Roelof Meijer, the moderator (CEO of SIDN, the .nl Internet domain name registry) introduced the session: the development of the Internet has made it crucial to the economy and to society in general. Lack of trust limits the full potential. The concept of acceptable behaviour was introduced in the London International Cyber Conference in November 2011 and developed further in the recent Budapest Cyber Conference.
Jamie Saunders, Director, International Cyber Policy, in the UK Foreign & Commonwealth Office, identified the pressures on governments:
Governments have to develop domestic policies on the internet which ensure security. They have to do that in a way that respects fundamental human rights, but there are some difficult trade-offs in that space.
We can't divorce cyberspace entirely from the reality of state-on-state conflict. States do act in cyberspace to protect national security interests.
States recognise the need to collaborate and tackle threats in cyberspace and they also respect national borders. The challenge in terms of agreeing norms of acceptable behaviour is key.
He believed there were significant reasons for optimism that something could be achieved:
There are standards that exist and which could be used to help regulate behaviour and responses;
Few want to see any breakdown of the Internet or fragmentation;
The benefits of the Internet provide an important incentive to work together to tackle threats – cooperation and confidence building will help reduce the risk of escalation of incidents.
The process initiated at the London International Cyber Conference has been heavily dominated by governments. However, business involvement is important as it operates the networks and provides the services. Civil society has an important role in holding governments to account and can often help break through entrenched government positions.
Mary Uduma, President of the Executive Board, Nigeria Internet Registration Association described how bad actors in Nigeria had had serious consequences for the country. She noted that this is the same for both on and off line action: in this case Nigeria’s reputation for housing bad traffic led to an economic downturn, the blocking of universities’ IP addresses and a lack of consumer trust in the use of systems – including in the ATM network – limiting the development of e-commerce. There had even been a case where a young woman had been lured to an hotel room and murdered.
There is good news: Nigeria is cooperating with other governments to address issues, in particular with EU training for Law Enforcement Agencies on security and responses. There has been some success in bringing criminals to court, but there is a problem in the lack of a definition of cybercrime and the use of “e-evidence” in courts. There is work on developing a cybercrime bill to provide the legal framework that recognises cybercrime and electronic evidence.
Nigeria has set up a working group led by Law Enforcement Agencies and the national CERT to provide a reporting system.
The Nigerian IGF looked at this issue at its national meeting. One of the things discussed was what you need to do to influence the behaviour of users. Nigeria is ready to co-operate between government, civil society and industry and is ready to communicate with other organisations to see how to tackle bad behaviour. There is a correlation between people who have signed up. We have had consultation on the Bill. We agree with others on how to co-operate and tackle the bad behaviour on the internet.
Dixie Hawtin, Global Partners & Associates, Chair of the Dynamic Coalition on Internet Rights & Principles talked about how the dynamic coalition’s work on key rights and principles (http://irpcharter.org/campaign/) had developed. The coalition was a network of individuals and groups from around the world and included wide consultation. It recognised the contribution the Internet had made to enabling rights – freedom of expression and of assembly, for example. The work recognised dangers online for users, companies and governments, and the harm that can be caused: mass surveillance, censorship and infringing national laws, international treaties and ignoring appropriate safeguards, for example.
The coalition adopted an approach to protecting public rights and Dixie considered it important to base Internet policy decisions on clear human rights’ standards.
The Charter of Human Rights & Principles on the Internet is an evolving document. It is a long document and it has been hard to get agreement on this level of detail. The 10 Internet Rights and Principles document is a higher level approach that did benefit from wide consensus, distilling out the key ideas from the work.
The process used in the work gives the document a lot of legitimacy. It is based on existing statements on human rights standards. The process was open and the coalition went out for input and consultations. It used an approach that was multi-stakeholder and global (every country was invited to feed in).
She agreed that any work on Internet governance needed to be based on agreed principles – in addition to the Internet Rights & Principles Coalition’s work, the Council of Europe and the OECD have produced statements of principles that should also be drawn on. She noted that civil society had also called for the IGF to develop a set of principles.
As a final comment, she expressed concern about the terminology of acceptable behaviour, with connotations of a paternalistic and sanitised approach to the Internet, and suggested that addressing unacceptable behaviour would be a better approach.
The Honourable Robert Shlegel, Member of the Russian State Duma and a member of its Information Policy, Information Technology & Communications Committee, noted that Russia is one of the fastest growing Internet economies in the world and in the top ten for development of broadband access with rapidly reducing costs and increasing speeds, including with growth in the number of older users. While there has been a focus on enabling Internet users, thought has been given to protecting users. There is work in Russia on developing rights and responsibilities for Internet service providers.
He noted a need for globally-recognised principles which could include rules on which the Internet could be developed: principles should oppose controlling or blocking content and underline the need to ensure open access for adults while protecting children from harmful content. The three principles of management which could probably be attained in the near future are:
Equality of access
Complete privacy and anonymity (and he expressed concern that this was under threat because of abuse through cybercrime)
The right to free flow of information for political purposes
A new law was introduced on 1 November 2012 that creates Internet “blacklists” preventing access to child abuse, drugs and suicide websites. This has quite wide support (87%) in Russia.
Russia has submitted a proposal for a UN Convention on International Information Security aimed at developing cooperation in the fight against cybercrime, looking for wide applicability over the Internet but without violating national sovereignty. Such action is needed because of the importance of the Internet in accessing services, e-government, social interaction and information, education and medical care as well as in assisting in responding to natural disasters: the Russian Federation had significant on-going work to help develop these applications.
