a cross-Commonwealth basis, as well as through customized, on-the-ground assistance, delivered regionally and nationally to individual countries.

Backgroung Paper: 
Organiser(s) Name: 

COMNET Foundation for ICT Development runs the Secretariat for the Commonwealth Internet Governance Forum and the Commonwealth Cybercrime Initiative. It is the lead agency of the Commonwealth Connects Programme, which is the Commonwealth’s official ICT4D programme. COMNET is involved locally in the Malta IG Group, on the advisory board of the ‘Be Smart Online’ Project, a local initiative, aimed at raising awareness of Internet related discussion. COMNET is also an organisational member of ISOC and is supporting the establishment of a Maltese ISOC Chapter.

Submitted Workshop Panelists: 

We plan on showcasing 3 perspectives: government, industry, and civil society. 1)Mark Carvell, UK, Dept. of Culture, Media and Sport, Government Europe, Status: Confirmed 2) Teki Akkuetteh, ICT Legal Expert/Legal Desk Officer at Ministry of Communications of Ghana, Government of Ghana, Government, Africa. Status: Confirmed. 3) Salanieta Tamanikaiwaimaro, Diplo, NGO, Pacific. Status: Confirmed. 4) Ms Lara Pace Comnet Foundation for ICT Development, Foundation, Europe. Status: Confirmed.   5) Vladimir Radunovic, Diplo, NGO, Europe. Status: Confirmed 6) Alice Munyua, Kenya, Government, Status: Confirmed 7) Bernadatte Lewis, CTU, Caribbean, Status: awaiting final confirmation. Mr Mark Carvell will provide an overview of the current status of the Cybercrime Initiative. Ms. Akkuetteh will describe Ghana's experiences working with the CCI. Salanieta Tamanikaiwaimaro and Vladimir Radunovic can provide the perspective of Diplo as a partner and can discuss the perspectives in Civil Society as Salanieta is involved as the co-ordinator of the IG Civil Society Caucus. Ms Alice Munyua is Chair of the CCI Steering Group and can give her perspective on the effectiveness of multi-stakeholder cooperation in addressing the problem of cybercrime. Ms Bernadette Lewis can speak of the work the CTU and CCI have done together, specifically the recent workshop in St. Lucia.
The idea is to have an open panel discussion and engage the audience for their feedback.

Name of Remote Moderator(s): 
Jasper Schellekens
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Reported by: 
CIGF - Jasper Schellekens
A brief substantive summary and the main issues that were raised: 

The format of the workshop was a panel discussion, where –rather than have the participant give a traditional presentation – the audience was invited to participate in a moderated discussion with the panellists. Questions were asked by Mr Carvell, the audience in the room and remote participants which included the remote hub of the University of Aberystwyth.  Remote participation was central to this workshop, as Dave Piscitello participated as remote panellist.
Mark Carvell provided a brief background to the Commonwealth Cybercrime Initiative, highlighting that the Initiative was placed before participants at the IGF to seek final feedback before submission to Heads of Government.. He explained that following endorsement from Commonwealth Heads of Government last October in Perth the CCI has moved from concept to implementation.  The Initiative is composed of three pillars, the Executive Management Group composed of government representatives, the Steering Group, composed of organisations with expertise in different areas of combating cybercrime, and the Secretariat.
Lara Pace updated the audience on the current status of the Ghana project, as the point of contact for Ghana was unavailable to participate. A scoping mission was sent to Ghana in February and further assistance is expected to be provided this year.
- Lara Pace discussed the kind of assistance that can be expected from the CCI, namely that the CCI offers all-encompassing and holistic assistance from legal review to technical training. Additionally, despite being centred on the Commonwealth, when providing assistance regionally, it does not exclude non-Commonwealth countries.
- The involvement of the private sector was discussed, with specific reference to the banking sector.. Institutions such as banks often claim to have their own cyber security in place, but Ms Lewis pointed out that it was a wider picture than the individual cyber security of the specific bank. Awareness is key, which also included the need of wider reporting of incidents. Cybercrime can go unpunished if banks are isolated in their cyber security strategy and refrain to report incidents. Mechanisms need to be in place to protect the reputation of the banks when they report instances of cybercrime.
- Raising awareness of cybercrime incidents is needed at every level of involvement in the Internet, but language is one of the main barriers to raising this awareness. There is a need to accommodate different languages.
- The role of private industry in combating botnets and phishing was highlighted by Mr Piscitello. Further elaborating the multi-stakeholder model allows for governments to combine and tap into financial and technical resources that are available to the private sector.
- Using a multi-stakeholder model such as the CCI allows organisations to synergize in the broader remit of the CCI, thereby not constraining assistance to different isolated silos.
- The link between cybercrime and cyber terrorism was discussed, with Mr Piscitello highlighting the main difference which lies in the motivation behind each. Cyber terrorism may result in crimes, but it is based on ideology rather than profit. As an addendum industrial espionage was raised and also classified as a crime that perhaps had more unusual motives. It was questioned whether it was necessary to address this specifically or merely under the wider umbrella of cybercrime.
- Ms Lewis indicated that even in situations of cross-border cooperation there needs to be local/national engagement and then a framework internationally, or regionally. If the local situation was not functioning properly, it is naturally more difficult to fit in and operate within an international context.
- Harmonized legal frameworks were identified as a critical aspect to ensuring cooperation related to cybercrime across borders, ITU’s work in the Caribbean was mentioned as an example of this harmonisation.
- Experience or cooperation is not always available, best practices based on the projects currently undertaken are extremely valuable for any other attempts at multi-stakeholder collaboration.
- Vladimir Radunovic of DiploFoundation emphasized the importance of capacity building both across sectors and across locations and regions. Cybercrime capacity,  in the same way as Internet Governance covers so many different areas it needs to be built for stakeholders to cope with the fact that it cross-cuts so many sectors.
- Diplo further highlighted the fact that the Internet itself is an essential tool for  cooperation and capacity building.
- A strategy for dealing with Cybercrime is only as strong as the weakest link.
- Wout de Natris mentioned that governments may have to re-invent themselves outside the traditional “geographical borders” format.
- Audience raised the issue that the problem of cybercrime grows exponentially with each day that passes. Action needs to be taken now to be able to bridge that gap and not be left perpetually behind the curve.
- The question of treaties as an option for cooperation in dealing with cybercrime was raised, but the panel responded that treaties aren’t always the only answer. Yes, cybercrime is a global phenomena.  It must be that there is collaboration at the international and regional levels but there are things that countries need to put in place.  Ms Bernadette Lewis gave a simple example: When a country or on individual or an organisation receives a cyber threat, what do they do with that? What are the mechanisms for escalating that?  Those are things that have to be done at the national level. 
- Whatever activities are undertaken ensure that a holistic approach is maintained that includes all stakeholders.

Conclusions and further comments: 

The open discussion raised interesting questions and observations from both the panellists and the audience. Main themes in the discussion included raising the awareness of cybercrime and harmonisation of legislation. For a multi-stakeholder model of cooperation to work, the stakeholders need to be made aware of how they can participate and need to be drawn in to participate. The many questions raised by the audience demonstrated the wide scope of cybercrime, ranging from terrorism to commercial transactions. Best practice gleaned from the experience of the multi-stakeholder cooperation, from a practical point of view, could help other institutions should they wish to provide assistance to countries.

Additional documents: 

(No.83) Exploring the IG dimensions of Open Government Data Policy: supporting development, promoting freedom, promoting development

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Question 2 in Freedom, Openness and Security: Freedom of expression and free flow of information: how do legal framework

Concise Description of Workshop: 

Local and national governments across the world are rapidly adopting Open Government Data (OGD) policies, developing open data portals, placing government data online under open licenses, developing standards for data sharing, and supporting the emergence of new social and commercial enterprises to use OGD. These policies and practices are built upon the Internet infrastructure, and contribute to the emergence of a ‘web of data’.

Organiser(s) Name: 

Tim Davies, University of Southampton Web Science Doctoral Training Centre, UK Javier Ruiz, Open Rights Group, UK Adam Peake, GLOCOM, Japan Daniel Dietrich, Open Knowledge Foundation, Germany Marco Fioretti, Italy

Submitted Workshop Panelists: 

PS Bitange NDemo, Kenya Ministry of Information and Communications Daniel Dietrich, Germany, Open Knowledge Foundation Laurent Elder, Canada, International Development Research Centre (IDRC) Vagner Diniz, Brazil, W3C Keisuke Kamimura, Asia Pascific, GLOCOM Marco Fioretti, Italy, Digital Standards Campaigner We will also look to engage with a young panelist, either through remote participation on in-person once potential delegates are confirmed.

Name of Remote Moderator(s): 
Adam Peake, GLOCOM, Japan

(No.78) Internet Governance of Open Government Data and for Sustainable Development

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Concise Description of Workshop: 

The number of open government / public sector information policy initiatives are increasing not only in the USA and Europe but developing countries as well. A European Union (EU) platform for open government data is being created and countries within its fold have been asked by the EU to make open government data available via this European wide platform. In Africa, Kenya has launched an open government data website ( as has Uganda (

Backgroung Paper: 
Organiser(s) Name: 

Keisha Taylor, Trinidad and Tobago, Independent researcher/NGO, Javier Ruiz, United Kingdom (Open Rights Group), Christopher Corbin, United Kingdom, An independent researcher on Information Society policy 

Previous Workshop(s): 

IGF 6: Workshop 212 - Privacy and Security in an Open Real time Linked data world IGF6: Workshop 123. Public Sector Information online: towards a Global policy framework IGF5: Workshop 120. Public sector information online: democratic, social and economic potentials IGF3: OECD Best practice Forum on the "Enhanced Internet-enabled access and use of public sector information"

Submitted Workshop Panelists: 
  •      Keisha Taylor (Trinidad and Tobago) independent researcher/Policy fellow, Access
  •     Bitange Ndemo (Kenya) Permanent Secretary of Kenya’s Ministry of Information and Communications
  •     Priyanthi Daluwatter (Sri Lanka) (Tutor, DiploFoundation)
  •     Javier Ruiz (United Kingdom) Campaigner, Open Rights Group
  •     Bevil Wooding (Trinidad and Tobago) Chief Knowledge Officer of Congress WBN
  •     Anne Fitzgerald, Australia, Queensland University of Technology, The Australian auPSI information platform – (Confirmed remote participant - Organiser of Australian remote hub) 
Name of Remote Moderator(s): 
Bevil Wooding, Chief Knowledge Officer of Congress WBN, Trinidad and Tobago
Gender Report Card
Please estimate the overall number of women participants present at the session: 
There were very few women participants
Please include any comments or recommendations you have on how to improve the inclusion of issues related to gender equality and: 

This can be done by trying to make it more explicit in the workshop proposal stage.

