Transcript: From cybersecurity to terrorism - are we all under surveillance?
EuroDIG 2016 BRUSSELS, BELGIUM 10 JUNE 2016 11:30 AM LOCAL TIME PL 3a FROM CYBERSECURITY TO TERRORISM - ARE WE ALL UNDER SURVEILLANCE? GOLD HALL
Services provided by: Caption First, Inc. P.O. Box 3066 Monument, CO 80132 1-877-825-5234 +001-719-481-9835 www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> JENS HENRIK JEPPESEN: Good morning. Welcome to this next panel. My name is Jens Jeppesen I work for the centre of democracy and technology. We are a public interest group focused on technology and Internet policy and digital rights. I'll be moderating together with Lianna to my left here. And the title of the panel is are we under surveillance. And I think it's fair to say that when we look at the trends in technology and society there is more and more data, there's more and more information available about individuals, citizens and consumers. Our lives are increasingly digital. We leave digital traces, they're left behind and they're collected and stored and used for various purposes. Most of them quite legitimate whether commercial or public sector. But many pointed out there is a scenario where the increasing availability, the increasing collection and combination of data creates a scenario of almost unlimited surveillance of citizens. And I think most people would not want that scenario to become reality. People want to have the expectation that their communications are private, that their data is well protected. And that we choose with whom we share information. At the same time, open societies need to protect their citizens against the real threats we know exist whether from terrorism or organized crime. So the security services, the law enforcement community needs to use technology, needs to access information and data that's available. And so there is a balance to be struck somewhere. What we have seen in I think in Europe over the past few years is many countries, several countries expanding their surveillance capabilities and introducing new powers for law enforcement and intelligence services. Just this week the U.K. the parliament passed the investigatory powers bill that creates new and broad powers that many people think cause significant concerns for human rights and privacy. So there are many dilemmas and objectives to balance. And we heard in the previous panel people talking about the privacy versus security dilemma and I think some people think that's a mischaracterization of it. But I think what is certain is that the solutions that are needed for societies to meet these challenges involve law and technology and policy, they involve government Civil Society, and there are companies in the technical community. So I'm pleased we have such a well-qualified and diverse panel to talk about these issues today. We want this as always to be an intersective session so Lianna and I will moderate among our key participants but we really want to encourage people to talk from the floor and to ask questions. We will have a short round of opening remarks and Lianna will now introduce our key panelists here.
>> LIANNA GALSTYAN: Thank you. I will introduce our key participants. The first to the level of Jens is Jan Kleijssen, director much Information Society and action against crime wide variety of issues including freedom of expression, cybercrime, and money laundering as well as action against trafficking and drug abuse. He is the author of several publications in the field of Human Rights and international relations. Next to him is Christian Borggreen director at the Brussels office of communication and industry association. He leads CCIA's work on data flows and engagement with national institutions such as the council of Europe, ITU. Next to him is Harry Halpin director of W3C, standardizing the use of encryption in browsers. He received his PhD and he enjoys studying web phenomena and the development of consensus and collaborative tagging. Next to him is Gregory Mounier, head of outreach and prevention at European cybercrime centre. He has been with Europol in various roles since 2008. And next to him is our female participant and at this stage, Valentina Pellizzer, president at OneWorld Platform, an organization that works on the intersection of women's right and Internet rights. She's an activist, feminist, writer and blogger currently serving as vice chair for progressive communication. She is an advocate of feminist Internet, and also founder for first feminist alternative web portal. And next to her is Sacha van Geffen, managing director at Greenhost. A company specialized in simple solutions for complex IT problems as well as dedicated to provide a sustainable Internet infrastructure. Sacha is a specialist in Internet security. He's coauthor of basic Internet security, a manual for securing online communication primarily intended for journalists. And myself, I'm Lianna Galstyan, a board member.
>> JENS HENRIK JEPPESEN: So I think we begin with Jan.
