April brought the start of a busy spring and a move toward a hot summer. The April briefing in Geneva and online emphasized a zoom-out view, giving a broader picture with interplay between different thematic areas. The recording of the webinar is now available.
The IG Barometer for April showed that the past few weeks were more intensive for cybersecurity, global IG architecture, online privacy and data protection, and e-commerce, compared to March; while IANA transition, ICANN and new domains, and net neutrality stayed on course; jurisdiction topics manifested no major developments; and e-commerce raised new discussions.
Cybersecurity took the lead in April
Speaking to both in situ and online attendees during the April IG briefing, DiploFoundation director and Geneva Internet Platform head Dr Jovan Kurbalija analysed the main events this month, starting with the Global Conference on Cyberspace 2015 in The Hague, the Netherlands with cybersecurity and open Internet as main topics of concentration at both high and multistakeholder levels. The chair’s statement from the meeting is already available.
One question of note was what space the Cyberspace Conference would cover: only cybersecurity? This meeting dealt with issues beyond cybersecurity, including implications for human rights, e-commerce, and others, with a triad of security-economy-rights employed at this meeting. This will raise questions for the Internet Governance Forum (IGF) and the NETmundial Initiative (NMI) as well.
The Global Forum on Cyber Expertise (GFCE) was launched by the Dutch at the Hague conference. Another point to consider is whether the supply/need ratio of cybersecurity expertise affects meeting scheduling and coverage. As the cyberspace topic faces concerns about stakeholder inclusion, the tech community reaffirmed its commitment to the multistakeholder process, supporting the Chair’s [GCCS] statement, adding ‘we hope that the initiative [GFCE] develops to be inclusive towards all stakeholders’ reflecting concerns of civil society as well. The next major cybersecurity conference will take place in Mexico in 2017.
Reflecting on the 13th UN Congress on Crime Prevention and Criminal Justice organised by the UNODC in Doha, Kurbalija pointed out that the Doha Declaration included a reference to cybercrime in its document, as the declaration mentions cyberspace (and, interestingly, infrastructure protection as well) in paragraph 9b: ‘…removing child pornography, in particular child sexual abuse imagery, from the Internet, to enhance the security of computer networks and protect the integrity of relevant infrastructure…’.
To put cybersecurity concepts into context, Kurbalija shared a triangle with 3 points representing Internet users, the Internet industry and vendors.
He continued to explain: cybercrime and cybersecurity are not the same, but have definite overlap, noting that the Doha meeting deals with cybercrime, while The Hague meeting addresses cybersecurity.
Cybercrime tools and security tools are sometimes the same. Security watches crime, and crime watches security. Cross fertilisation of tools and resources is growing. The Doha meeting also addressed protection of critical infrastructure. In contrast, at the same time, silos are sometimes more isolated than ever, and micro-silos are emerging now, albeit with some overlap. Relationships and interactions between communities are vital.
An area of strong interest, as manifested in the dynamic discussion, is the apparently de facto acceptance that the Budapest Convention, as customary law, is a solid base for future global cybersecurity instruments. There are two main possibilities: first, that the Budapest Convention will be regarded as such a foundation, or second, that a new global cybersecurity instrument will be drafted. In the second case, most points from the Budapest Convention will be included in the new instrument.
Discussion on this point brought out different facets of the Budapest Convention. For example, even though the convention is now open to signatories outside of Europe, some countries refuse to sign because it is a regional convention. One participant delved deeper into the topic of the Budapest Convention, noting that although (as Kurbalija said) the Budapest Convention is used widely in many national legislations, only some 50-55 of close to 200 countries currently formally adhere to the convention, which means that 25-30% are free to do whatever they want. Countries not participating were clearly saying that the outcome of the convention does not reflect their cultural differences, making adherence difficult to achieve.
On the other hand, Kurbalija stated that this discussion has not been as visible in the IG field; rather, some very important globally utilised principles were introduced by the convention, and have been tested and accepted since 2001. In IG, its 14 years constitute almost ancient history. Reflecting on cultural values, one can expect increased discussion of social values; protection of privacy is different in Asia than in Europe; values differ regionally. But so far, in reality, the Budapest principles are generally accepted although sometimes not signed because states were not part of the drafting process. Nonetheless, Kurbalija acknowledged the important point made concerning cultural values.