Reported by: 
Keisha Taylor
A brief substantive summary and the main issues that were raised: 

Internet Governance of Open Government Data and for Sustainable Development
Workshop #78
Internet Governance Forum
Baku, Azerbaijan
7th November 2012

The workshop gathered 31 participants in Baku and one remote hub from Australia. Two of the panellists were remote panellists.

The link between open government data & big data for development & internet governance/ICT policy
Keisha Taylor, Independent Researcher, Policy Fellow, Access (Remote Panellist)
Ms. Taylor spoke about how big data and open government data links to internet governance and ICT policy issues and made the distinction that open data can be part of big data but big data is not always open data. There is a big disparity in the generation and storage of data between regions. For example there is a lot more in the United States and Europe compared with Africa and Latin America.

Some open government data initiatives discussed/mentioned included:

  • Kenya -
  • Uganda Open Data initiative ( hopes to launch in 2013.
  • Somalia ( hopes to make all data about Somalia held by
    international development organisations available.
  • The African Development Bank Group (AfDB) launched an Open Data for Africa platform in the hope that it would increase access to the quality data needed to manage and monitor the Millennium Development Goals (MDG) in African countries.
  • Discussions were held recently in Trinidad and Tobago, Jamaica and the Dominican
    Republic to promote the potential of Open Government Data, Open Innovation and Open Source for sustainable development in the region.
  • Open Data for Public Policies in Latin America and the Caribbean project – led by the
    W3C Brazil and ECLAC
  • Brazil Open Gov Data Portal - aggregates 82 public datasets formerly scattered across the Internet.

Also discussed were privacy implications; how the quantified self movement is taking off and the possibility for predictive analysis based on big data to lead to the inventing of the future

She explained through examples how such data is transforming, industry, government, development and policy and described why the multistakeholder process, which has helped support the successful growth of the internet should also be applied to the use of big data and open government data for development.

Each of us is at the centre of the big data universe and this should never be forgotten in any attempts at harnessing the use of big data for social benefit. Skills and human insight is also needed. The way that various Internet Governance issues such as privacy, cybersecurity, intellectual property rights, infrastructure and access are linked to the generation and use of big data was also explained.

She also noted the way in which civil society organisations (CSOs) are usually left out of the equation and the importance of including the poor in data collection and analysis efforts to improve dialogue with government, collect better much data than professionals in a cost effective way in local languages, by eliminating cultural barriers and building trust.

Open Government Data - Kenya
Bitange Ndemo (Kenya) Permanent Secretary of Kenya’s Ministry of Information and Communications
Kenya launched open data because they wanted to enable the youth to access government data and create applications. They have seen more than 50 new applications, especially on the mobile platform, that have come out as a result of that. However, most of them need real time data not traditional data and this has become a challenge. He said that government  normally take an angle that's favourable to itself but citizens can look at its data in new ways and come up with new innovations
He explained the in the next few years we should be able to understand how we can provide data on food security so that citizens can have it on their mobile phones. He spoke of how mobile money is helping to bring in new applications which increase agricultural productivity in Kenya. This enables farmers to know what type of crops they need to grow, determine price and know their market. It can help citizens know where to find clean water. He also described the development of mobile money in Kenya.
The use of big data for disaster relief is helping to drive more confidence in the use of data for predictive analysis. He described how Kenya must begin to look at and change its culture so much so that farmers can also begin to estimate and predict with it. Government can make policy interventions, but citizens must also begin to identify issues that they want data to solve. They must begin to trust the data with their lives.

He also discussed how open data and big data could reduce the cost of health care and improve education and help consumers to find out if the food they buy is organic. Having open data would mean that even farmers will begin to understand the relationship with the markets that they work in. For example Africa and Europe, are intertwined, because a lot of Kenya’s food is exported to Europe for example. It therefore becomes a global issue for a European consumer.

Towards an Open Government an overview from Sri Lanka and South Asia
Priyanthi Daluwatte, Tutor, Diplo Foundation  (Remote Panellist)
The presentation discussed the overview of Open Government initiatives in South Asian region with special emphasis on Sri Lanka. In the introduction, she noted the publication by Michael Gurstein on the topic, Open data: Empowering the empowered or effective data use for everyone? in which the author has described a model for effective data use. Seven factors have been noted as drivers of effective data use. Viz: Internet, Computers and software, Computer/software skills, Content and formatting, Interpretation/Sense making, Advocacy, and Governance. (Gurstein, 2011) The presenter stressed that penetration of internet is a critical factor in the provision of open government services to the masses. World Map of Open Government Data Initiatives provided by Google shows the distribution of Open Government Data Initiatives around the globe and it is evident that these initiatives are concentrated in the US and European region.
She then focused the discussion on the overview of Sri Lanka with regard to Open Government initiatives. Sri Lanka is an island in the Indian ocean with an area 65,610 sq km and a population 20.8 million. It is a middle level income country. (HDI 97th)  Literacy rate 92.5% whereas the IT literacy  is 40%.  Ranks 71 on the Network Readiness Index. Telephones per 100 persons (including cellular phones) 105.1  Internet penetration (as a percentage of total population) 4%.
Initiatives by Sri Lankan Government in the provision of IT to the masses were noted. The key player in this initiative is the ICT Agency in Sri Lanka which is under the Presidential Secretariat. Sri Lanka does not have an Open Government Data portal yet, but the country is laying the ground work by providing e-services, knowledge and formulation and adoption of a national ICT policy, ICT action plan and necessary legal framework in order for the effective use of Open Government Data initiatives when it is taken off ground.

  • The e-Sri Lanka initiative started in 2004 uses ICT to develop the economy of Sri Lanka, reduce poverty and improve the quality of life of the people.
  • Establish rural telecentres (Nenasalas) 687 established throughout the country which provides affordable telecom services to the rural communities, e-citizen services, e-learning, IT literacy
  • Lanka Government Network – the information infrastructure backbone that connects all the government organizations.
  • Initiatives are made to make the government content made available in all 3 national languages (English + 2 local languages)
  • Lanka Gate (Lanka Interoperability Exchange) and Lanka Government Cloud have been developed to facilitate Open Government and Open data implementations
  • Lanka Gate initiative for eServices (Online Payment Services, Mobile Payment Services, SMS Services)
  • Open Government and Open Data are featuring in a significant manner in the e-government policy.
  • Human Resource Capacity Building – government employees to administer e-government services, basic ICT education through the telecentres, trained pool of professionals

The situation in India with regard to Open Government Data

  • Departmental websites for the government with contact details for officers, project-specific information, including annual reports providing information on activities and finances
  • National Data Sharing and Accessibility Policy has been recently notified by the Government through a gazette notification. According to this policy, all government departments shall soon release their datasets in open formats.
  • The Open Government Data Portal is a joint initiative between India and US
  • Countries like Singapore and Indonesia also have Open Government portals. Literature survey shows that other South Asian countries (Pakistan, Bangladesh, Nepal, Afghanistan, Maldives, Bhutan) have government web portals which connects Ministries.

Ms. Daluwatte lastly highlighted some factors for consideration with regard to provision of open government initiatives in developing countries.

  • Privacy of data
  • Reluctance to share data at departmental levels
  • Fear for technology
  • Issues related to infrastructure
  • Poor record keeping practices
  • Inconsistent data available
  • The available data is in English
  • No sufficient demand for the kind of sophisticated analysis encouraged by initiatives like the US and UK open data schemes.

Open Government Data - Caribbean
Bevil Wooding (Trinidad and Tobago) Chief Knowledge Officer of Congress WBN
Mr. Wooding spoke broadly about the need to develop the open data ecosystem and build applications based on  government data since they own some of the largest data repositories. Access to data was also noted to be tied to infrastructure and innovation linked to open data. While it is important to make data available in in open formats if emphasis is not placed on how people access it, then the work, or the effort, is in vain. An increasing number of countries are interested in and motivated to move into open data. Models are emerging in developing and developed countries.
However, transparency is not actually always desired, and while the benefits of open data should be obvious, sometimes the benefits of being closed should also be taken into consideration when trying to develop ways of overcoming resistance and obstacles.
He described the Caribbean’s first open data initiative in 2012. However, he noted that governments by themselves can’t encourage people to open their data.
In Trinidad and Tobago for example there is a Freedom of Information Act, which requires citizens to make an appeal to government for information, but open data gives citizens the information before they ask for it, and it is always there for you when you need it. When citizens get a sense of these possibilities they start to demand data in all other kinds of areas.
Entrepreneurs need to be enthusiastic about open data and start slowly creating public awareness by creating applications intended to reach the people. Having a friendly friend in government is important and so is celebrating success openly.

Questions and subsequent discussions circulated around issues of liability, and structure and validity of data. For example: does "Open", means creating licence, or does "Open", means truly open. The creative commons license was sited as one used and so was the Open Knowledge Foundation's definition of open knowledge. Regarding questions about data standards or formats, it was explained that a lot of this is still in the early stages of development in developing countries. Challenges also lay ahead in the use of real-time data, in terms of data quality and validity, but also getting such data e.g. from mobile phone companies used not just for competitiveness, but for the common good, and to solve problem.