>> JAN KLEIJSSEN: Thank you, good morning, everybody. Many of us who traveled through Brussels airport on the way to this conference would have paused a moment and spared a thought for the victims of the terrorist attack that took place only so recently. It cannot defeat us, cannot defeat democracies that respect the rule of law. There's a risk that we defeat ourselves by lowering our standards and that we firmly believe at the Council of Europe is a trap we should avoid. I will not repeat what the Secretary General said this morning in his speech and during the discussion. The standards we have notably in the cybercrime convention and convenience 108 in data protection are a very good mix of sanctions, security and safeguards which we should keep. I would like to highlight here on two, perhaps three issues if I may, Jens. First I was struck this morning that we shouldn't speak to security services, they should speak to us. They should speak to us. Shouldn't we really consider that in a democracy us is everyone who defends rule of rights and rule of law, that is Civil Society and state structures, and them, they are the terrorists? We are on the same side of the fence. The right to life is just as important as the right the freedom and expression. In a democracy Civil Society, government structures should really work together and also within industry as it’s become very clear in a number of cases to make sure that they, them, the terrorists, can't win. That would be really one of my first, first key messages if I may say so. But really something I think is very important to bear in mind. And then perhaps to focus on two issues in order to respect the time. Security has been mentioned and the need to strike a balance but we should also distinguish on the one hand between surveillance, the gathering of data and specific investigations, the need to get concrete evidence because there's often confusion between these two and I would like to point out the differences. As regards to mass surveillance, there are clear standards that have to be respected. A legal basis, foreseeability, effective oversight, just to name a few. It is also clear that as regards to Brussels attacks and to the previous Paris attacks not to mention other terrorist incidents information was available. It is not that information didn't exist or had to be gathered; it was just not exchanged or sufficiently exchanged. That is a big challenge how to ensure that information is available and has been gathered in a democracy one would expect legally and in many cases with regards to Brussels as Paris perhaps because there were investigations that this information wasn't exchanged. It should be exchanged while respecting standards for data privacy. So that is the surveillance data issue. Then it comes to electronic evidence. Now, in the fields of cybercrime which for the purposes of this now would comprise terrorism, much evidence critically needed evidence is electronic evidence. And more and more it is not stored on a hard disk anywhere but it's started in the cloud. And it is one of our big challenges to ensure that we can agree amongst ourselves, amongst democracies, how to enable us to access this evidence, critical for criminal investigations, critical in the fight against organized crime and terrorism while respecting safeguards. Because of course with the Cloud you have a variety of jurisdictions, it moves very quickly. The suspect may be in country A, his data may be in a server or he may put his data on a server which is owned by U.S. company but is then placing it in some remote island, how can you get to his data? We speak a lot about rule of law but in the cyber world rule of law to some extent is almost an illusion. Only in very, very, very small percentage of crimes committed in cyberspace are actually investigated and even less are actually brought to justice. If ministers of justice and senior police officers had the same success rate in solving cybercrime as in ordinary crime sorry in ordinary crime as in cybercrime that is to say that if ordinary murder, theft, et cetera were only solved to that very small percentage most of them would have to resign within hours I think. So really we have a big challenge here. So to sum up, the us and the them, the data are available, let's see how we can exchange while respecting safeguards and let us not confuse gathering of data with very specific requests for information in the framework of police investigations. Thank you, very much.
>> JENS HENRIK JEPPESEN: Very good. Thank you, January, on to Christian.
>> CHRISTIAN BORGGREEN: Thank you very much. My name is Christian Borggreen. For us when we talk about technology and data driven technologies it's services and products that people use because it enhances their life, whether it be smartphones, smart fridges, or insulin pumps if you have diabetes but people are coming closer and closer to our life. As technology becomes engrained in our lives, there's a responsibility to upheld that trust that consumers put in us in our services which is a commitment we take very, very seriously. And of course data privacy, data protection is a fundamental right in Europe and many countries so it's a responsibility that we take extremely seriously. And of course if you as a consumer don't like your communication app or something else you can just switch to another one so that's why we want to also make sure that consumers trust and have certainty in their services that they use. But as been mentioned earlier and just now of course it is a balance with other rights including the right to security and that is a very difficult discussion to be had. I want to mention that we are facing in our industry related to this balancing act the first one relates to transparency, we want to be transparent to our consumers so they know under what circumstances and what type of circumstances that their data might be provided to law enforcement when they have sort of a legal order to do so. In the U.S. our sector fought with the U.S. government to be able to provide this transparency and now most of our members provide transparency reports where consumers can see the amount and times of request that have been approved or denied by companies. We hope in Europe there will be also maybe more transparency among European companies when it comes to these requests. Also encryption, we see many governments are pushing back on the ability to provide strong encryption. And I'm not going to use the word back door but there is a pressure on companies that they provide access to this encryption. And of course the rules that we decide in our western democracies will be also legitimizing what is happening in less democratic third countries so this is also something maybe we should consider. Thirdly many of the laws that law enforcement use, maybe not so much in Europe but in the U.S. are quite old. In the California case I think one of the rules were like 100 years old, from 1911 or so. And this was about getting access to an iPhone. So you have an iPhone and a law written 100 years ago. Maybe it's time to update these laws and provide more transparency to users. Finally in cyberspace questions like jurisdiction become extremely difficult. We understand that. We think there needs to be a discussion about how to make sure law enforcement can do their work but it should be in full respect for privacy and security. It should be proportionate, necessary, et cetera. So we would welcome a discussion on that. And of course there are few international rules like MLA procedures between governments on cooperation and of course these procedures need to work and they need to be efficient. And it seems to not entirely always be the case today. So I'm just going to finish just to sum up for our consumers, transparency, privacy, security, it's extremely important and extremely important for tech companies. We should look into encryption reform outdated laws and have governments solve their conflicts of privacy laws and make sure they are collaborate but with the full protection of privacy and security. Thank you.
>> JENS HENRIK JEPPESEN: Thanks, Christian. We move on to Harry.
