(No.90) iFreedom and cyber security in the balance

Go to Report
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

SO&P: Question 3: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness and how can public and private sector cooperate to conform and observe human rights?

Concise Description of Workshop: 

Companies and government institutions across the globe are increasingly under attack from hackers, criminals and hactivists, while non-democratic countries, governments increasingly turn to digital surveillance tools to monitor their citizens online. Human rights activists and NGO’s fight for fundamental rights on the web, including data protection, while Web 2.0 developers declare privacy as something of the 20th century . This workshop will look at the merit of these assumptions.
A forum discussion will be organized that brings people from these (seemingly) opposing constituencies together, to discuss the following key questions:

  • how exactly are the different concerns perceived?
  • where can parties find common ground?
  • what are common next steps to build on, and what action and by whom is necessary?

In general it is possible to identify three main lines of advocates:

  • Privacy advocates fighting for privacy in an online environment.
  • Law enforcement and security experts pointing to the constraints laid on their work by privacy legislation and norms in an international environment.
  • The Web 2.0 community propagating practically no restrictions to internet freedom .
Organiser(s) Name: 

- ECP on behalf of the IGF-NL (ECP | Platform for the Information Society) wants to take barriers for the implementation and acceptance of ICT away to the benefit of our economy and society, and in order to strengthen our international competitive position. In addition, ECP (also at a political-governmental level) draws attention to a number of specific themes such as growth of productivity, strengthening of competitiveness and the European Digital Agenda. One of it programs is the public-private partnership NL IGF. NL IGF prepairs for the IGF and provides good embedding of the results of the IGF in national policy.
- Dutch Ministry of Economic Affairs, Agriculture & innovation
- Dutch Ministry of Foreign Affairs

Previous Workshop(s): 

NL IGF organized :
2010: Public-private cooperation on Internet safety/cybercrime

2011: Parliamentarian Challenge: a Round Table between Parliamentarians and other Stakeholders


Submitted Workshop Panelists: 

Ivo Ivanov, AC/DC, EU project on botnet mitigation and cooperation (confirmed)
Milton Mueller, Privacy advocate (confirmed)
Katitza Rodriguez, EFF (confirmed)
Cornelia Kutterer, Microsoft (confirmed)

Name of Remote Moderator(s): 
Sophie Veraart, NL IGF - ECP
Reported by: 
Sophie Veraart
A brief substantive summary and the main issues that were raised: 

Over 80 participants gathered in this workshop to talk about the balancing act between security and law enforcement on the one hand and individual rights to freedom of speech, to having a free flow of information, and rights to privacy on the other hand.
Panelists were Milton Mueller (privacy advocate and professor at Syracuse University), Katitza Rodrigues (EFF, international rights director), Cornelia Kutterer (Microsoft), Iarla Flynn (Google's Head of Public Policy for Australia and New Zealand) and Alexander Seeger (head of Cybercrime Division in the CoE). Moderator was Emily Taylor (independent consultant in Internet Law and Governance).

Companies and government institutions across the globe are increasingly under attack from hackers, criminals and hactivists, while non-democratic countries and governments increasingly turn to digital surveillance tools to monitor their citizens online. Human rights activists and NGO’s fight for fundamental rights on the web, including data protection, while Web 2.0 developers declare privacy as something of the 20th century . This workshop  looked at the merit of these assumptions.

Cornelia Kutterer began by setting out that times in  European politics are exciting, because in many countries governmental policy is currently being  revised. Think of the draft privacy regulation and the intermediary liability that are currently discussed, the new child safety strategy that is put in place, and the forthcoming European cyber security strategy to be issued by the European Commission. She has also noticed that similar developments are taking place in other member states and that they actually refer to each other, which Cornelia thinks is a good thing. Most of the European national cyber security strategies that are emerging in member states do actually include openness and freedom as well as cyber security.
But the devil is in the detail, Cornelia warned. For example, in order to secure accounts of customers, sometimes information needs to be shared.  And that is now recognized in the draft privacy regulation. But only in a short recital. It must be  clearer that information in particular circumstances may have to be shared. 
Milton Mueller  approached the question from a social scientist point of view, who study basically  science technology and society. He explained the ins and outs of Deep Packet Inspection (DPI) and what went wrong there. Deep Packet Inspection was meant to manage and control band width.  Many of the Internet service providers made the mistake of simply implementing this, just because they had the unilateral power to do so, without notifying their customers, and without having any kind of permission, which you would  normally expect them to do, when implementing new technologies. But when these technologies are disruptive and mix up power in relationships among actors, that's when things go wrong, he said.
Milton also calls for  activists, activist organizations, net neutrality activists, privacy activists to constantly monitor, survey the survey users, and to actively make a statement when something happens that they think is rebalancing or unbalancing rights. Because usually the government in terms of traditional data protection regulation is not very thorough with new technologies until a problem arises. According to Miltons research  ‘digital referees’ will have quite an important role to play.
Katitza Rodrigues said the role of society is very important for actually monitoring and seeing to what companies and governments do, how they collect and access our data, whether or not they  use them and whether or not they have legal grounds to access it. Not only governments but also companies should notify users when particular data are in demand more than usual. Katitza thinks there is a lack of transparency and secrecy within governments and she pleads for principles that determine how governments have to deal with data.
Iarla Flynn thinks that privacy must be underpinned by good security. He agrees with Katitza that one of the key things is transparency. Google actually launched a report in 2010, the Google Transparency Report, which lists and shows in table and map format all the requests that they get from governments around the world for access to user data. Iarla admits that in many cases it is important to provide such data, because they believe they are valid requests. However, they check them all nonetheless. 
It is also about proportion and balance, Iarla said. He thought there's a proportionality principle.  The police does need some powers to fight crime, but we need to get the balance right between the risks and costs that those powers might create versus the benefit for society and successfully tackling crime. 

Alexander Seeger disagreed as he thought it is not a question of balance. He said governments have positive obligations to protect citizens, society, against crimes because crime affects the rights of individuals.  He pleaded for better justification if governments wanted to interfere in the rights of people. There is a need for rules that respect fundamental rights, rule of law, Human Rights issues but also data protection issues. Therefore Microsoft, ISP organizations and police agencies together developed guidelines on how law enforcement and ISPs could cooperate  in a constructive manner while respecting those principles, he concluded.
Cornelia Kutterer reacted by saying that those recommendations do not sufficiently cover how service providers should implement guidelines and that those recommendations do help companies to actually implement in a corporate social responsibility way. She also mentioned the Global Network Initiative (GNI) , which Microsoft and Google participate in. GNI is a non-governmental organization with the dual goal of preventing Internet censorship by authoritarian governments and protecting the Internet privacy rights of individuals.
Katitza added that cooperation of companies is sometimes not so much voluntary  but that it is rather political pressure which makes them comply with certain obligations. She pleads for the discussion to focus more on granularity, to create more obligations for this kind of conduct.
Iarla reacted by remarking that a lot of good principles  are being developed. They may have some overlap but that’s not really a problem. The good thing is that a lot of work is going on that helps guide the development of good public policy in this field. Next he started a debate about something that was happening in Australia  right then, where they wanted to implement legislation which requires the retention of various types of data for two years.
Someone in the audience emphasized that retention of data is important because sometimes crimes are not discovered on the spot or directly after the deed has been committed, so it's very important to find proof, he said.

Conclusions and further comments: 

No further comments