Mr. Ndemo made the point that a focus on privacy does not enable innovation, however Javier Ruiz, of the Open Rights Group, who chaired the session, disagreed saying that from the get go there is a need to also legislate for privacy or there will be a backlash from the public.

Mr. Ndemo explained that they do have a data protection group, but for health issues like cancer we need to understand who gets it when do they get it. We must balance privacy issues with the sharing of public data to help solve such issues and provide more innovation services. There needs to be more transparent technology and algorithms so they can apply open peer review to generate trust. Data can also be anonymised.

He said that in Kenya the question is not who is on Facebook, but who is not on Facebook. Individuals give private information openly and service providers use it. Does this make the user of free services the user or the provider? Facebook is using this metrics to generate revenue. There is also the issue of regulation to consider from a Kenyan perspective

Mr. Ndemo explained that it took many years before MPESA for to be regulated by the central bank. If they had initially waited on regulation MPESA may have failed to exist. In addition, if Kenya did not have a forward thinking government they would not have the open government data platform needed to help them be more pragmatic.

Conclusions and further comments: 

The panel focused on discussions related to open government data portals and initiatives in developing countries.
Discussions pointed out that it is very important to develop an open government data content layer but also pointed to a variety of factors that are also vital for developing countries to help create the enabling environment needed for such platforms to be introduced, developed, maintained and used.
Because of the nascent nature of such portals in developing countries the extent to which the linking of open government data portals at the national, regional and international level could help with sustainable development was not yet addressed, but hope that this could be achieved was high.
There were varying views on how much focus should be on privacy in the early stages of developing an open government data structure. Representatives from developing countries, notably Kenya argued that a focus on regulation and privacy in the local environment would hinder use of the data and innovation.
The developing world is indeed examining the possibility of open government data and learning from developments in Europe and the USA. As more portals and initiatives unfold and develop it will be useful to have a follow up workshop which examine how successful some of these new initiatives have been and some of the lessons that have been learnt with a view to working together within common standards to help possibly introduce a global framework.

Additional documents: 

(No.77) Conflict in the Cloud - Policy Challenges for Stakeholders & Practical Solutions for Sustainable Economic Growth

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Question 2: Freedom of expression and free flow of information: how do legal framework, regulations, and principles impact this?

Concise Description of Workshop: 

Cloud computing is the natural evolution of the continued growth and advancement of the Internet. However, the dialogue around cloud computing is currently moving to the next level. We intuitively know that cloud computing is a huge economic driver of growth and advancement in developing countries. This is particularly the case where broadband connections are strong.

Organiser(s) Name: 

Marc Crandall JD,CIPP, Sr. Manager, Global Compliance, Google, a multi-national business.

Previous Workshop(s): 

Report is at the bottom of the Workshop description:

Submitted Workshop Panelists: 


  • Scott Marcus, Director, Wissenschaftliches Institut fuer Infrastructur und Kommunikationsdienste (Confirmed)
  • Yoshihiro Obata, Board Member, Japan Internet service Providers Association (Confirmed)
  • Bertrand de la Chapelle, Academie Diplomatique Internationale (Confirmed)
  • Alejandro Pisanty, Universidad Autonoma de Mexico (Confirmed)
  • Jochai Ben-Avie, Policy Director, Access (Confirmed)
  • Adiel A. Akplogan, CEO, AfriNIC (Mauritius) (Confirmed)
Name of Remote Moderator(s): 
Dr. Patrick Ryan, Policy Counsel, Open Internet, Google will act as the remote moderator, consistent with Section VIII of the I
Gender Report Card
Please estimate the overall number of women participants present at the session: 
There were no women participants at all
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Reported by: 
Marc Crandall
A brief substantive summary and the main issues that were raised: 

Panelists and the audience discussed barriers to cloud computing, including policy. This was an interactive panel where panellists and the audience discussed some of the key contemporary issues surrounding human behaviour and the Internet.

Some of the themes raised include:

  • Advantages of Cloud Computing: it permits all users, regardless of location, to take advantage of data services afforded by cloud providers.  Large providers began offering spare computing resources and server storage to the user-at-large.  There is a tremendous advantage for the economies of scale.
  • Conflict of Law: Conflicts of laws, privacy, security, and government access rules can impede the growth of cloud computing in both established and developing markets: particularly for small and micro businesses.  This is even a challenge for regions that try to create common frameworks.  There's always been a perception that diseconomies of scale represents big negative impacts, big losses of macroeconomic benefits, and therefore, a desire to harmonize, if not make things uniform.  For example, in jurisdictions such as the EU where uniform regulation is attempted, there has been a corresponding a transposition of that regulatory framework into 27+ different legal systems.  As such, there is a substantial variation in the details of implementation.  This has resulted in compliance uncertainty for those operating across multiple jurisdictions.
  • Jurisdiction: there is tension between cross-border cloud platforms and the international jurisdictional systems that are based on national boundaries.  Jurisdiction may be based on the location of the user, where an entity is incorporated, where data is stored, the type of domain name, or where a domain name is purchased.  This creates particular challenges for cloud computing, because something that is relatively straightforward from a jurisdictional perspective, like the location of the server, is becoming more ambiguous, as systems are load balanced between servers in different geographical locations.
  • Open Internet: the ability to store data outside of one’s local jurisdiction may create an enhanced environment of confidence and security, particularly if one does not want to store data locally because of little confidence in local rule of law or a repressive government.  It some jurisdictions, it is better that data is not stored locally, not only for civil society purposes and freedom of expression, but in order to make sure a business runs - local censorship efforts have little effect on a global cloud service outside the problem jurisdiction.
  • Appropriate Data for the Cloud: all forms of data may not be appropriate for cloud computing.  Mission critical information may be appropriate for the cloud from an integrity and availability perspective, but for entities dealing with sensitive or classified information, there are serious considerations.  From a confidentiality and sensitivity perspective, a government agency may choose not to store extremely sensitive or classified data in the cloud, unless it's within country, and the agency has complete sovereignty over that data.  Data involving national security may also fall into this category.
  • Importance of Geographic Redundancy: recent natural disaster events have shown the importance of geographic redundancy inherent to cloud computing.  For example, in Japan, many local governments followed local regulations requiring that personal data be stored only within a given town or village.  That data was destroyed by the tsunami, making it very difficult for local governments to resume operations.   Personal information - such as data related to healthcare or real property ownership - was lost because of these local regulations.  As such, in Japan there is a positive trend towards cloud computing to help protect against these situations.
  • Wealth Transfer: There was consensus that cloud computing offers those in developing economies with equivalent cloud computing resources to those in developed economies.  However, there is a concern as to whether this causes wealth-transfer from developing countries to developed countries, and how the impact of this long-term on developing economies.  Other panelists felt that customers should have a right to choose cloud providers or platforms regardless of geographic location: a right to a freedom of market. You should have a right to market and therefore have a right to do business. You do that by providing ads. And if users want to be able to use an inexpensive service because ads are there, it’s the users’ choice.
  • Bandwidth challenges & IXPs: the use of cloud computing in developing economies fundamentally rely on access to bandwidth, Internet Exchange Points, and other similar resources.
  • Advertising and Big Data: There is a concern that nothing is free with cloud services.  Depending on the service, data may be used for advertising purposes.  A question that should be asked therefore is whether such advertising, if it takes place, is appropriate for the cloud customer, based on that customer’s own assessment.  Concerning big data, and trends that may be gleaned from a large corpus of information, the key question is whether such information has social and economic value.  When it has social value, everybody wins and it's all beneficial. When it also has economic value, it brings back the question of how this economic value is being distributed, and whether the cloud customer can (or should) take advantage of any related economic windfalls.
  • Government Access: the use of the cloud raises privacy concerns among users.  A user’s right to privacy is threatened if a service provider discloses cloud information to government agencies without valid legal process.  Unlike the act of searching through a person's physical belongings or home or correspondence, surveillance techniques can be performed remotely by asking application providers to turn over data.  Online procedural protections, for online data, often lag very far behind off line protections and must be reconciled.  There is also a concern that government interception of intelligence-gathering purposes may not be held to as high a procedural standard as law enforcement investigations.
Conclusions and further comments: 

Recommendations and Moving Forward: Regarding conflicts of law, agreements should be implemented among at least a certain number of countries, a certain number of platforms, a certain number of large users and civil society entities, to make sure that a minimum set of rules apply across various territories.  Governments that accept such a regime would have established guidelines for addressing problems that may arise.  Such agreements can involve lawful access to private data, if there is a legitimate crime inquiry and if the requests complies with relevant protections in terms of due process.  In controversial cases of content blockage on user generated content platforms, rules provide for granular and proportional action and an appeals process.  There is a also message to national governments: that if they want a development of a local cloud industry, they need to implement Internet-friendly regulations.  Regarding appropriate data for the cloud, The cloud is appropriate for certain type of people, just as it is for certain types of data.  A global cloud solution may not be appropriate for classified information; it depends what one is trying to secure.  The same restrictions likely do not exist for the 99% of other data types, including that which is handled by governments or the private sector.  In these cases, cloud-based security, availability, and integrity may be an improvement when compared to users may be able to provide for themselves.

(No.62) Digital Citizenship: Can It Translate in the Face of Language. Cultural & Economic Differences?

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Question No. 4

Concise Description of Workshop: 

Over the last decade and a half, a tremendous amount of attention has been placed on "online safety" and protecting the "vulnerable" online, i.e., youth and the elderly. We think the term Digital Citizenship includes but necessarily goes much farther than Internet safety. In keeping with the 21st century's highly mobile and user-driven Internet, it's proactive and participatory, modeling positive behavior toward fellow participants of digital environments and today's networked world.