>> HARRY HALPIN: Okay. So the question of this panel is from cybersecurity to terrorism are we all under surveillance? And this is a very personal question for me. When I flew in last week, I flew through Frankfort, very large airport; I was stopped at the border and the German police said sorry, we can't let you in. I said oh, why? I'm a security expert, I fly a lot. And the reason is that there's a mark on my pass part. The Germans are like we have rules but there's no explanation in the database. This is a problem. After phone calls and missing connecting flights, I was let into Europe where I work on cybersecurity and open standards to basically make Europe and the entire Internet more secure. But I want to just make a very simple point. What happened to me being put on a list without due process due to national security exceptions because I've investigated this. We put requests to data protection authorities. Because of national security exceptions they don't have to answer why you've been put on a list. They don't have to answer who they have been sharing data with including sharing data with countries outside of Europe which often have less of a rule of law particularly regarding human rights, and there's no way to ask for removal from such list. And this gray zone caused by hysteria over terrorism should I think be eliminated. I think we should eliminate national security exceptions to Human Rights, we should enforce data protection, and look, I understand terrorism is a threat. I was in Washington, D.C. when except 11th happened. My last talk on cybersecurity was canceled because of the police raids to capture the people who were behind a massacre. I personally helped track down pedophiles over the Internet. But at the same point when you have such an out of control system where this database is being shared with personal information it all disappears into a dark abyss that the rule of law and the light of justice cannot look into because of national security exceptions. This is ultimately a failure not just of intelligence and not just of our legal frameworks but of failure of the very fabric of the society that we have been trying to build, a society that is helping, a society that is not afraid, a society that should essentially encourage free speech, should not be able to effectively use a vague undefined word like terrorism and not maintain secret watch lists. I think we should eliminate them, if not we face dangers in the future to have economic and technological problems which will lead to more crime and more social unrest. And now is the time to solidify those frameworks both technical and political.
>> GREGORY MOUNIER: Thank you and good morning, everyone. I'm Gregory Mounier. As a private citizen I feel pretty sorry about this time of problems that you might be having at a border. On the other hand I represent the law enforcement community. We are not intelligent services; we operate in a very tightly regulated legal framework. We are and our investigators the ones working on a daily basis on cybercrime, drug trafficking, terrorism as well are working using very targeted technologies and targeting surveillance. So I'm not sure that my testimony on this panel is very relevant because we are not in contact with mass surveillance techniques or bulk data storage. But on the one hand you have these type of situations where indeed there is abuse of watch lists and the system is not working properly and as you say national security argument might be using and being abused for other means. On the other hand of this group you have investigators that are working on serious cases that are lacking the technical tools and lacking the legal framework to do their work. And I come back to what Jan was saying there's a lack of harmonization in terms of regulations in terms of lawful access to data. I think we need to work on a fair transparent and legal framework that creates a level playing field for the industry and for law enforcement to request legally and lawfully certain types of information. We need also to harmonize issues such as data retention. I know this is a very controversial topic in this type of community but my work here and my role is also to speak on behalf of the grassroots investigators. I want to tell you that the lack of harmonized legislations is posing real problems for them. I'll give you an example. If we are working on a case with six different EU member states targeting an organized crime group based in different member states, if we find out that the criminal infrastructure can be a server is based in one specific country where the data retention period is only 48 hours we know we won't get any information and we can close the case and that's a real problem. What that also implies for us as soon as we get information we need to prioritize our activities. So which means we are going to work on the information coming from one specific country instead of what the logic is and the high value target. The other point is about encryption. Encryption is an issue that had a high profile. For a grassroots investigator encryption is really a problem. We have surveyed throughout Europe and it comes out that more than 75% of the cybercrime investigations are hindered by some sort of encryption. We do support at Europol, we believe it's an essential security pool in our digitalized, protecting Human Rights, freedom of speech, privacy, protecting the digital economy. And we are not for any technical means that might be weakening the system. Encryption and anonymity brings criminal opportunities so we need to have a grown up discussion about it. And as a matter of democratic society coming to a balanced solution. Some of that solution may be legislating around lawful access to data. We need evidence, we are investigators, we are police operating in a legal framework. Maybe it's good to have information before it's encrypted. That's the type of things we are trying to promote. The last point I want to make which is really problematic, IPV 6 is not coming fast enough. The use to mitigate IPV 4 has impact on investigators. Just use your smart phone and connect to the Internet, the police won't be able the find you. When I speak to a grassroot investigator we need to get rid of that technique or we need to find a solution. I think that's it. I'll pass on the mic and thank you very much for inviting me.
