Governance challenges in the technical space: The impacts on users – WS 01 2013

From EuroDIG Wiki
Revision as of 13:02, 12 November 2020 by Eurodigwiki-edit (talk | contribs)

20 June 2013 | 14:30-16:00
Programme overview 2013

People

Key Participants

  • Wim Degezelle, CENTR
  • Marco Hogewoning, RIPE NCC
  • Jan Malinowski, Council of Europe

Moderator

  • Chris Buckridge, RIPE NCC

Reporter

  • Athina Fragkouli, RIPE NCC

Messages

  • Identifying issues where non-technical stakeholders might have an interest.
  • Bringing technical and non-technical communities together to enhance cooperation.
  • Identifying the appropriate role for governments and regulators in IPv6 promotion.
  • Noting that there is no need for states to substitute this liability with regulation.

Session report

Workshop 1 looked at some of the governance issues of specific concern to the technical community, and the implications that these issues might have more broadly in terms of social, economic or security impact. The goal of the workshop was to identify issues where non-technical stakeholders might have an interest and consider how they might contribute to the development of policy solutions.

Marco Hogewoning of the RIPE NCC discussed the example of IPv4 depletion and the deployment of IPv6. He highlighted the problems with the transition from one protocol to the other and how this may affect Internet users in the long term. Discussion also considered what issues would convince Internet users to take an interest in behind-the-scenes technical matters – issues such as privacy, traceability, or the breakdown of basic Internet services. Participants also considered the appropriate role for government and regulators in IPv6 promotion.

Wim Degezelle of CENTR provided a further example of a technical governance challenge in the deployment of DNSSEC, security extensions to the DNS. He talked about the successful adoption of DNSSEC by many ccTLDs, but he pointed out that there is still a long way to go in convincing registrars and Internet Service Providers to employ DNSSEC. The role of government was again discussed, with agreement that leading by example was an important public sector strategy.

Participants, including panellist Olivier Crépin-Leblond (ISOC UK England and ICANN At-Large Advisory Committee), discussed possible ways to bring technical and non-technical communities together to enhance their cooperation. Technical community engagement with law enforcement agencies was highlighted as a successful example of this.

Jan Malinowski of the Council of Europe helped lead later discussion on the issue of whether government should be regulating in these areas. Participants considered the argument that users have an expectation that their state will ensure a secure environment; while on the other hand, we cannot expect a “clean Internet” any more than we can have a perfectly safe offline world. Ensuring that companies are liable for the services they provide to their customers is important, but there is no need for the state to substitute this liability with regulation. Participants also noted that security must not be a justification for state intervention against freedom of speech.

The workshop concluded with some comments on future EuroDIG discussions in this area that could perhaps look at different specific challenges or issues.

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.


>> CHRIS BUCKRIDGE: Hi, everyone. I was just going to say – no, you are in the right place. We are going to start in just a couple of minutes, once we get a couple of the administrative details sorted here. Just give us a couple of minutes.

There are a couple of emails. I will start anyway. Thank you all for coming. My name is Chris Buckridge. I’m from the RIPE NCC which is the RIPE Network Coordination Centre, we’re a regional Internet, for the Middle East and parts of central Asia but also more broadly, we represent issues in IP addressing issues in this region and those IP issues can be very broad and cover a lot of ground.

I think we have heard today and certainly in many IGF sessions of various kinds how broad the issues are covered, the range of issues covered by Internet Governance. Obviously as a technical organisation, we are particularly interested in some subset of those which are the very technical governance issues and those are the areas that we wanted to talk about in this workshop.

But talking at it not from the technical perspective that we would talk about in a RIPE meeting or a meeting of the IETF or one of those technical organisations. We want to talk about it in a way that highlights the ramifications or the implications of these technical issues to a broader society, to – in terms of privacy, in terms of competition and innovation, in terms of the rights of users. And so what we want to do, the way we want to do that today is look at a couple of examples, specific examples of those technical challenges, and I will introduce the panel as I’m doing that.

One of those is in terms of IP addressing and that’s IPv6 adoption and the exhaustion of IPv4, and Marco Hogewoning also of the RIPE will talk about that. One of the other governance issues is about DNSSEC, and Wim Degezelle will talk about that.

And so we’ve got Olivier Crepin‑LeBlond who is with ISOC England UK, but also working with the ICANN ALAC, the at large constituency. And Jan Malinowski, Council of Europe, who can speak from an intergovernmental perspective, the ways that they see to engage with them.