Organiser(s) Name: 

Anne Collier, NGO executive

Submitted Workshop Panelists: 

Anne Collier, - Confirmed                                                                                 
Pamela Covington, Verisign – Confirmed 
Elizabeth Metraux, The Metraux Group – Confirmed
Kim Sanchez, Microsoft - Confirmed
George DeBakey, DeBakey International - Confirmed  
Berdia Natsvlishvili - Professor of Media and Communications at Georgia Institute of Public Affairs, PH Country Director, BoD Open Society Institute in Georgia - Confirmed
Sandro Asatiani, Renowned social media practitioner in the Caucasus, published author of numerous digital advocacy books/articles - Confirmed
Representative from Government of Azerbaijan - TBD
Youth Participants:
Nargiz Huseynova, Azerbaijan - Confirmed
Ms. Arzu Geybullayeva, Azerbaijan and Turkey – Confirmed
Mr. Giorgi Iakobashvili – Georgia - Confirmed
Ms. Tako Shakarashvili – Georgia - Confirmed
Ms. Mariam Mkheidze – Georgia - Confirmed
Ms. Keti Lomadze – Georgia - Confirmed
Ms.Ana Arabuli – Georgia - Confirmed
Mr. Irakli Togonidze – Georgia - Confirmed

Name of Remote Moderator(s): 
Anjan Bose
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Reported by: 
Anne Collier
A brief substantive summary and the main issues that were raised: 

Youth Panelists:
Pat Chung Chi Pang (Hong Kong)
Arzu Geybullayeva (Azerbaijan)
Berdia Natsvlishvili (representing youth in Georgia)
Victor Neufeld (Denmark)
Olivia Bang Brinck (Denmark)
Luca Kyllesbeck (Denmark)
Anna Fogh Gransøe (Denmark)
Jack Passmore (UK)
Rebecca Cawthorne (UK)
Matthew Jackman (UK)
Facilitated by:
Anne Collier
Jim Prendergast
Kim Sanchez
Digital citizenship is necessarily as global, multicultural, and multistakeholder in nature as Internet governance is – because the Internet and digital media are for citizen Net users of all ages in all countries and cultures, using all manner of devices and types of access. Digital citizenship is also dynamic and needs to be "crowd-sourced" because we are collectively learning about and developing it as our use of the Internet and digital media evolves.
Workshop No. 62 featured youth voices in the global conversation about digital citizenship because the organizers continue to feel that youth have not to date had as strong a voice in the discussion as their use of and interest in digital technology merit. So we brought together teens and young adults representing Azerbaijan, Denmark, Georgia, Hong Kong, and the UK to discuss what "digital citizenship" means to them in their work, lives, and Internet use. Co-organizers Anne Collier, Jim Prendergast, and Kim Sanchez (with Pamela Covington listening from the US) facilitated the discussion in this highly interactive workshop in which more than half of the 50+ people present actively participated.
We began the discussion by pointing to various elements of digital citizenship that have turned up in discussions, research, and conferences around the world:

  • Access and participation
  • Norms of behavior ("good citizenship")
  • The 3 literacies of the digital age: digital literacy, media literacy, social literacy
  • Rights and responsibilities
  • A sense of belonging or community, online as well as offline

But we suggested that these are merely talking points, not a definition, because there is still little consensus as to what digital citizenship is – or even whether it's the best term to use everywhere in the world.
Then, to get the conversation moving, we asked our youth participants about their experiences with digital media in their own lives. They reported that they use the Internet and social media, increasingly on their mobile phones as well as computers, for a great variety of activities, from research and homework for school to socializing to games, music, photo-sharing, and other forms of entertainment – "8-13 hours a day, depending on how much schoolwork I have," said one Danish secondary-school student.

Adult digital-literacy differences, East & West
In Denmark, Victor Neufeld said, school is gradually going "paperless," so the Internet and digital devices are increasingly in use, at least at his school. When asked if discussion about responsible Internet use, privacy, reputation management occur in school before all the devices go into use, he said, yes, those discussions happened in his schooling "mostly in social sciences…. Every fourth social science class would have the focus purely or primarily on the Internet and how you act and different questions. We work on that from an early age.… But it is [also discussed] more on the broader scale … [part of] how we are raised," suggesting the discussion happens in families and is part of general socialization, whether online or offline.
In Hong Kong, Pat Chung Chi Pang said, there is no such discussion in school. Tech instruction is focused on how to use specific computer applications not on socialization, and there is little if any such discussion in families, he said, suggesting that youth are left more on their own concerning online activities.
Olivia from Denmark said that there wasn't much discussion in her school, but that, where there is discussion about sociality in Net use, it should be less about schools imposing rules and more class discussion about what the best rules should be.
A 17-year-old UK student said that, where she and her peers are getting school-based Internet socialization discussions, the lessons coming "a bit late" in students' experiences – after they've long been using the Net and social media. "I have been accessing the Internet all my life, and [in the UK] it is when you get to an age that you become more independent that you get taught about what you should be saying and what is right and wrong – whereas you should be starting [that instruction] from the very beginning when you first access your Internet."

Who should teach digital citizenship?
Who should do the teaching? "Everyone," said 13-year-old Danish participant Olivia said – not just parents or teachers. "Everyone should have responsibility for who should make online behavior how it is."
In the UK: A UK student cited Childnet's survey of youth for the IGF saying that the respondents "don't want to be taught by their friends how to act online.  They want to be taught by teachers [62%] or by their parents [51%]."
In Africa: But some youth participants said that not all teachers and parents know enough about the Net and social media to provide guidance, so what students get is unpredictable. Kate (Katarzyna Pawelczyk) of UNICEF, who said she recently moved to New York from South Africa, said that "in many African countries teachers probably have much lower digital literacy than what you [student participants] are describing in your situation.  So there are far more teachers who don't feel that they are equipped to provide students with support on this topic or that they are just overburdened."
In the Caucasus: Who should and does train young people is very much a cultural question, said youth panelist Arzu Geybullayeva of Baku. In some cultures, parents are not online, generally. Also, gender is an issue – schools or institutions feel girls need special training in social media, and brothers and male cousins "want to assist in the training because they feel girls should not be left alone" in social media. And there are geographical and socioeconomic differences as well. "If you walk into an Internet cafe in a remote village, you won't see girls in there," Arzu said.
As for socialization or online behavior, in Azerbaijan, people "either learn on our own or you learn it from the trainings or learn it from your friends…. We don't really learn about how to behave in schools.  It is really difficult to explain to people how to behave."
Another Azerbaijani participant said he will decide for his daughter what she can see online until she "is grown to an age when she is an independent adult person…. We are a more traditional society."
In East Asia: Does "digital citizenship" make sense to someone who grew up in Chinese culture? Pat, from Hong Kong, said that he feels the main focus this concept should be rights and responsibilities. "You find your rights and responsibilities in the real world and also you can find those in the cyber world –freedom of speech and the responsibility to respect others, to protect the Internet…. Also I think a very important concept of digital citizenship is self‑discipline." He also mentioned self-knowledge. "Know who you are. You've got to be aware of what you say and you've got to express your speech responsibly…. Instead of using policy, using the law, education is more important to the youth…. Digital citizenship should not be limited by the law, by parents, by the school – for the youth, they've got to understand. That's called self‑discipline, I think."

Beyond behavior or social norms
Perhaps the disagreement has more to do with definitions of "citizenship." The element of citizenship that seemed most central to, or at least referenced by, the UK youth was norms of behavior, whereas for youth in other parts of the world, other elements seem more key.
Berdia Natsvlishvili, who works with 30% of Georgian schools (740 schools), said that his NGO focuses more on "civic education as a subject … most importantly teaching students how to be engaged in solving local community problems…. We are very much integrating and bringing social media tools there. We were the first organization to print in Georgian books on SMS and social media at school … and we started to teach students [and peer mentors] how to use social media for civic engagement and spreading their knowledge of citizenship," for example, through being "good online journalists," writing blogs and commenting on others' blogs.
But the idea of citizenship has experienced a lot of change in Georgia, Berdia continued, "If you go to older generation, 'citizenship' it is a very unfamiliar term for them – they do not understand what good citizenship means because in the old times, you know, you were not responsible to solve any community problems or do any actions. It is kind of like a new time for practices in Georgia and, you know, we are integrating citizenship into education." Rather than teaching digital citizenship as a subject, per se, he said, "our organization is … teaching [students] how to be good citizens and how to use the online instruments to be good citizens."
Beyond 'digital'
But shouldn't we drop the "digital" part, asked an adult expert from the EU, since we al make less and less of a distinction between online and offline life?
UK student Matt Jackman said he understands the point but cited the Childnet survey, which found that half of respondents say they "do act differently online and the Internet is a completely different stage.  The way I interact on the Internet … is completely different. The idea of digital citizenship with the word 'digital' I think is important…. You are belonging to a larger community, a different community online than you are in your day‑to‑day life, and you have to respect that and you have to realise that your audience is much bigger and that you must adapt your citizenship from your day‑to‑day life and your culture to the online world because of the vast kind of podium it is."
Anne Collier asked the student how he behaves differently online. He said, "Cautious.  Definitely cautious. Respectful. I take [into consideration] other people's views. I understand people are from different countries. More respectful and conservative and cautious. Definitely."
Danish student Victor Neufeld said that the norms he uses online he learned from his offline friends and peers. "That's how the youth or how my generation learned to act on the Internet because my parents didn't tell me how to do it…. I wrote some stupid things when I was young and people reacted to it in a negative manner. And I wrote some positive things and people reacted to that in a positive manner and I got the reaction I wanted and I started writing like that. That's how I learned to act on the Internet and that's the implementation of norms on the Internet."
An adult who works with 25 European NGOs representing youth said that her organization decide "digital citizenship" is not a good term, the key reason being, "well, we are all citizens, and the norms go on and the work in the offline world also applies to the online world. Maybe you have to be more cautious or behave more respectfully online.  But for us, 'digital citizenship' is not a good term.  We actually started talking about 'citizenship in a digital era'."