>> VALENTINA PELLIZZER: Okay. So a note on this general mind sitting here. I was thinking to define myself as a self defined male because the fact that I'm an outside female it's your projection. But then I'm an outside female and I think it's important that I'm here and I hope the content will prove that it's important that I'm here because you will have plenty of women whether it's a literacy empowerment issue or terrorist big tough issues women are less relevant. I would like also to say are you able to identify a terrorist? How a terrorist looked like? I was a potential terrorist because I didn't reach my destination in Washington, D.C. because I was going last year and this year three times in which is formerly Iraq. If I'm holding a passport I'm a potential threat. So at the airport the migration officer and U.S. citizens decide that I couldn't embark and I came back. Thanks to Internet so I can join and participate in the conference I was to talk and it was about women's rights over all. So this is about my gender and this is about how a terrorist look like. Now do we live in surveillance? Yes, of course. Macedonia, 20,000 people were stopped by their government using the public telecom. Now there is a big scandal. Being on the street, it's a colorful revolution that was stopped by the EU trying to talk with. And siding with the power. So still citizen on the street, surveillance happened. Why? They want to just hide that they killed. And the killer was someone very important to the prime minister. Surveillance, the back door in the telecoms you can spy anywhere hacking team. Those governments they are poor, they live on monetary funds but I pay for those people. Everyone spies on everyone. So yes, we live in surveillance. Citizens live in surveillance. It's a minority report kind of state where we live in. This is together with fragile democracy, you have a separate of state and institution. Judiciary, it's nominated and chose by political parties, the one in power. At the moment the political parties are the same 20 years ago when the war started. So tell me about who is really able to stop at the top with who? And then the chilling effect, if someone is spying on you, which kind of so if you look at diverse you are Avengers. If I go as a woman to the police and say there is a revenge because I'm going through a divorce and my ex portrayed me as a prostitute, if you are a mother and the friends of your children decided to make fun of you and then you risk your position, your health of your own son and daughters and you go and the police tell to you why a women of your age is on Facebook? You should look about serious things. So the same cyber unit that have a dialect line when it's about child pornography, the same special unit will do nothing within the safety of an individual is at risk. But the same police will knock and your door. We protested to arrest minors that put on their Facebook some element saying we were at the protest. Still the security of the state is based on the sum of the individual safety that should be done. Thank you. (Applause)
>> SACHA VAN GEFFEN: So I was introduced as the managing director of Greenhost but I'm here in my capacity as a member of the working group working group one of the freedom of mind coalition which is about an Internet free and secure. One of the talks that we fulfilled was to look for a more inclusive definition of cyber security because it's a thing that rules debate everywhere but it is pretty there are a lot of different definitions and mostly cyber security is always framed as protecting the interests of the state or maybe of very large structures, but not necessarily as the end user. And as such it basically excludes a lot of security that is really important especially if it’s about human rights. So we came up with a definition of cyber security that is built on existing definitions that does include this end user, and as such also breaks the juxtaposition of security on one end and freedom or human rights on the other end. The definition reads as follows: Cybersecurity is the preservation through law, policy, technology and education of the availability, confidentiality and integrity of information and its underlying infrastructure so as to enhance the security of persons both online and offline. And this availability confidentiality and integrity are lying well defined constructs in the iso security standard. So as such, we hope to create a definition of cybersecurity that would resonate both with you in the room which I think most of you are probably not law enforcement and/or working on cybersecurity issues directly but are working for NOGs on human rights issues. And on the other hand would also resonate with the technical community and with people within justice and other departments. And this is important because what we saw happening and what is still happening is that we can discuss this topic here in this panel and we can all walk out. And it's great that we do have Europol on the stage. But on the other end as we saw yesterday there were three people who were in the realm of cyber security who raised their hands in the morning session. So these are very distinct communities that go to different conferences and most of all they make their different laws. This is all framed in local laws and these are the laws that have been or are put up right now like the new intelligence in the U.K., what is happening in Germany, France, Netherlands. These rule laws what will be collected and what will be available to intelligence. And we are not talking to those people. I mean, it's not and this is something that has to change. We need to start this dialogue and we should start it on an equal basis. And if we the only way we are doing this dialogue now is saying yes, yes, well, you want to have this law but human rights. And then people say well, you know, national security. And then the line is drawn and the line is always drawn towards more abilities for security services and never towards the human rights part. So in that sense we are always losing. So what we should do is actually say you're not doing too much, you're doing not enough. You're doing not enough to protect me to protect us to protect society because if you take cybersecurity seriously, you should also protect the end user. And with it comes encryption, with it comes secure systems, with it also comes the responsibility to make sure that our cars can't be hacked in a way we get a highway in five years that looks like a scene from maximum over drive which is a very bad '80s movie from Steven king but with the Internet of Things that becomes closer and closer. So my goal is to stop using this kind of speech of security versus freedom, security versus Human Rights but to talk about security as something that enables Human Rights and should enable Human Rights. And then we are talking about tradeoffs between security and security and then we are talking the same language and then we can actually have the debate that we should have about what we want to do to be able to both protect the sex worker and jail the pedophile.
>> JENS HENRIK JEPPESEN: Okay. Thank you, Sacha. That concludes our opening remarks from the key participants much I think we got a very broad range of perspectives and also some very interesting personal experiences that gives flavor to this discussion. So now is the time for questions and answers. So we have people in the room, we also have people in other locations and they have the possibility to feed in questions via our remote moderator here. And I think we have the first question here from this gentleman.
>> AUDIENCE: I'm Patrik, Council of Europe. The Department on Information Society. What I wanted to say especially also after Sacha intervention at the end, my remark basically is we live in one society. And unfortunately very often what we look at is from very different communitarian perspectives to the same reality. And I would like to come back to what Jan said at the very beginning. We have to and especially as an institution like the Council of Europe; we need to be able to look at society as a whole from all those different perspectives. We have to be able to bring these different communities together. Since I'm also dealing with data protection and cybercrime and freedom of expression, what I often realize is that we are talking maybe in a multistakeholder perspective but uni-culturally. That is that we look at our realities from one single angle. And if we want to promote a real dialogue, that dialogue needs to involve everyone. And I've seen it in IGF; I've seen it in EuroDIG in the past. Certain communities are under-represented. The law enforcement is under represented, let's face it. A second thing we really need to make that distinction between secretariat approach where we constantly speak about the increased mass surveillance and I think it is extremely important that we have a very close look at what that mass surveillance entails and what that means in our democratic societies. That's why the council proposed to start codifying these elements. At the same time let's not forget that when it comes to international corporation around European corporation in particular that will be the first item that national authorities will say this stays with us. We do not want an international organization to start looking into. But please distinguish and that was clearly indicated also distinguishes between mass surveillance and criminal investigation. And if we are mixing those two things constantly, then we point the finger to law enforcement who are doing their job in a democratic society, to ensure that our Internet is and remains a basis for societal dialogue where we can protect the sources of journalists, where we can protect the whistle blowers, that is crucial. And that distinction if you're not capable of making it, we will always mix the discussion between what is a secretariat approach which is promoted by the developments of opponents to democracy and what we need to do to protect the free open space which is the Internet today. And it's not a question to anyone. I think everyone has brought a perspective into that which is very important but we need to look at it from a more global complete societal aspect. And we tried to do that in the Council of Europe bringing together law enforcement officials and data protection officials, they also speak different languages. Freedom of expression activists and law enforcement. I think it's crucial that we need to continue doing that and I think as was the foreign minister of Estonia said this morning, if the EuroDIG in 2017 wants to focus on that, we have to ensure that law enforcement is also better represented in this type of dialogue. That's all I wanted to say. Thank you.