To the proposition that the convention is a museum piece – but obsolete… or priceless – one online participant suggested that it is certainly obsolete. In any case, the search for compromise continues, and the cybercrime community will continue its work, and ongoing efforts in capacity building.
In European Union cybersecurity news, the Latvian presidency hopes to push forward negotiations on a proposed network and information security (NIS) directive on 30 April, but needs a mandate from member states before it can do so. The directive would oblige critical Internet infrastructure companies to report any cyber attacks, but the definition of types of companies (e.g. which are over-the-top companies) remains controversial.
Actions in the USA raised the pressure, as a new executive order (signed 1 April) allows sanctions to be imposed on persons engaged in ‘significant malicious cyber-enabled activities’, who are ‘located, in whole or in substantial part, outside the United States’, or linked to a ‘commercial entity, outside the United States’. (More from the Washington Post online). Many questions were raised: what does ‘entities’ mean? How can this be interpreted in the context of the Sony/North Korea case? In addition, the codification of sanctions into a US policy framework requires clarification of ‘significant’, ‘malicious’, and other terms. Also to be clarified is whether the sanctions will be typical economic sanctions, or whether they might be some kind of Internet related sanction. Although the sanction order has global coverage, Kurbalija emphasised that these are US sanctions, not UN sanctions.
Also in the US, in February, Obama had gone to Silicon Valley asking companies to give information to help fight terrorism, and to facilitate the exchange of information between Internet companies and government authorities (as the French are requesting as well). Now, tougher legislation is being introduced to combat cyberattacks, while intelligence officials are hinting at front door access to encrypted data. The US Federal Communications Commission (FCC) filed new rules about this with the Federal Register, and on 22 April, the US House of Representatives passed an expansive measure that would push companies to share access to their computer networks and records with federal investigators. More at the NY Times online and Wired. This involves putting more and more pressure on Internet companies to cooperate in anti-terrorist activities, while there is continuing pressure from users on issues of trust. Kurbalija said a key point is how this request for sharing will be viewed in countries like Ireland, who host large Internet companies (e.g. Google), and asked: will this end in a zero sum equation, with more security, less privacy?
Other points were raised by DiploFoundation and GIP cybersecurity expert Vladimir Radunovic, speaking from Serbia, who highlighted cybersecurity news from China, saying that China was allegedly behind the GitHub and Greatfire.org DDoS attacks (see Ars Technica and Errata Security). These attacks used unencrypted websites to hijack browsers. Radunovic also mentioned the Google Chinese certificate authorities case, noting that Google is dropping a Chinese root certificate authority after a breach of trust. Radunovic commented on the dangerous trend of state use of DDoS, and misuse of the trust built into the Internet, as it seems China used its backbone routers to alter traffic coming from Baidu services, and used them to introduce a DDoS component to carry out a global DDoS attack against foreign China-related news services. He noted that we are seeing more states using the vulnerabilities of the Internet for their own purposes, but also more corporate sector distancing from this practice both in the USA and in China.
Radunovic also noted that an investigation of attacks by Russian hackers from last autumn revealed that some of Obama’s unclassified email communications were also accessed (NY Times online); according to Radunovic, this highly sophisticated attack proves ‘the weakest link’ concerns are justified; the US decided not to blame Russia(ns) officially, in spite of having done so in the North Korean case.
In closing his comments on cybersecurity, Radunovic referred to the Doha meeting, noting that concerns about cyberspace related crime also relate to security networks, and the need to protect the Internet infrastructure, as stated in the Doha Declaration, underlining the overlap between infrastructure and cybercrime.
IG architecture, ICANN, IANA held high interest
Kurbalija then turned to discussions on the global IG architecture, which have raised the profile of the Global Forum on Cyber Expertise, established during the Cyberspace Conference. An important question asked was: is there similarity or overlap with the IGF and the NETmundial Initiative (NMI)? The NMI improved its multistakeholder image, and will foster open discussion as it moves ahead after a bumpy start, now stabilising with new terms of reference and an invitation for comments, after being criticised during its initial phase for having a top down approach, which is now being corrected.