Transitional term for a transitional moment?
Another UK student said that he agrees with Matt, that the term is needed, that "perhaps there may come a time in the future that we can use 'citizenship' to sum up everything, when the online community becomes more fused with the real world as such, but for now I think that 'digital citizenship' works pretty well."
Another student said she liked the idea that the term is a transitional one – that, "as more and more people spend more time online it becomes about citizenship and not digital."
An adult member of the audience suggested that citizenship means "empowerment." Another participant said he liked the idea but that, "at least in Azerbaijan, I feel like there is a lack of knowledge of what it means to be a citizen and the empowerment that it gives you."
Does user empowerment support greater order on the Internet? Going forward, will order be less about law, as in the past, and more about self-regulation or, as Pat from Hong Kong put it earlier, self-discipline, as well as collective social norms that "regulate" behavior online?

A work in progress
A student participant asked if digital citizenship is practical. "Is it even possible? Is it just too idealistic? No one controls the Internet. So who is going to do it?"
Another young person responded that it does come down to user empowerment: "I completely agree with how you say that the Internet is empowering citizenship … but, as Victor said, he got some things wrong [when he was younger]." He continued referring to remarks from an adult in the audience: "You said that 95% of the people aren't getting it wrong or something along those lines, that most people are not getting it wrong. But people will get it wrong at some point. I think that, as you asked, is it idealistic to think that people can get it right all the time? And in a way, yes. It is impossible for everyone to get it right all the time but … if enough people want to and want to make sure it happens, yes, it can. So instances where people are getting one thing, two things, maybe three things wrong can be kind of get reduced, as such. So I think we should always aim for a reduction in the way that people misuse the Internet."
So perhaps the term "digital citizenship" is aspirational, suggesting rights and responsibilities for all Internet users and setting a universal standard or common goal of respectful participation worldwide. Not all participants agreed that this treatment is meaningful or necessary, and participants from some countries suggested that "citizenship" itself does not have the same meaning for people in all regions of the world. But it is a term that resonates well with both the Internet-safety and Internet-governance discussions. All that's clear is that this highly participatory discussion needs to continue, with more perspectives included.

Conclusions and further comments: 

In some countries, though the term "digital citizenship" is only beginning to become familiar, NGOs and governments are providing school lessons and curricula on this topic. This is happening in the EU, the Caucasus, and parts of the US, for example. In other countries, the term is completely unfamiliar. But what we have learned from our discussions about digital citizenship at the past three IGF conferences is that, even in countries where it is being taught in schools, there is still little consensus about what digital citizenship is. It is a work in progress as people all over the world become aware that they are increasingly participants in a global medium, and youth are key to this discussion and consensus-building because they are growing up with this global consciousness.
So we collectively can't yet know the answer to the question this workshop raised, but we do know that the discussion needs to continue, as the IGF - a forum devoted to international discussion of global-scale governance and citizenship, online and offline - moves to another region of the world to gain the important perspectives that are there.

(No.59) Internet Privacy and Freedom of Expression: UNESCO launches a global survey on legal frameworks

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Promote internet freedom and privacy in Internet goverance

Concise Description of Workshop: 

The workshop is a follow-up of earlier well-attended discussions on privacy protection and freedom of expression in relation to social networks at IGFs conducted by UNESCO since 2008. UNESCO will use the event as an opportunity to present the findings of a global research study aimed at mapping the issues in the current regulatory landscape with regard to Internet privacy, and to provide an overview of legal protection, self-regulatory guidelines, challenges, and case studies relating to the topic.

Organiser(s) Name: 

UNESCO; Global Partners & Associates(Civil society); Council of Europe (Regional governmental organization); Article 19 (Civil Society)

Previous Workshop(s): 

2011 feeder workshop: Free flow of information and social networks: a role for democracy and social participation

Submitted Workshop Panelists: 


9:00   Opening and Introductory Remarks by Chair


Mr Guy Berger

Director, Division of Freedom of Expression and Media Development, Communication and Information Sector,  UNESCO

9:05  Presentation of the report by Mr Andrew Puddephatt, Director of Global Partners & Associates, and Ben Wagner, Researcher at the European University Institute in Florence and Associate of Global Partners & Associates

9:30  Comment by panelists:
Mr David Souter, Founder and Managing Director, ICT Development Associates
Ms Sophie Kwasny, Council of Europe
Ms Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation, based in USA
Ms Ceren Ünal, Instructor, Bilkent University Faculty of Law, Turkey
Mr Max Senges, Google´s Policy Team, Berlin
Ms Gabrielle Guillemin, Legal Officer, Article 19

10 :00  Questions and Answers  (also open to remote participation)        

10:25  Closing Remark by Mr Guy Berger


Name of Remote Moderator(s): 
Cedric Wachholz, Programme Specialist, Section for Universal Access and Preservation, Knowledge Societies Division, Communication and Information Sector, UNESCO
Gender Report Card
Please estimate the overall number of women participants present at the session: 
The majority of participants were women
Please include any comments or recommendations you have on how to improve the inclusion of issues related to gender equality and: 

Although time did not allow for raising gender equality issues during the workshop itself, the publication that was launched and disseminated through it includes a section on useful resources for further reading on gender issues in relation to Internet privacy and freedom of expression.

Reported by: 
Guy Berger, Director, Division of Freedom of Expression and Media Development, Communication and Information Sector,UNESCO
A brief substantive summary and the main issues that were raised: 

Assessing the relationship between Internet privacy issues and freedom of expression was at the heart of this workshop, which was centered on a new publication of UNESCO (available at
Two authors, Andrew Puddephatt and Ben Wagner (of Global Partners and Associates), summarized the publication; and responses came from Gabrielle Guillemin (Article 19), Ceren Ünal (Ankara University), David Souter (ICT Development Associates), Katitza Rodriguez (Electronic Freedom Foundation), Sophie Kwasny of the Council of Europe, and Max Senges of Google. Several speakers contributed points from the floor.
The discussion registered that there are different interpretations of the concept of privacy, but the right could broadly be understood as “the reasonable expectation” of an individual, which was also distinct from “data protection” and “anonymity”. The authors of the UNESCO publication highlighted a diverse regulatory landscape around the world, and challenges related to discrepancies in legislation pertaining to the online and off-line spheres, and between national and international jurisdictions. It was noted that, in an interconnected world, the same model that works to balance privacy protection with free expression in one country can be emulated with negative impact on freedom of expression in another.
Also stated at the session, poor regimes in protecting freedom of expression are accompanied by poor privacy regimes as well. There was broad accord that most stakeholders needed advice about balancing of the two related rights when these came into competition.
The following points also emerged: 

  • Our understanding of privacy and free expression has evolved as the world has been rapidly transformed by the advent of “big data” and business models based around data.  Law enforcers want access to the “giant pool” of data, raising issues of privacy and free expression, as well as questions of the modality and parameters. Additional concerns include what happens to “digital footprints”, and to the security of data holdings in terms of possible abuse or theft.
  • The Internet presents particular challenges to privacy through its character as a platform where personal information can be easily collected, stored, shared, used, analyzed, commercialized and traced. Its trans-nationality, the speed and reach of information flows, the significant online market for personal data, and the growing convergence of devices connected to the Internet all make it difficult for users to have control over their personal information. These factors have also added to social habits of accepting terms of service or privacy policies without paying due attention. On the other hand, the point was also made that excessive privacy could limit data-mining possibilities, such as the raw materials needed to improve voice recognition and simultaneous interpretation.
  • Privacy can underpin many other human rights, including freedom of expression, such as by reinforcing anonymity as an enabler of free speech, and helping to protect journalists’ professional interest in keeping private the identities of whistleblowing sources. But cautions were expressed by the discussants that attempts to safeguard privacy online can sometimes undermine legitimate freedom of expression. Privacy regimes can be abused to maintain secrecy in regard to information that really deserves to be laid out in the sterilizing sunlight. The classic example is where those exposed by investigative journalism invoke a claim of violations of their privacy, even though the unearthing of this information can be in the public interest.
  • In these modes, privacy can also be used to conceal corruption and to limit the freedom of expression for those trying to expose it. Forging a balance is not an easy task, but the issue of public interest should be the deciding element to establish which should prevail if these come into competition on a particular issue. There is no hierarchy between the two rights, and neither is absolute, the Council of Europe pointed out. The overall public interest override is equally central when settling a conflict between privacy and the right to access information held by public bodies.

References were made to, and

  • It is hard for firms that provide Internet services internationally to navigate the complex landscape constituted by different national privacy laws. Ambiguity in the legal arena contributes to hinder privacy protection. There seems to be a trend, even among democracies, to establish legal regimes that facilitate the use of personal information for law enforcement purposes, without always giving due consideration to privacy concerns.  
  • Knowing or suspecting that your data could be released to law enforcement officers could have a chilling effect on what data was made available.
  • Most data protection regimes include a number of specific rules to protect various public interests, they do not provide for a general public interest override, so they do not always fully protect freedom of expression. Blurred relationships between the right to information and data protection laws often lead to confusion.  
  • The right to be forgotten was not much supported in the discussion, with the arguments that there are already safeguards about accuracy and limited preservation periods. In addition to being technically challenging, it was very labour intensive for the individual to indicate all the time when information should expire, and it could grow into a rewriting of history.
  • One argument was in favour of pre-emptive measures to protect privacy, saying that punitive measures were too late as the damage could not be reversed. However, it was also pointed out that European Court of Justice has thrown out the idea of pre-notification about publication of private information. 
Conclusions and further comments: 

Among the recommendations were:

  • Governments should establish a strong constitutional protection of privacy and freedom of expression, imposing positive obligations on the state, allowing only for limited restrictions on these rights and referring to the overall public interest to balance these rights. Privacy should be protected from threats stemming from both public and private actors.
  • Resort to civil laws should be the primary practical means to protect privacy, with criminal rules used only for protecting certain highly sensitive information (e.g.: linked to banking).  
  • States should set up strong data protection regimes, allowing still for exceptions to these rules for certain data, particularly when concerning freedom of expression.
  • Many corporations need to develop better policies to protect privacy. These should confer as much control over privacy as possible to users. User-friendly privacy policies and users´ opt-ins and opt-outs were recommended.  The Mozilla model was referred to.  Privacy by design was recommended in terms of devices.
  • Public awareness-raising on privacy protection and new technologies, and media and Internet literacy efforts, were strongly recommended.  Media and information literacy should promote tolerance in relation to content online. P2P violations of privacy should not be overlooked. Users were seen to have some responsibility as to encrypting and tracking their information and communications, and present uptake of this was very low (3%). However, if the Internet is to be a public plaza, as the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression has urged, then privacy needs to be weighed against this. Privacy should not be the default, and there should not be a prejudice against data per se. 