>> JENS HENRIK JEPPESEN: Sorry, before you continue, does anybody want to comment on this remark?
>> HARRY HALPIN: So one quick comment. I agree there's a difference between mass surveillance, targeted surveillance. So two points. One of which is targets balance what puts me on a watch list. Target surveillance can be targeted at what many people would think is the healthy functioning of a democratic society. So it's not really I think you don't want to say mass surveillance is bad but target surveillance is good. It actually should be dealt with on a case by case basis. You should not just enter this sort of nebulous gray zone when use the word terrorism and targeted surveillance. People like myself, climate change activists whatever. It should be stopped. Europe does not have the investment, the systematic investment that was put in depends how you feel about Britain buying the U.S. Well, France has some investment but they do not have the capacity so what you could do is if we followed Sacha's advice and created more rights' respecting Internet, also actually probably it's better preventing cyber-attacks if you have more secure infrastructure and mass surveillance I don't really think it actually helps prevent crime. I mean it seems to be mostly used for economic sabotage. I don't think it's actually used very much to stop terrorism or what not. I've seen very little evidence that. It's very dangerous, I think dangerous that it could be used against internal people internally inside the country and that's where the concern is but we already know target surveillance which does work in Europe does this.
>> LIANNA GALSTYAN: I see remarks?
>> It's important surveillance is in Europe, it's important to have the discussion about surveillance in Europe. (Speaking foreign language) is a French word. We can't all be American. But when it comes to law enforcement, crime has happened or is about to happen, law enforcements wants to have access to that. Crime happens in Belgium, the Belgium police would take care of it and the material was probably in the apartment. Physical material. Now that it's in cybersecurity, you can have the crime take place here the criminal is in one country and the data is in another country. It's difficult for countries to make sense of this loss of jurisdiction in cybersecurity. And there's different approaches. Some countries will try and over reach and ask for the data regardless of where it's taken place. It's an Internet sovereign approach. And I'm hoping maybe here in Europe we can figure out a way to make sense of those procedures so we can actually have transparent laws and transparent procedures which respect security and privacy.
>> SACHA VAN GEFFEN: So just to get back to the mass surveillance. I think the major problem of any kind of mass data collection is in the end you will be looking for a needle in a stack of needles. And in a way if you have enough data the only thing you will find is noise that looks like the data you want to have. We have actually seen this with all of the recent even terrorist attacks where information was available but it was not there at the right place at the right time and this was not even collected through mass surveillance. So managing information is I think one of the key issues of both intelligence services and police, and I wanted to dive into that a bit because like grassroots investigators were put to the front, I think there is an enormous lack of training and skills at like base police and investigative if it comes to the Internet and what you can do. And that is blocking a lot more of the current rate of solving crimes than anything else because if I get to the police and have to report a crime that happened online, it will take me my whole day to explain to the police officer what I'm actually reporting and why it is a crime.
>> JENS HENRIK JEPPESEN: We have a question from the floor?
>> AUDIENCE: Thank you very much. I'm from Lebanon. It's my first EuroDIG. And I thank every panelist for whatever you said and I'm going to project back to the first speaker and I would like to thank you for the very touching start. And I would echo you and add all the victims of terrorism around the world not just this Brussels. The word terrorism around the world is used so differently. Since Europe is being a role model with its laws, courts and Human Rights, I think you should be very careful when you develop laws then said we should define what is terrorism and how to deal with it. Since it's the role mobile of the world in terms of human rights, Arab countries where I come from it can be taken advantage of. In Saudi Arabia a blogger is a terrorist. He's given a thousand flogs just because of a blog. When you consider laws look at the world as your role model in Europe. That's pretty much it. Thank you. (Applause)
>> JENS HENRIK JEPPESEN: That's a really excellent point. Thanks for making that. Did you want to come back on that? Do we have other questions? Do we have remote questions? Otherwise excuse me, go ahead.