So with that, I might hand over to our first speaker, Marco Hogewoning to talk about IPv6.

>> MARCO HOGEWONING: Yes, as Chris said, I’m Marco, I work with the RIPE as well. Challenges in technical space, which is a challenge by itself because this is not really technical forum.

So what are we talking about? Well, actually, it’s about the technical community making sure the Internet works, the user just clicks on the browser and you go to a website and you open up your email and you get your new messages. What is going on behind the scenes? This is what I will be talking about and a quick recap on what’s going on and I’m sure that if you are informed about Internet Governance, it’s about IP addressing and in the current addressing system that was designed back in the early ’70s and that’s known as IP version 4. We have about 4 billion unique addresses and technically every device that connects to the Internet, every computer, every phone, every sensor, whatever we put on the Internet these days needs one of those unique addresses to be able to communicate with other devices and those devices are tied to the network. We can move from one network to another. You get a new address which is an interesting case if, for instance, you move your phone from the mobile network into, for instance, your meeting LAN.

Now, there are 4 billion of those addresses, and these days we are nearly done. Some people say, oh, we are all out of addresses. If we look closely, there are a couple of addresses left, a few hundred million.

The rate we are adding devices and the rate more and more people coming online, I mean, we estimate 2, 2.5 billion users have access to the Internet. The other 4.5 billion people on this planet don’t. So we still need to add a couple of billion, and for sure that Internet space isn’t going to solve it.

So the techies, we saw that coming, the technical community and years ago decided, let’s figure out the new system. Let’s solve the problem, and that’s what is known as IP version 6. I’m using the same concept, and each machine gets a new address, we get bigger address block. Billions and billions and billions of addresses. By far enough to survive the next 50, 60 years. You can quote me on that in 60 years time.

That’s the easy bit. We have a new system. Now, the challenge – the first challenge is how to move from that initial system we have, IP version 4 to IP version 6, and the easiest analogy, it’s a language. So every machine that has an IPv4 address can talk to every other machine that has an IPv4 address, just the same as everybody who speaks English can speak to everybody else who speaks English. Now IPv6 comes along. Now we have machines on the Internet that don’t speak English but speak Spanish.

And you can only communicate with other machines that speak IPv6 or with other people that speak Spanish. So how to solve that. The trick lies in learning both languages. Of course, that’s the easy bit. You can choose whether you speak English or speak Spanish to somebody. That system works. You slowly learn every device on the Internet, gets changed over time. I mean, how often do you buy new computers? How much do you buy new phones?

So gradually, you move to this new system, which was a wonderful schema and it’s called dual stack. It works great, the only little problem we have right now is that although there’s quite some progress with IP version 6 and a lot of systems these days on the Internet have IP version 6 capabilities, they understand the language, and might not have connectivity but in the core, everything is there.

It’s that right now we have run out of IPv4 addresses. The time we need to fully deploy IPv6, we need something to keep it working. That’s in the end where you want to be.

We say, hey, here’s your new iPhone, oh, by the way, your Internet connection will be activated in six months once we activate the IPv6. That becomes a real challenge.

Well, the technical interests, you can share an IP address. That’s in more common terms, the technical term is called carrier grade NAT or large scale network translation and it’s also quite common technique. You use it in your home, your office, even here in the hotel, I noticed that meeting LAN doesn’t use it. It’s quite amazing. It’s a normal concept. Instead of having your own unique, private address, there’s a little box in the middle, a translator that lets you share an IP address with multiple devices. It lets you share IP address with multiple users.

This is where the governance challenges come in. How far does this scale? How many users can you share over a single IP address? How much stretches are still in those couple hundred million addresses available. How long can we stretch this before we really run out of addresses?

And it becomes even more interesting, what if you are sharing your address, let’s say with 250 other users and one of them is a spammer. One of them is a hacker. One of them does something nasty. Can you still trace them? Can you still find out who that is?

Which is if you are – if it’s in your network, if you are the network operator, probably possible, but what if you shared on the other side of the world in some remote network? During the response on the Internet, somebody is Spamming me. I can’t get hold of him, I will block his IP address. Somebody is attacking me, I put up a firewall, I block it. All of a sudden, instead of one IP address, one user, you might be blocking 10,000, 20,000 users and you don’t know beforehand. You only know that when you put up that firewall and the phone rings off the hook, if it does.