(No.50) Aspects of Identity

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

This workshop addresses aspects of the following theme questions from Security, Openness and Privacy:

Question 1: What impact can security and governance issues have on the Internet and human rights? In this case the right to privacy
Privacy is a fundamental right, but so is national security and the right to feel safe which is derived from enforcement of law. Privacy is giving people the ability to protect and control the dissemination of their personal information. However even in the physical world it is not possible to retract or remove information from the collective conscious - for example something published in a newspaper. However the problem is not the balance of security v privacy it is actually security & privacy v anonymity.
We need to better manage and improve governance of the Internet and identity usage so that in general privacy is upheld but where necessary someone can be held accountable for their actions.
Question 3: What risks can Internet fragmentation pose to security, privacy and openness? If identity governance becomes fragmented and requirements change what impact does this have?
If identity use and governance becomes fragmented it will destroy many of the benefits of the internet as a global resource. The market may well deal with this as there are business and funding drivers that require the effective globalisation of identity. This will effectively come about by contractual relationships and an effective liability model as we have today with passports.
Question 5: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness? Identity information can be used as a tool by state and law enforcement both for good and bad reasons, how do you strike a balance?
Anonymity is the biggest conceptual headache, not privacy. Privacy is good and hard to misuse - anonymity can be misused. Surveillance is often ineffective as you often only servile those that are law abiding when you capture internet logs. Law enforcement is fundamental to the security of nation states. The balance is probably more between anonymity and security rather than privacy and security.
Question 6: What measures can be taken to ensure freedom of expression, access to knowledge and privacy, including for children? Can anonymity really be possible on the Internet and does this have implications on providing a tool for criminal and terrorist organisations?
Anonymity will always be used by the bad guys. We already have organised crime using data protection and human rights especially article 8 to protect themselves against being traced, being prosecuted and general law enforcement activities. One way trust models and zero knowledge proof of knowledge are examples of ways in which pseudo anonymous activities can be transacted but with the ability to hold those who perform criminal activity accountable.
However this would allow suppressive regimes and those that misuse the information to have dangerous tools they could misuse. Until we have a fully democratic world we will have to find a balance between security and anonymity and become much better and improving privacy. For now we need to start defining the boundaries and contexts in which each identity balance should be tuned.

Concise Description of Workshop: 

This workshop is intended to enable the exchange of ideas around various Aspects of Identity on the Internet, allowing the panel of identity experts from the Middle East, Asia and Western Europe, to interact with the participants with the aim of achieving some consensus on key aspects of identity use. Importantly this needs to cover the global or “borderless” perspectives of identity over the Internet.

Backgroung Paper: 
Organiser(s) Name: 

Organiser & rapporteur - Andy Smith

Previous Workshop(s): 

The following is the workshop we conducted last year:
The resulting report is freely available here:
We also presented at the UK IGF 2012. The summary of workshop 1 can be found here:

Submitted Workshop Panelists: 

The following are the Confirmed panelists and moderator:
Louise Bennett - BCS - Chair of the Security Forum of Expertise (SCoE). Louise has many years’ experience in both security and privacy including commercialisation of the Internet and is representing BCS worldwide including the BCS Youth forum and women on the Internet.
Andy Smith - BCS SCoE helped set up one of the first Internet service providers in Pakistan and spent years working in the Middle East on Internet security. He now works for UK Government on identity assurance and is representing BCS worldwide and EURIM UK
John Bullard – is Global Ambassador for IdenTrust providing identity systems for online banking and funds transfers. He has many years’ experience helping banks in developing countries and Europe set up secure online identity system to help prevent identity theft and protect privacy
Asrar Baig -  Runs IT Matrix in Bahrain & Saudi Arabia - a consultancy that works across the Middle East. He has considerable experience with Internet security and online identity including prevention of identity theft and brings a unique perspective on privacy and use of identity for access to information from the Middle-East.
Sujit Christy - Is a member of the BCS in Sri Lanka and is representing the Indian and Sri Lankan interests in identity and preventing identity theft. He is a Director at Layer-7 Securo Consutoria Pvt Ltd with several years of experience in cyber security & compliance.

Name of Remote Moderator(s): 
Ian Fish - BCS SCoE - Ian moderated the Aspects of Identity session in Nairobi. Ian is highly experienced in Information Security and identity on the Internet and will manage external questions and input to the session.
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Reported by: 
Andy Smith
A brief substantive summary and the main issues that were raised: 

Members of the BCS Identity Assurance Working Group (IAWG) supported by IT Matrix from Saudi Arabia and IdenTrust from London attended the UN IGF meeting in Baku in November 2012 to take forward one of the five calls for action agreed by the Policy and Public Affairs Board (PPAB) for BCS to pursue in 2011/12 .
The panel was chaired by Louise Bennett (Chair BCS SCoE) and the other members were Andy Smith (BCS SCoE), Asrar Baig (IT Matrix) and John Bullard (IdenTrust). Remote moderation was performed by Ian Fish (BCS SCoE).
The IAWG prepared a follow up workshop on “Aspects of Identity” for IGF 2012, following up on IGF 2011 and other workshops including InfoSec 2011 & 2012, EuroDIG 2011 and UK IGF 2012.  The outcomes of these events will be reported back at a joint BCS/EEMA Thought Leadership Seminar on e-ID Enabling Business Transaction on 27 November at BCS.
The IGF in Baku was the seventh meeting, each year the emphasis and themes are changed. This is the second IGF at which the BCS have run a workshop. This year the BCS workshop fed in to the Plenary session on Security, Openness and Privacy.
The IGF is described as a multi-stakeholder discussion. To date it has achieved consensus on a number of issues such as ways of dealing with child sex abuse on the Internet, where there is a large degree of international consensus. The attendees were: Parliamentarians, government officials, internet registrars (such as Nominet), business (largely the majors such as Microsoft, Google, Cisco, Nokia and some smaller  businesses and civil society (largely human rights, privacy and freedom of the Internet (or more accurately a free Internet) activists).
This workshop addresses aspects of the following theme questions from Security, Openness and Privacy The IGF questions that the BCS was concentrating on addressing were:
Question 1: What impact can security and governance issues have on the Internet and human rights? In this case the right to privacy
Question 3: What risks can Internet fragmentation pose to security, privacy and openness? If identity governance becomes fragmented and requirements change what impact does this have?
Question 5: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness? Identity information can be used as a tool by state and law enforcement both for good and bad reasons, how do you strike a balance?
Question 6: What measures can be taken to ensure freedom of expression, access to knowledge and privacy, including for children? Can anonymity really be possible on the Internet and does this have implications on providing a tool for criminal and terrorist organisations?
There were three main objectives for this workshop:
1. To look at the governance of identity on the internet and its impacts on security and privacy.
2. Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development.
3. To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
Feedback from Workshop 50 Aspects of Identity.
This workshop provided some surprising answers and changes in direction….
The fundamental finding from last year was that Proportionality between security & privacy is culturally and context sensitive but also very hard to define and a very emotive subject. It is unlikely that there is one balance and there will always be polarised views over the balance between security and privacy. However the surprise was that the balance is not necessarily between security and privacy, but between security and anonymity.
The Key issues for this year were:
To look at the governance of identity on the internet and its impacts on security and privacy.
Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development. Can identity be used as currency?
To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services.
The key questions we posed for discussion were:

  • Is identity legitimate currency to fund the Internet?
  • How context sensitive is identity?
  • How do you protect the naïve from themselves?
  • Will we ever be able to balance the need for security with the right to privacy?
  • How internet identity framework can become e-business enabler for the masses in the east?

The balance may not be between Security and Privacy. Both of these are about protecting people and protecting peoples rights. The balance is more between Security and Anonymity. Privacy is difficult to misuse, anonymity can and is misused. Even though anonymity intrinsically provides privacy, there is a significant difference between privacy and anonymity:
Anonymity is the ability to perform actions without them being traced to the person - which means both that they have the right to free speech without fear of repercussions; but also that people cannot be held accountable for their actions.
Privacy is the ability to only provide personal information to those entitled to it by law or that the person chooses to provide the information to of their own free will.
Privacy protects peoples rights but does not damage the need for national security and law enforcement which is normally built in to privacy and data protection laws. However anonymity can. Anonymity is not necessary for privacy but is often misinterpreted as a requirement of privacy. Anonymity is not necessary for privacy and the two concepts should be separated.
Anonymity is only required where free speech or other actions could have negative repercussions against the person. In most western countries free speech is a legal right and anonymity can be used to avoid charges of libel and slander or for nefarious actions including cyber bullying.
Therefore the issue is not security v privacy. They both have the same goal of protecting people. The balance is between Security and Anonymity.
It is vital to have the right level of Identity assurance for the context of a transaction over the Internet. The assurance in the identity is context sensitive and can change from anonymously downloading pages from a news service to very high assurance when transferring funds between bank accounts.
In all cases the identity needs to be registered to the level of assurance required for the transactions, which means there needs to be effective methods for remotely identifying someone and issuing credentials.
Basing Identity on a liability model and using a contractual framework would significantly improve the trust and commercial use of identity on the Internet. Having some method of holding people accountable for their actions and for use of a trusted identity would significantly improve both national and global online commerce.
However for identity to stand up in court and be viable under a contractual framework, high assurance identity, meeting the tests (using a UK example) of ‘balance of probability’ for civil prosecution or ‘beyond reasonable doubt’ for criminal prosecution would be required.
Identity is used as a form of currency on the Internet, with people providing personal information in order to gain free or low cost services in return. This allows the "payment" of those services to come from targeted marketing and other sources. However this does expose people to risks they may not realise.  Datamining of the same aggregated data sets can be used for both targeted marketing and targeted crime.
There is still a lot of work to do with balancing and understanding the different drivers for security, privacy and anonymity, including how they pull against each other or overlap. This will be the theme for work next year.
Digital Identity is an on-going piece of work and becoming a critical subject for the success and globalisation of the Internet. The key is going to be to define a governance structure that will actually work and the conclusion was that IGF can play an important part in providing the stage for discussions, however such discussions are needed between the IGF meetings therefore a Dynamic Coalition is needed and the BCS has set one up for Identity. Anyone is welcome to join and can do so by sending an email to with their contact details.
Most digital identity is still fundamentally based on physical identity issued by a single authoritative source (normally Government) - the original documents tend to be the national passport, or other Government identity documents such as ID cards or driving licence. This may be used directly to set up a digital identity, or indirectly, where it is first used to get a bank account or credit card which is then in turn used to get a digital identity. There are currently no effective methods of creating only a digital identity. Every digital citizen is still a citizen of somewhere.
People need real incentives to get online and perform commercial activities, such as the card for blue collar workers originally started in GCC but now moving in to Saudi Arabia. Here a real world (physical) card can act as a digital identity and allow holders to go online and perform commercial transactions. But again this card is provided under a commercial framework and contractual model.  
People also need to be helped to secure their online profile so that they are not subject to identity theft and fraud. Weak identities that have been exploited for criminal acts and a few media stories is already resulting in fear of going online across much of the Middle East. Schemes like the GCC card will help to rectify this, but user education and in some places, media education is also required.
Fear of going online and being subject to identity theft is also prevalent in the West and much still needs to be done to help people to understand how to protect their identity and their privacy.
We should not be looking for a grand scheme, but rather small steps and maybe compatible standards so that small schemes can interoperate effectively. However someone needs to set the standards and this is another task that the IGF along with standards making bodies such as IETF and ISO could achieve.