>> AUDIENCE: Hi, my name is Lucy. I work for access now. Now first of all I would like to say there are conferences where these people get together. I please, let's talk after. I was at Europol a couple weeks ago. There are more of these emerging and there is space for Civil Society to engage. So let's take advantage of this and let's connect and see what kind of an impact we have. There was also Microsoft cybersecurity summit. So we have these platforms. I think we need to be more effective in engaging with them and Civil Society. Secondly there's a question about lawful access and what it means to be a terrorist. Now when I was 16 I moved to Kuwait because my parents were working there. And I was a bit of an alternative kid. And I was put under surveillance back then. I didn't know what it meant. I logged on to my computer and I was rerouted. Certain websites were blocked. I brought this up to my mom and she said maybe don't go online at home. And I didn't know what that meant back then. Then I said something a couple months into my stay there something very stupid, like I fucking hate religious people, something, like a very strange projection of teenage angst. But the minister of interior integrated my mother who was also profiled because she was single, divorced since I was three. We for them were the risk factors in that community. We were the weird ones; I was a potential hazard and didn't seem to be normal. What you perceived to be lawful and normal in our society and yes in Europe we enjoy a lot of human rights. I want law enforcement to be able to do their job but I want you to be profoundly aware that what is normal for us is not everyone's normal. And you can be completely ostracizing and shunning young people just like I was shunned in that society. That did nothing for my sense of self; it did nothing for my sense of identity in that community. I became more alienated. In the Internet referral unit that runs under Europol, I think if you by relegating these powers that you should have as law enforcement to pursue illegal online content to platforms and in the Europol regulation it states that illegal content will be left to the discretion of online plaintiff facilitators to remove this content, you're making that step and that ruin of online an illusion. How do you reconcile the goals that you have with what I just said? Thank you. (Applause)
>> JENS HENRIK JEPPESEN: Very good point. Thank you. I think Jan and Greg should come back on this one.
>> JAN KLEIJSSEN: I agree with what was said. I think it is clear that the whole development of cloud computing and electronic data not being accessible cannot be blamed on the legislators. These are developments that are very fast and let's not be naive, criminals and terrorists have used every opportunity these new technologies give them in order to operate better. It is certainly clear that we need to enable access to evidence in the framework of criminal investigations. If I may come back to what Harry said, and my colleague mentioned the difference between mass surveillance, surveillance and criminal investigations. That's not targeted surveillance, that's a criminal investigation. That's a proper criminal investigation that happens to include electronic evidence but just as the same as if you stole a bicycle or a car theft. The evidence has to be secured. We have to see within industry how we can make it possible for countries to have access to this data. The real issue is jurisdiction as you rightly say, which laws apply where. You also mentioned MLA's. The average time spent for an MLA request at the moment is six months. So at the moment we are considering the possibility of two things, protocol to the Budapest convention. One of the elements would be that states could allow under certain circumstances with safeguards that their police, I'm speaking about police here, not secret service, but police and law enforcement could make a request to a private company that holds data elsewhere before going to its own judicial authorities simply to enable that law enforcement to get the data before it disappears. I think it's a bit unfair to say it's only the fault of the legislator.
>> JENS HENRIK JEPPESEN: Thank you.
>> GREGORY MOUNIER: Thank you. Maybe before making comments on the Internet refer unit I want to make a point on surveillance as well. Targeting surveillance surveillance is one of the tools in a toolbox of investigators. You need to have targeted surveillance tools, for instance, if you're working on an organized crime groups. You need to be able over a certain period of time so basically monitor what they're saying in order buildup your case and investigate. And in terms of law enforcement engagements with the Internet community and the Internet governance community, we have that conference together with unesa (phonetic). We hope to do it again next we are and we invite the broader community to join because that's one of the platforms where we can have a proper dialogue on these very important issues. As a private citizen I would agree with you, I think there's a trend towards maybe privatization of policing online and that's been not ideal. However we need to be realistic. Over the last two years we have been faced with very serious problems, something new. The abuse of something that we all enjoyed, social media platform by terrorists to call for terrorists act and awful images and things. Should we try to sort the jurisdiction problem which is a very long term perspective and at the same time try to address something really pressing? I think you need to be realistic and I think the compromise we saw and before that, it's answering a need with supporting the law enforcement of the member states to get rid of that propaganda using our platforms but you need to find a realistic and short term solution. I know it's not the ideal solution but I agree we should push for something more holistic, we should have harmonized legislations but at the time of addressing that problem that wasn't the case.
>> I'd shortly like to reply on the fact that there are already some platforms to where this debate is actually taking place between security comments and Civil Society groups. I think there might be a few, there's a trend of some more. But it's still not so much, it's still very distinct. Especially if security communities are still doing a lot without consulting. And I think even like the recent thing with the new things between Facebook and Twitter and the commission is a great example of how things are going really the wrong way and how this is handled. And I really disagree with that kind of putting responsibility on the platforms because that is a very deep chilling effect because it's removing the rule of law actually and leaving it to the kind of like whatever the platform wants and that's really bad.
>> You go ahead.