So that’s – that’s, I think, one of the main technical challenges from terms of governance for the technical community is how to solve that, how to make sure that if something happens still the appropriate measures can be taken.

I’m going through my notes, sorry. The CGN, the other big thing with CGN is – I’ve got innovations. The translator, in order to understand to go from A to E, you have to understand the language. You have to get a bit of context. We know nil, Skype, that stuff works, but what if the next new protocol comes along, what if somebody invents something new and that translator has difficulty understanding the context? It might make mistakes. It might not work.

And then if you just deployed your new application or trying to market your new application, all of a sudden, you have to get all of those translators updated.

So easy way out, why not do IPv6? Well, that would be wonderful, but like I said, we don’t have that time. So whether we like the CGNs, the carrier grade NATs, we need that or a similar technique for the time being to roll out IP version 6, for the next six months, a year, two years, maybe three years, we need to deploy these CGNs. We need to live with the consequences of sharing addresses.

And that, I think, is the where the real challenge lies. The moment I deploy the CGN, I take away the problem. The end user doesn’t see it as a problem. The end user can still get to the web and place the Skype calls and he can still email up until the point where somebody, indeed, blocks his IP address because his neighbor down the street did something wrong. Then all of a sudden it doesn’t work, and then all of a sudden have an option, oh, I will deploy IPv6 in an hour. That will still take six months. That will still take a year.

So the main thing is while we patch it temporary, and while we actually invest in something that’s only going to be in place, hopefully, for a few months or a few years, is we need to stay on track. We need to keep focus on the final goal and the final solution is IPv6. Although the user doesn’t perceive it as a problem right now, sooner or later, he’s going to find out that the new application doesn’t work or, indeed, that his IP address is blocked because of too many users.

I think that’s where the main technical challenge is in terms of IP addressing is fix the short‑term problem, NAT, CGNs but make sure everybody is aware of the consequences and make sure that everybody, operators, governments, academia, everybody stays focused towards the end goal and that’s IPv6, because this is not only the operators that need to solve it, but it’s everybody else that is involved in the Internet, people who deliver service over the Internet, E‑governance. It’s about education. Tomorrow’s system administrator that you educate today needs to understand IPv6 and be taught about the consequences of running NAT. So that’s where public/private partnerships and cooperation comes into play here. We need to do this together and solve the challenge, but technical community, I think, should take the lead here.

>> CHRIS BUCKRIDGE: Okay. Thank you. I want to sort of make this as interactive as possible with the audience. My – I’m thinking of this IPv6 as an example to be complemented by the example of DNSSEC so it may make sense to move straight on. If anybody had any questions or comments immediately that they wanted to – for Marco.

>> AUDIENCE MEMBER: Hello. I’m a technical guy. I’m a CCIA. When I read the topic, I – I had the question, I would like to redefine the topic that says here about technical space and the impacts on users.

I work for E‑governance. So I thought that that would be more a question for services, electronic services or security, for things that impacts users and I believe that IPv6 is a layer three problem. It affects more business, not the end users. Of course, at the end of the day, they will have to adopt to the new area, to the new parts but I believe that what we could discuss and see what we have to do is what users, how we can empower users and what are the consequences of what we design, of what we invent, and what things we have to do from now on and that’s my main concern. If this has to do more with DNSSEC and IPv6 problems or is it more general?

I don’t know, but this is my point of view. Thank you.

>> CHRIS BUCKRIDGE: Thanks. Marco, did you want to respond to that?

>> MARCO HOGEWONING: I think, and that’s actually where we need to be aware, that this is not directly user affecting yet. The problem you have is that the user doesn’t know what he’s missing about. It’s sort of frog in boiling water. The user slowly gets pushed into a corner, where if you really give him the choice, he probably doesn’t want to be. But how to explain to an end user what he’s missing, this becomes predicting the future.

I can’t tell what application will be next that the user is left out of if we don’t give him IPv6, if we put him behind the NAT. But looking back, I know that there are certain things that if you look at it closely probably wouldn’t have been possible with widespread NAT use because you simply won’t get it started.