Conclusions and further comments: 

The following are the notes and findings from the Panel Session
Louise introduced the session and the panel, explaining that we would have five minute presentations from the panel members outlining three key issues.  The first of these is commercialization of the internet with Louise covering the western view and Asrar Baig the eastern view of this topic.  Governance on the internet will be covered by John Bullard. Then Any Smith would cover the implications on identity of balancing of security and privacy.
The panel discussion was then about an hour and was a good interactive session.   Louise explained that the panel was organized by the BCS which is the chartered institute for IT. 
The Identity Assurance Working Group within the BCS has the aim to drive improvements that are needed globally on this subject through the U.N. Internet Governance Forum. 
One topic to consider is how to develop valued incentive models that match the requirements of people for identity for eCommerce.  The panel looked at the whole framework for identity governance on the internet and the complex topic of trust in transactions with remote identities. This included the use of anonymity, pseudonymity and attribution.
The most fundamental finding from the work last year was the confirmation that security, privacy and anonymity is culturally and contextually a sensitive topic.  It's hard to define and agree and very emotive.  Proportionality will be raised in every discussion in identity on the internet.
This year, the panel was focusing on a modified set of issues.  The commercialization of the internet including legal frameworks, the effect on economic development of the internet, the contextual nature of identity and the different drivers for security and privacy and how they can be better balanced
Over the internet you need different levels of certainty about who the other party is that you're communicating with and you need a level of certainty that's appropriate to the transaction that you are doing.  This covers a whole spectrum of problems.  From the certainty that you've logged onto a legitimate supplier website, to being certain that you're transferring funds to your bank account.  That's a different level of trust for each different type of transaction. 
The key thing in every transaction, on the internet, is, is the other party good for the transaction?  It's exactly the same issue as if you were doing it in the physical world.  Can they deliver the goods?  Can they pay for the goods?  And most importantly, bringing in the legal issue?  What's the redress you're going to get if this transaction doesn't work and something goes wrong? 
If you're doing business with an organization, you need to know the business is legitimate and has processes in place that means the individuals from the organization you're dealing with have the authority to undertake the transaction. 
You don't actually need to know the individuals identity in the organization.  You need to know that the organization is the right one and has internal systems that are going to check the transaction that's carried out.
There are a lot of different commercial models on the internet and some services are free, or below cost, because there is value in the data that we, as individuals and customers, may give up when we're using those sites or services.  And, we should know that there's a quid pro quo which is usually targeted advertising. A Quote from Blue Beetle was "  If you're using a free service, you're not a customer, you're a product”. 
There are costs associated with the internet.  If you don't want to pay for those services and access with cash, then you have to realize, maybe you're paying through your taxes.  Or maybe you're paying for it through the abrogation of your activities as an individual identity on the internet.  When you talk to young people, they mostly accept this paradigm. 
It can be a win-win situation.  The individual can get subsidized or free services, access to information, by giving up personal information about themselves and their identity that they think is of equivalent value or less value than the services they're getting. 
If you don't want your identity attributes to be used and privacy really matters to you, then you either get offline or pay for your protection or pay to understand how to protect yourself.  We need to make our own informed choices and these will be culturally and contextually, completely different for each of us at any point in time and over time.  We'll change our views on these, perhaps as we grow older. 
The ability to retain anonymity, particularly in countries with repressive regimes, in some situations, is absolutely vital. However, identity assured at some level is needed for many transactions.  Most importantly, it's actually needed for commercial transactions when you're buying or selling things.  You need to know the counterparty will supply the goods or pay the price. 
You may also need to know identifiers for some things.  This is becoming increasingly important as we have smart homes and online health takes off.  If you're a diabetic and your doctor is monitoring your blood sugar level remotely and automatically increasing the flow of medication, which is already happening in some places, you need to know it's your medication that's being changed, not someone else's.
So, managing your online identity and the identity of things or organizations that are associated with you is becoming a vital life skill for everybody.  How can we possibly manage that effectively on a global scale with billions of people and a trillion things attached to the internet? 
Turning to the Eastern view and more specifically the Arab world there are significant cultural differences, when we're looking at the internet governance or the commercialization of the internet, we are way apart, whereas, we can benefit a lot if we really look closely and analyze the eastern aspect. 
Because, if you look at internet security and privacy, then you'll be looking at that in the western world, the security and privacy is on one extreme whereas when you come to the east, it's in a very different extreme.  In the Arab world people are used to being monitored.  In the western world, you want everything to be more open.  And it's already very open. 
On the products side, we have new challenges, whereas on the service side, over the past few years, the middle-east has come forward leaps and bounds.  Now there's a lot which can be done over the internet, including e governments, everything is on the e government side.  You can do transactions with the government using the internet and a lot other services like Telecom services, airline tickets, hotel bookings have gone on to be done over the internet. 
When you come on the product side, that's where the biggest challenge is because in the middle-east people are more used to buying products with a touch and feel, the tangible thing. 
Then we have other challenges, we don't have the real infrastructure in place for the logistics to manage the goods to go from one place to another. Many places do not have postal addresses.   Not only that the east often lacks the legal framework to protect the consumer.  So then, from that aspect, trusting somebody will ship something and it will be delivered without problem becomes difficult. 
On the trust side the trust on the face value is totally opposite.  In the arab world people trust very much on the face value.  When somebody says who he is its often not questioned, they just want to believe it.  To ask somebody to give their identity or to cross question is like offending them. 
This trust on the face value is not lost when you go onto the internet, it's more like, with the technology there, it has to be true.  Anything which is written on the internet, anybody who writes something on the internet, you consider it as valid.  As true. This level of naivety on the Internet can be problematic.
In the middle east privacy is not so private.  We accept, in our part of the world, we accept being monitored.  Why?  Because we have this trust in the government, thinking the government is supposed to provide us security and they're going to be monitoring us. 
When we have these kinds of talks in the modern world, people in the middle-east aren't looking at the private sector for providing digital identities to do e commerce, they're looking at the government and make them accountable or responsible.  Bringing security to the identities on the internet. 
One question is how privacy advocates wouldn't go overboard in pushing the eastern societies to be more aware of their rights.  I know, very tough for western people and privacy advocates to see that's a different aspect.  You look at it from the western side its completely different.
If you look at the east side, the number of people getting onto the internet is huge and it's multiplying many fold every year.  So how can this framework enable the masses in the east to gain benefits out of this quickly.
What boundaries of internet identity would advocates of anonymity accept?  When we say the word freedom, there is a definition requirement.  What is freedom?  And the definition requirement can only be fulfilled of the freedom if we know the boundaries. 
Giving a commercial perspective, whatever we may say about the eastern view or the western view, the internet makes no difference at all.  Whether you are trading in Birmingham, U.K., Birmingham, Alabama, Bahrain, Barley or Baku, it makes no difference to the next street or the other side of the world.  We have to build some form of framework, some form of trust model that will enable wealth and commerce to take place. 
How do we enable small businesses to interact with their counterparties in a trusted manner so that commerce can take place?  The internet offers an enormous opportunity to do this, but we must bring some form of governance, some form of trusted identity processes into the picture to enable this to happen. 
What do we mean by trusted identity?  We may mean having absolute certainty of who you're interacting with.  We need to know who guarantees the identity of the individual person or organisation?  We need to have a complete and transparent audit trail of who did what and when? 
We need to see trusted electronic identities as a key component in limiting liability and external exposure.  So there must be some form of liability management, if things go wrong, where can I look for redress?  Those are the key issues we should seek to address from a commercial and from a business perspective around the world. 
Identity is a critical piece of, of a trust model which needs to accompany the commercialization of the internet. The other two things we need to be thinking about in this context, is what aspects of identity are to be managed and who will be covered by any identity management solution. 
The technology is the easy bit.  It will do what it says it will do.  The human bits become much more complicated, particularly when you look at the liability and legal issues.  How can you, how can we link together the buyer in Bali and the seller in Birmingham so everyone knows what their liabilities are and are not?
It's easy to have identity management internally or within a community of interest or within multiple communities of interest.  But once you get to multiple communities of interest across multiple legal jurisdictions, it can get much more complicated. 
We could have the equivalent of a scheme such as Visa or Mastercard, if you think of that in the 20th century and think of the internet era and think of the joining up of payments with all other pieces of a transaction, you need some scheme, some method, some legal liability framework that all parties can sign up to. 
It is likely to be a number of private sector initiatives, that can interact based upon the law of contract so that everybody knows what their liabilities are and what they are not. 
From a government perspective, we would suggest that governments are not in the business of managing their citizens liabilities.  That is not what government does or should do.  Government should make use of these sorts of private sector initiatives in much the same way as governments use the world's payments networks.  They do this today with significant trust. 
So one thesis is that; if we can have some form of global contractual structure, through things like financial institutions, which are regulated at the country level, then it should satisfy all the different blends of government that we have around this planet and instill trust in use of identity.
Security versus privacy and openness is a really contentious issue.  It is a very difficult balancing act.  And finding the right balance is proving incredibly difficult if not impossible. 