>> Thank you very much. I'm Mary Anne Franklin. Thank you for making distinctions between law enforcement, mass online and terrorism. However the recent perpetrators in the last few years in Europe have been known to the authorities and they often advertise what they're doing on Facebook. So the assumption through encrypted means I’d like to address that. But what forms of legal recourse for individual citizens or groups who find themselves being subjected to disproportionate forms of border control. Our borders are being turned into brutalizing dehumanizing moments of access and exit. So what does an ordinary person do if they feel they have been inappropriately treated, incorrectly treated put on lists they shouldn't be on? Where does one go? I mean this is a hugely I was wondering if you can respond to some practical measures for the rest of us, where can we go if we think wrong has been done to us, we have been inappropriately treated? I feel this part of the conversation really needs addressing at this point. There are bad people out there, we know that. Thank you, very much. (Applause)
>> JAN KLEIJSSEN: Thanks, v a relevant question. Of course what happened to Harry, what happened to you, shouldn't happen. When the Secretary General mentioned the court of Human Rights, governments are supposed to implement decisions and follow the case law. In the recent year if you were to look up and you can find on our site the case law, violations have been found. There were individuals who took the trouble and I'm the first one to agree it is a long and complicated process to get there but a number of people did and they won. These cases have established firm principals which our governments are supposed to uphold. And please keep reminding them it's where we need the help of Civil Society to make sure that these decisions are known, that these principals and decisions are known by law makers, by national parliament, by your authorities and refer to them.
>> JENS HENRIK JEPPESEN: Thank you, Jan. Do you want to comment on that?
>> VALENTINA PELLIZZER: I would like to go back two spaces. Because we always talk about the importance of a Civil Society to be in this place but to be in this place is incredibly expensive. And activists today don't only work, they sometimes do other things to survive. So time, money, so if you want to have access, if you want to have those people in the conversation then we need to have them probably at the national level. But this is access. It's a real access knowledge. Because people need to be able to participate and not just be impede to participate because they don't know what IPV 6 because no one spends the time. Because this is the reality. And also about platforms. Yes, there are platforms mainly in English. So if you want really to have a global participation, really it's a global, why a person needs to be very, very fluent in another language and never can use their languages? And also the experts. So I think if we want to make not just have a blah blah of participation, if really want to have the people, the citizens, the user, the customer, the ones that suffer the terrorism because again victims are individuals, then I think we really need to talk about access because security, cybersecurity, surveillance terrorists, I know by experience how people feel and they're not ready to talk about this big issue but it's our life and we are expert in our life. And it’s about the so called expert legislator they have to talk. In my reality I know that the big company will sit with the government without getting the specification of how they're going to protect the people. No one called me to be there. To be part of the design. So I think we need a meaningful participation, not to have a talk, of people, to Civil Society, to legitimize what the elected individual are chosen by the people, servant, public servant.
>> Thank you. I also support that point in regarding the language. Sometimes people forget that not everyone in the world are English language carriers.
>> HARRY HALPIN: I would like to make a point on the recourse. What do you do? And it's actually very interesting. So with my case which didn't happen in Kuwait, I was living in the U.K. doing, UN, climate change activism which is now celebrated in Paris but at the time it was viewed as fringe and possibly dangerous. And was targeted by essentially a law enforcement operation who was just gathering intelligence, you know. And I almost feel bad for the poor German border guard because they don't know why the British put this on my passport. And the problem is that I'm a pretty I'm a white guy, decently wealthy, I've got security clearances, I work in cybersecurity so I can afford a lawyer. We are going after the case. But I want to bring up the national security exceptions and back to what Elsa said over terrorism. I would like to know how to get off this list, it would be nice, and I have to travel for work. And when you ask the British police authorities for information, it's a bit complicated, and they won't give it to you. They will give you some. Maybe a parking violation. And everything else which we have well documented, it's an exceedingly well documented case, it's a terrible story. Even though it's well documented we have photos and court papers, the police won't hand over any of that for someone to say hey I would like to get off this list because that would violate whatever national security exemption they were running the whole crazy operation under. This is why I think the real likes is eliminating national security issues and eliminating the use of the word terrorist. I was in Paris, Washington, D.C. That's murder. People get murdered. That's very different from blogging and very different from non violent Civil disobedience and marching. Different from pedophilia, it's very different from a parking ticket. Criminal terrorists. You lose track of the precise nature of what you're doing and all sense of proportionality. And that's the real problem with the entire legal framework that is crafted here. And I do think Europe is doing a better job than most places by a long shot. That said, we have to really fix it. I think if we can't fix it legally we will have to fix it technically. And that someone like myself, you know, I am going through the properly legal recourse because I'm very privileged but so many other people who are poor, you know, who are Muslin, being targeted, when people are targeted, they become people who want to murder people. And this is the real problem so I think that's what we need to stop. (Applause)
>> Thank you. Just
>> Just for a moment before you speak I would like to pay everyone's attention to the screen. We have our reporter’s notes; and if you just have some disagreement with that, you can have a speech on that. So... go on, please.
>> Just a quick comment. The question from the floor is what are my redress opportunities as a citizen if I'm on a no fly zone, maybe you have the same name as a terrorist which is very unfortunate and you want to clarify you're not that person, you're you. So it's quite interesting and quite a lot of debate about this. The congress is passing a new act called the initial redress act, I know that because we were the first association to lead those efforts to push for a year and a half to give that right where European citizens, all 5 million European citizens have the right that they can take the U.S. government to court, they can clarify the data and have redress procedure there. There will also will be a new ombudsman person function hopefully in the summer so these are some mechanisms happening in the U.S., thanks to a debate. I'm not saying it's perfect but there's a decision and things are happening there. In Europe there's less of a discussion but it's interesting that Americans don't always have these rights here in Europe, for instance.