With regard to IANA Transition meetings, the naming community, entrusted to develop a stewardship transition proposal on naming-related functions, has published its second draft proposal, now open for public comment until 20 May. The naming community has been very affected by the transition process but is now able to consider proposals.
Adding information on the IANA transition, online participant Nigel Hickson, ICANN Vice President for Europe, explained that over a year ago now, in March 2014, the USA announced the IANA transition process, and asked ICANN to facilitate a multistakeholder process and proposal for critical Internet resources that would transfer ICANN’s IANA activities to a global Internet community (not an international or governmental entity). A significant step was taken on 22 April when the naming group, looking at transitions for gTLD and ccTLD, presented its consultation document and proposal to replace the US role in this function. The proposal is out for consultation until 20 May; responses will be considered, and on 8 June it will go to the ICANN community for endorsement, after which it will go to the ICANN board, giving the process a definite timeline. Hickson did note that it is possible that the transition might not be completed by 30 September, as stated earlier by Kurbalija.
Hickson explained an interesting proposal that suggested a legal separation of IANA through the construction of a separate body within ICANN, a PTI (Post-Transition IANA) entity affiliated with ICANN, yet with its own board and constituency, contracted by ICANN for IANA functions, like separate trading elements within a corporate structure. Hickson built upon Kurbalija’s prediction, and said he expects the ICANN/IANA transition barometer for next month to go up; it will not stay level.
In ICANN discussions of gTLDs, Vox Populi, the owner of .sucks, is involved in a trademark controversy over the registration fee of a gTLD. The registry (Vox Populi) will charge trademark owners (but not individuals) an annual fee of $2500 instead of the normal registration fee. In a letter to the Global Domains Division at ICANN, the Intellectual Property Constituency (IPC) at ICANN says this is ‘predatory, exploitative and coercive’, and asks ICANN to halt rollout. See more on theregister.co.uk
Privacy and data protection, and net neutrality
With regard to online privacy and data protection, also in focus during the Global Conference on Cyberspace in The Hague, attendees marked a trend towards wider access to Internet data by governments, as indicated by the US executive order (referred to previously). In preparation for the UK election, both Labour and Conservatives have pledged to extend the powers of the security agencies (more at the Guardian online). A new French Intelligence Bill is set to increase the powers of French intelligence services.
The UN Human Rights Council has adopted a resolution on the Right to Privacy in the Digital Age (A/HRC/28/L.27) in which it has decided 'to appoint, for a period of three years, a special rapporteur on the right to privacy'. Kurbalija explained that this is the result of a long process, initiated by Germany and Brazil at the UN General Assembly in November 2013, with the debate moving to the UNHRC, concluding with the establishment of a Special Rapporteur. A major focus during the negotiations was how much 'digital' would be in the resolution. Kurbalija noted that anyone may apply for the position of Special Rapporteur: an individual does not need to be endorsed by their state. Applications are now being accepted.
Network neutrality produced a big bang in February, as the Internet is no longer considered an information service in the USA, but a telecommunications common service carrier, as the FCC implemented a decision affecting major US companies, with worldwide implications. On 1 April, the FCC's rules on net neutrality (which came to a vote in February) were filed with the Federal Register. The new rules will come into effect two months after publication. The 2nd bang: a wave of lawsuits against the FCC in the US is predicted for late summer.
Two lawsuits have already been filed ‒ United States Telecom Association and Alamo Broadband ‒ but it is expected they will be thrown out for having been filed too early. Meanwhile, the US Congress is attempting to pass bipartisan legislation which would replace the FCC rules, but Obama is expected to veto the bill. More information is available at Marketplace.org, TechCrunch, and a blog on the NY Times [What do the FCC rules say? Summary at NY Times online].
Again from Belgrade, Vladimir Radunovic explained that the new FCC regulations will strongly protect net neutrality in that paid prioritisation of online content from service providers to end-users will be prohibited. However, the regulations leave room for possible specific agreements between telecom providers (e.g. AT&T and Verizon) and content providers (e.g. Google and Netflix). This allows the option for specialised services, which would be designed separately, but the FCC would monitor any agreements that appear to offer paid prioritisation.