On the one side, you've got national security and law enforcement, actually protecting the majority from the minority.  The Government obligation of making sure that all the citizens in a country are protected from those who would cause them harm.  From those that would commit identity theft, fraud, and otherwise perform various activities. 
On the other side, you've got the right to privacy, you've got fundamental human rights, and in Europe, you've also got data protection legislation, all aimed at protecting the individual. 
In some ways, privacy and the right to privacy is about protecting yourself. Some also claim that anonymity is part of privacy and therefore also a right.  So, it makes the balancing act even more complicated because some of the things that you're doing for national security can be misused and used against people.  Some of the things you do for privacy can be misused. 
More and more, as organized crime move onto the internet, you're actually seeing them using the laws and rights that are being granted around, data protection, and privacy to protect themselves and their activities online and using those laws to misuse the internet and use it against individuals and against law enforcement.
When it comes to identifying someone how good is good enough?  We have a lot of problems with stolen identities.  We have a lot of problems with online fraud.  Much of that is caused because the root identity cannot be confirmed or cannot be traced or can be too easily stolen or misused.  So when you're interacting with someone, either you don't know they're the legitimate person or they don't know you're a legitimate organization and one they should be doing business with. 
From a sort of governmental point of view, if you're going to give someone a passport, you want to know they are who they claim to be and they are a national of your country and they have a right to a passport and a right to travel.
But if you are just letting someone download a free report on the Internet do you really need to see their passport?
We have a lot of people going online, a lot of young people going online.  They're following the crowd, they're following what their friends do, they're putting a lot of their personal information up on the internet.  It's being, captured, it's being stored, and they can never delete it again. 
We have situations where, large companies, are interviewing people and actually asking to be friends with them on Facebook or linked to them on linked in, so that they can see their personal information.  So they can see the type of person they are and who they consort with.  That's a bad use of someone's personal information.  People's personal information cannot be deleted.  Once it's on the internet, it's there to stay.
People may do silly things in their teens when they go to get a job in their 20s, the people interviewing them can see what they did in their teens and can hold it against them.  You cannot stop people from doing stupid things in the first place, but how do you protect the naïve from themselves, can you, should you?
Will we ever be able to balance the need for security against the need for privacy?  And, do we actually need to do it the same for everybody?  Can we actually have different forms of balance in different countries, in different jurisdictions and in different contexts?
How do you have any assurance in remote identity?  Whether it's a government dealing with their citizens, whether it's a commercial organization dealing with customers, how do you actually have assurance in the identity?  Organizations like ebay, PayPal, Amazon, they seem to have got a model to work.  They're using ratings based on feedback. As you interact with them and with other people, your identity becomes corroborated and the level of trust improves. Its not perfect but it works.
You're basically getting an identity rating.  So, whereas the financial industry has credit ratings, things like ebay and that, also operate equivalent of trust ratings.  Is the concept of identity ratings one that we want to use?  Is that a concept we want to actually establish?  The idea of identity ratings online? 
Currently there are only a few identity documents, there are only a few ways of verifying identity.  When you come to get a credit card or a bank account, when you come to set up your account with Amazon, normally they will use things like your passport or your birth certificate or some other breeder document to initiate that new identity you're creating in that context.  But it always comes back to a few documents.  Always comes back to the passport.  If you have a passport, you can get a driver's license, bank account, mortgage, et cetera. 
One of the workshop participants raised a very critical point during the discussion. “I think there are a number of confusions.  I don't think anonymity is the same as privacy.  People can know who I am without knowing everything about me.  I think it's important to retain these distinctions.  And also, in these, at this conference, a lot of people are talking about what their rights are in different places, quite honestly, I don't see how you can have rights without having a rights holder.”
Louise responded – “I agree with you that anonymity and privacy aren't the same thing.  I think they're often allotted together and this caused an enormous amount of confusion…”
Asar made the follow up comment “It looks like it's really a security issue rather than anonymity issue.  Because the person who will declare something, doesn't like somebody to know it, just because they feel threatened by them.  But in an ideal world, if there is ideal security, then we can have that we really don't look for anonymity at that point.  Because we have those threats, that's the only reason we require the anonymity.”
Andy followed up with “I agree completely that privacy and anonymity are different.  The biggest issue I have with anonymity is where people actually abuse it and use it to their own advantage” for nefarious means.
Privacy is about not giving personal details to people who have no need to have them. You may give your name, you may give a pseudonym, you may use some form of identity tag, on the internet, but it should be traceable back to a root identity in most instances, but it should only be people like law enforcement or intelligence agencies, that should be able to do that.
A Workshop participant then made the following point: This problem is often posed as one of drawing the balance between privacy and security.  One of my counterparts said we have to optimize for security and privacy.  I think that's even more challenging than just simply drawing the balance between the two, but something we need to try and step up to.
When it comes to the anonymity versus privacy versus security debate, again, it's an emotive topic, but my view is that well, this is often characterized, again, if you've got nothing to hide, you've got anything to fear, argument.  My problem with that is, there are always bad actors in the system, even amongst those, for example, who have authorized access to data.  And under those circumstances, the question is, who do you have something to fear from?  Because it may well not be the people asking for your information, it may well be third parties who don't have your best interest at heart.  That's something that needs to be designed into these kinds of systems.
Louise made the point that reputation and trust are other very important issues and reputation is not only important to individuals, it's enormously important to institutions.
We have to trust the market to deliver some of these issues and there'll be some absolutely trusted organizations that people will be comfortable in going with. If people become sufficiently uncomfortable with a particular policy of a particular organisation or its reputation gets damaged or people lose trust in it, they will simply move to a competitor. Many websites have gone out of business when they have lost customer trust. Those that protect their reputations have become household names.
John made the point that “I think the key issue there is liability. If something goes wrong, where do I get recourse from?  That seems to me, when all else is said and done, is incredibly important for trust and for doing business on the internet.”
Asrar provided a slightly different view on this point “I believe there's still a balance required, when you just say that the markets can decide and once we have their organization and people, based on their liking, can do that…  Because sometimes, things like what happened in 2008, the financial collapse was, again, the same market and what happens in the days of, the dot com collapse when everything went wrong by just leaving it to the market there is, again, a responsibility and accountability which has to be there by somebody”.
There has to be somebody on top of the regulators.  You are required to have a framework, if you just leave it, the banks can do it the way they want to do, the market is just being driven by money, profit.  If you leave it to be driven by profit, who will look after the real interest of customers?
The panel then moved on to another question posed by a Dutch participant. “In real life, you have a right to be forgotten.  When you don't want something you have produced or anything else, in the market anymore, you have the right to ask to take it out of the market.  On the internet, it's not possible.  So...what's your opinion on that?”
Andy made the point “If you post stuff on the internet, it's there forever.”  It will get copied, it will get backed up.  You try and delete it from one source, you find it on another source. But he made the point you have this problem in the real world.  Once you're in a printed newspaper or on TV, you will never be forgotten, you just have to be careful in the first place.
Around London there, are over 7,000 CCTV cameras, that are run and monitored by different parts of the government.  On top of that, you've got tens of thousands of CCTV cameras put in by industries, business, even private individuals.  Nobody sits and watches all of that, all the time.  The police have 12 people looking after 7,500 cameras.  If something bad happens, they go find the tapes and they look.  That's pretty much what's happening with the internet.  And with the, the data capture on the internet.  Nobody's looking at it, there's just too much of it, but if something bad happens, they can have a look at the tiny little bit that's relevant. 
You have to understand from a proportionality point of view, it's not that they're tracking everybody, it's that there's loads of big computer systems storing loads of data that could potentially track everybody and as when they need to, they go find the bit that's relevant.  They don't have the resources to do it and they also don't have the inclination to do it either.
The final discussion point was on How, can an internet identity framework become an e business enabler for the masses in the east?
On participant commented that often in the East the main issue with e business.  It's two things.  Getting a credit card is a pain.  You have to be already employed.  So, and it takes awhile.  And the second issue is that people have a feel of getting their identities stolen by a hacker and all that, because during the late 90s, there was a huge amount of hackers. 
Asrar made the point that there are companies trying to address this. There's a starting point from a company which started in UAE.  The company is a Canadian company that shifted their business model to the Arab world.  They said there are too many blue collared people working in the Arab world who are not even connected with any kind of internet identity or e commerce or banks or so on.  They started by putting ATMs, specifically their own ATMs around different organizations which have got a few thousand employees and the salaries are going to be coming from the cards which will be issued to every single employee. 
Now those staff have started now having that identity.  The same card can be used anywhere across any of the countries because it's really a debit card.  Which can be used everywhere.  Not only that, with that card being there, the same organization, which isn't a bank, but is now acting like a bank, they've started giving micro-financing.  People can take loans, small amounts, and that automatically is being deducted in the same manner.  All of their money transfers can be done using the same card.  So it suddenly gave them a lot of ease.
The BCS have made a lot of progress in the last two years, defining what the problem is and coming up with answers, but the balancing act between security and privacy and openness is going to remain emotive and it's going to remain very hard.  We're just going to have to work hard on this and the U.N. and U.N. IGF is a very good forum to actually keep this moving forward.

Syndicate content