In response to a question from the moderator, Robert Shlegel noted the need to put a lot of effort into developing and acting on rules agreed at international level. However, he was concerned that the dialogue was not working because the focus of much of the discussion was on why ideas were not being considered and why they are not considering ideas. We need to listen to what others are saying about how to define unacceptable behaviour.
Professor Flávio Rech Wagner, Federal University of Rio Grande do Sul and a Member of the multi-stakeholder Brazilian Internet Steering Committee said that Brazil strongly supported a worldwide multi-stakeholder approach for the development of a framework of acceptable behaviour. Brazil has been following this multi-stakeholder approach for many years at a national level with success, involving all the various stakeholder groups in the country.
The internet steering committee has 12 members from civil society and nine members from the government and it has a particular responsibility for enhancing trust. It has an important political role as it proposes policy affecting the operation of the Internet in the country. It is not a regulatory agency, but produces non-binding recommendations to enhance trust, working together with society, government and the Congress by education and outreach to put those policies forward. As examples, it has identified policies for fighting spam (its resolutions have been followed by all Internet service and telecom providers in the country); and a dialogue on policies on privacy and the protection of personal data (actions by the different stakeholders and their respective responsibilities).
Of particular note is that the committee has developed 10 fundamental principles for the use of the Internet, which includes issues of acceptable behaviour on the net, privacy, data retention, net neutrality and the responsibilities of content providers. This has been discussed in the Brazilian Congress. This has led to a draft Internet Bill of Rights which will be voted on imminently.
Flávio thought that Brazil would be very interested in engaging with a multi-stakeholder initiative to work on the concepts of behaviour, but starting with principles and rights, before looking at what is acceptable or unacceptable behaviour.
Lesley Cowley, CEO, Nominet, the .uk Internet domain name registry started by looking at the work that Nominet has done in enhancing trust, which has been working with law enforcement agencies where activity breaches its terms and conditions. This is a blunt instrument for dealing with some of the undesirable behaviours that damage trust.
It has been working through a multi-stakeholder process on policy around how to respond to criminal behaviours. It is difficult to develop policy in such a contentious area through a multi-stakeholder process, but it will shortly be able to finalise a policy approach on responding to criminal activity.
It is a difficult issue because Nominet should not act for law enforcement or become a law enforcement agency. However, it does need to meet its responsibilities, particularly to end users, and to ensure that people retain trust in the .uk space.
One concern is about how to scale up to respond quickly: criminal activity can happen incredibly quickly, but often the processes for dealing with it are incredibly slow.
Lesley questioned the concept of a trusted Internet. We teach people how to keep safe in an unsafe world. However, when it comes to cyberspace, we try and protect and cocoon people and perhaps more effort needs to be put into helping users and businesses keep themselves and their systems safe. Any discussion about rights is missing the other half of the picture which is the individual’s or the organisation’s responsibilities to protect themselves or to other users.
Finally, Lesley referred to the discussion in the UK IGF. There was consensus that the work should be well based in human rights. Where there was disagreement was on the balance with privacy. It was also recognised that it would be hard to get full agreement between different countries on what is acceptable (or unacceptable). It probably is not realistic to reach consensus, but there might be a way of benchmarking between countries to help define national approaches.
In response to a question, Lesley noted that unacceptable behaviour could range from the obviously unacceptable, such as criminal activity to that which might be unacceptable to an individual – for example, re-posting personal images or content.
In the discussion:
One questioner from the floor noted that the view from Russia did not make any reference to civil society. It sounded like the model of an omnipresent state taking care of each and every citizen. Is this a weakness of the system which might hamper the development of the open Internet in Russia? Robert Shlegel responded that he agreed with the role of civil society, but noted that in Russia the development of democratic expression is happening: civil society is developing, but this cannot be achieved very quickly.
A second questioner asked what the ultimate objective is – is it about reducing cybercrime or fraud? Without that clarity, it is hard to be clear about what can be the best output from the process. Jamie Saunders suggested that part of the work was to establish a framework for international cooperation for responding to cybercrime – including on what cybercrime is. He noted that some work was going on in the UK to identify the scale of investigations that stop because there is no framework for international cooperation. A second objective was economic and to make it easier for trading across borders. And a third objective was to try to avoid international security incidents escalating into uncontrollable real-world conflicts.
A questioner was concerned about references to morality because of differences in culture. Individuals in different countries need to have the same rights. Mary Uduma noted the similarity between the on and off-line worlds in gauging morality or criminality, and that governments set the laws for this.
There was a concern that scalability might lead to stronger action against individuals than against large criminal organisations. Lesley Cowley clarified that she was referring to how to respond to a large number of complaints (even if a small percentage of actual users of services).
The Chair asked how the discussion could be moved forward internationally.
Same rights / behaviour principles online as offline
There was widespread agreement for the need for multi-stakeholder engagement to establish principles, rights & responsibilities. Multi-stakeholder-defined principles and then stakeholders implementing the concepts as appropriate for their separate roles. This engagement could take place in an IGF model, working regionally and nationally.
You cannot legislate for trust – it is more to do with the cultural environment in which you are working. How do you get the concepts to stick if there is no binding agreement? Self regulation depends on society and values.
Is it easier to focus on the major issues where every country agrees it is wrong – child abuse, drugs etc.?
We do need to have government-to-government debate and agree things and have treaties because that is what makes things binding. However, international legislation is too slow for the speed of development on the Internet and it might be premature to try to look for agreements at that level until we are clear about the principles of rights and responsibilities.
One view was that a convention between a small group of countries (like the Council of Europe) is not a recipe for success. But this does happen successfully – smaller groups of countries (and it happens a lot in Europe) do strive to come to an agreement because it makes trade and the economy work so much easier.