Joao Caribe, online from Brazil, intervened to note that activists from LAC and India are fighting for network neutrality and against internet.org fake internet access. He also discussed the implications of Facebook’s offer of limited access as a two-sided promise. Access? Yes, but possibly with a breach of network neutrality, he said.
Jurisdiction issues were quiet during April, after the March events in which a French court established jurisdiction in a case involving a French teacher's Facebook account being blocked after posting an image of an 1866 painting; the French court seized jurisdiction based on the domicile of the plaintiff.
E-commerce raises discussions
E-commerce came to the fore with the EU considering the establishment of a new regulator to address concerns over dominance by large Internet companies. Google is facing an anti-trust action in the EU for alleged abuse of its dominant market force.
Demonstrations against Uber were held in Europe, as the company was criticized for unfair competition, and slammed by injunctions across Europe. Protests showing ISIS-looking black flags opened discussions on how to regulate Uber (free access? special status?) as an unlicensed taxi service, with its implications for e-commerce, labour, and consumer protection. This article discusses the Uber case challenge in France and one from the USA on the question of the labour classification of Uber drivers, covering the question of new language in this field as well.
Google faces anti-trust action in the EU. A statement of objections was sent to Google by the European Commission (DG Competition) for alleged abuse of its dominant market position by restricting competition. A separate EU investigation has been launched into incentives offered by Google to smartphone manufacturers to pre-install and bundle apps and services on Android. See this focus on Google and its data monopoly. Euractiv says the test for any antitrust investigation must be whether competition, not individual competitors, is being harmed.
The Riga Summit 2015: Multilingual Digital Single Market brought together top government officials, business leaders, technology developers, and language researchers to forge a unified vision for the multilingual digital single market.
Connecting the dots to upcoming events
In response to questions from attendees, Kurbalija explained a bit about the Geneva Internet Policy Observatory (GIPO). The GIP is a partner of this new observatory which will organise information on IG. While there are various mappers of mappers in this busy field, he said that it is good to have different approaches and views. The GIPO will focus on data aggregation, and on 30 April will hold a webinar explaining its strategy. The upcoming GIP Global Digital Watch, in contrast, will analyse IG through 40 digital issues, in a rich menu of digital policy.
Kurbalija noted that the briefing was held in the World Meteorological Organization (WMO) building, where climate change is under serious scrutiny. He said: expect a hot summer in IG, particularly in September. As the briefing ended, he left to catch a plane to Malta for the Internet as a Global Public Resource international conference, which will be reported in the next briefing. He hopes to bring answers to the questions: What parts of the Internet are global public goods? Data? The rootzone file? The Internet infrastructure?
At the May briefing, we will also hear about the Freedom Online Conference in Ulaanbaatar, Mongolia, from Vladimir Radunovic, who will attend the conference, about multilateral and multistakeholder spaces online, next week.
The Geneva Internet Platform is currently delivering an online course for Geneva-based diplomats on Internet governance, which started very successfully on 20 April, while a seminar on current developments in MIKTA diplomacy and vision for the future took place on 24 April. The seminar was a follow-up to a first event held last year, and aimed to generate input to preparations for the Ministerial MIKTA meeting to be held in Seoul in May. The event discussed MIKTA's potential in disaster risk reduction and cybersecurity.
The next briefing, Internet governance in May 2015, will take place on 26 May. Read more and register to participate online or from Geneva.
Be sure to stay up-to-date with the GIP IG Timeline. Main events coming up in May:
· 4-5 May: Freedom Online Conference 2015
· 4-8 May: CSTD Eighteenth Session
· 7 May: Asia Internet Symposium
· 8 May: Launch of Commission initiative on Digital Single Market
· 11-15 May: RIPE 70 in Amsterdam
· 12-14 May: 6th Annual Internet of Things European Summit
· 12-22 May: ITU Council 2015 Session, including Internet of Things sessions on 14-15
· 17 May: ITU 150th celebrations
· 20-22 May: IGF MAG and Open Consultations
· 24 May-5 June: Africa Internet Summit
· 25-29 May: WSIS Forum 2015
· 27-29 April: Riga Summit on the Multilingual Digital Single Market
· 28 May: European Commission’s Second High-Level Cybersecurity Conference