>> JENS HENRIK JEPPESEN: Thank you, Christian, if there are no questions at this point I wanted to see if we could just get a bit deeper into the encryption problem because I think both Jan and Greg alluded to it as Sacha mentioned it as well. So after the Apple FBI case there was an uneasy truce. But is there a perfect solution here where we can keep systems and devices and services protected while at the same time law enforcement can get access when they feel that they need? I'm not sure actually the Europol statement suggests there isn't a perfect solution here. Do you have a perspective on this?
>> JAN KLEIJSSEN: Thank you for such an easy question when we are close to 1:00. Fortunately the FBI Apple case was an exception. In most cases or at least in very many cases data that comes from normal law enforcement procedure request for information is actually granted. And for instance, Apple makes these data transparent, it indicates the number of requests it complies with. Also the number of requests it complies with varies greatly from country to country. If I remember correctly most requests are accepted in the United States. A large number from Europe. Although then the percentages from European countries seem to vary a lot so there's something definitely to be done. We should make sure that and then come back to the us and them, that the ones that are laughing at this are the terrorists. That companies and governments can work out procedures that do respect human rights that, do respect the standards I've referred to that make it possible and again make this distinction in the framework of a concrete criminal investigation into a specific case with proper judicial guarantees but in such cases the evidence that is needed to prosecute can be obtained.
>> JENS HENRIK JEPPESEN: Views on this?
>> VALENTINA PELLIZZER: Just I wonder before the digital, before the encryption, how mass murders were arrested? I would say that mass surveillance is the anti intelligence because it's cheap. You use a super algorithm that costs millions or many algorithms and then you're harvesting. But you can use actual people because if you have to follow or to target or to be alerted, I think that, you know, so I think it's a cheap way. Less police women or men start to have this wonderful silver bullet. So an encryption I think this difficult word should be the rise of communicating with who I want, when I want, any time. So I would like to understand why we focus on encryption when we should focus on how make sure we use intelligence to protect the people properly, not get the shortcut of the super-digital which in one place brings everyone.
>> CHRISTIAN BORGGREEN: It's extremely important for users not just individuals who want to communicate freely but for companies who want the safe guard their data from corporate thieves. Government should never be able to mandate back doors or our ability in company's encryption. If you create one back door they will be used by other persons and other criminals and other countries. You have to have strong encryptions, no back doors.
>> I think there's a lot of folklore like speak about how encryption thwarted any research et cetera that comes into crimes. I think what thwarts most of these things is lack of proper digital knowledge as I said before of, like, the people on the street who are doing this research. So these are investigators that are working on a local level. And that's where we improve quite a lot. There's things you cannot do and everyone is aware of. You can't inject a probe into someone's brain to see what they think so we can jail them for their thoughts and we can also not break all encryption to collect evidence. Most crimes are the things that in the end happen in the physical world and that is also where the most of the evidence comes from. So I think if you look at that instead of indeed as focus on the encryption, focus on the kind of techniques that that technology has brought law enforcement like DNA techniques and advance scanning of crime scenes, et cetera, I think trade-off for law enforcement is not that bad.
>> Just briefly I agree with most of what has been said so far but you can't deny there's a trend over the last 2 or 3 years for having readily available encryption techniques and there is definitely a trend of criminals and people to use encryptions to hide their traces, to hide their financial transactions to hide their communications. And in fact the evidence that used to be available for law enforcement outside encryptions is reducing. That's well documented and that's true. It doesn't mean we need to break encryptions but we need to find smart ways of getting the information we need to investigate criminal cases without undermining the security of everyone. You're laughing but it's so easy to take the one side approach and said encryption is binary questions, there's no way around it and that's it. Sorry we are living in a real world with real crime and you have a lot of law enforcement people trying to do a good job. And I'm speaking to colleagues every day and they're hard drives containing evidence and they can't crack it. So we need to find an alternative here.
>> JENS HENRIK JEPPESEN: I think we are out of time. Is there a question there?
>> AUDIENCE: Can I have a last statement? I'm a computer science student. I want to get a little bit into the technical because it's important to understand it I think. Most people when they think about encryption and breaking encryption, they see a computer and it's blinking and everything is scrolling and blah blah blah. This is not how it happens. It's very silent, you do not know when this data is used to infiltrate and see what is encrypted. And so I don't notice when I'm getting hacked by other people. And you will also not notice when you're getting hacked by other people most of the time. So I don't know if the loophole that I'm keeping hope for law enforcement will not be used by other people that won't be nice to me if we assume for a second that law enforcement will be nice for me which is a premise that we can accept but it's not the case for most of the people on our planet, actually. So I think it's very important to stick to our principals here and keep encryption. And also it has something to do with the availability of encryption; there will always be open source projects to have these kinds of measures so they will always be technical solutions for people that want to have a private conversation over the Internet. It's not a problem. And you will never be able to solve the problem at all so why will you jeopardize the privacy and the ability to have private conversations for all of the other people for most of the people who just want to like, I don't know, privately send their nude picks.
>> JENS HENRIK JEPPESEN: Thank you for that contribution. We are out of time. I think we should thank our key participants. I'm not sure we found solutions but we covered a lot of ground. And the problems can be solved maybe over lunch.
>> LIANNA GALYSTAN: Thank you, very much. (Applause) (Session concluded)
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.