>> CHRIS BUCKRIDGE: I think just from the perspective of someone organizing this workshop as well, I certainly totally agree with what Marco is saying. I think a lot of us are here representing end users, but probably the very fact that we are here means that we are not the typical end user. We are a little bit more engaged with these issues, even if it’s not from a technical perspective. And I think our hope and our aim with this workshop is to illustrate for people who weren’t coming from a technical background, the points that Marco makes. These are issues that will have the potential to affect end users and affect everyday Internet services if solutions aren’t found.

Let’s start with Bertrand.

>> AUDIENCE MEMBER: Just one point and a question. I’m afraid if I take an analogy that like the DNA that we have today, the biology called DNA still has traces from millions of years behind, we are stuck with dual stack forever, and IPv4 will be there forever, I’m afraid because the addresses may be distributed. They don’t expire. It’s not something that we burn and we have no resources left. All of these addresses are still there and the ones who have them will continue to use them. So I’m not even sure that this CGNs are going to be even there for a couple of months or a couple of years. I’m afraid IPv4s and dual stacks will be there.

What I like very much is the law of unintended consequences. One of the challenges we see when I heard about this notion in Rio a few weeks ago in a meeting we did for the Internet Interjurisdiction Project. This fits also in the challenge of handling a lot of requests for identification, by law enforcement on who is doing what.

There is a very tricky trend where on the one hand, IPv6 allocation could attach full identifier to every device you have that is connected to a database with your full identity so that traceability is absolute, which may be the case in some countries that will distribute IP addresses on the national space is, very traceable.

And on the other hand, we have this trend where even traceability of who is doing what on the Internet at one point may be impossible to do, even when it’s necessary. So I just wanted to highlight those two dimensions going in opposite trends. Is that correct trail of the situation or am I wrong?

>> MARCO HOGEWONING: Let me firstly respond. Yes, IPv4 will be there forever, yes. The trick is that the more – if the network has preference for IPv6 or the more traffic you can handle over IPv6, the smaller your investment is in keeping it all together and at some point it may that IPv4 is so small I won’t enable it anymore. So there is some real incentive to deploy IPv6 from an economic perspective. Straight away, I give somebody a choice to avoid my CGNs. I can give somebody the choice to take the full connectivity by deploying IPv6.

The last point you made regarding traceability, yes, that’s an issue. That’s something we have to be aware of. It may look like CGN is a way to provide anonymity. I won’t open the can of worms, because we have other sessions coming up, but in terms of big data. Somebody from the outside, I can’t see whether you are – whether you are sharing your IP address or not. If I see enough traffic, I might be able to take a rough guess that it’s not one user.

If you look at big data, if I’m not 100% sure whether that address is shared, you might be flagged on a no‑fly list because of something your neighbor posted on his Facebook.

>> (Inaudible).

>> MARCO HOGEWONING: Yes. So if I start aggregating data based on IP addresses, all of a sudden that address sharing becomes scary. Even if it provides initial cloaking or traceability issues.

>> CHRIS BUCKRIDGE: Olivier, did you want to make a point?

>> Thank you very much, Chris. Just a couple of things. I was going to speak like I’m basically going to speak now in my intro. Since we are already in the interactive phase. The first thing I think the IPv4, IPv6 message is wrong.

I remember a T‑shirt “IP Everywhere” and if you said that to anyone on the streets, they would think that’s really sick. That’s not the thing you should do. Unfortunately, it’s still the case today. People on the Internet, the vast majority of people out there do not know how the Internet works. They don’t want to know how the Internet works. They just want it to work.

So when we start speaking about IPv6 and IPv4 and telling them, oh, but if you don’t move to IPv6, things will stop working. They say it’s still working for me today, so I don’t really care.

One of the things, I think, we speak about CGN, carrier grade NAT, this is something you can talk about because at that point, you can say what does it mean for the end user.

It means that Skype may perhaps stop working and the online gaming may stop working. A number of services that you take for granted today will stop working.

And at that point, that really starts opening the mind of the person and thinks, okay, what do we have to do to keep on make it work? And that’s when you say, well, there’s IPv6, et cetera, and perhaps we should call it something other than IPv6, just call it the next Internet or the real Internet as opposed to the cherry Internet.

>> MARCO HOGEWONING: I think we just defined the Internet as IPv4 and IPv6 right now.

>> OLIVIER CREPIN‑LEBLOND: That takes me to next thing where IPv4 will be around forever. I think IPv4 is bound to disappear pretty fast, pretty fast because as IPv6 takes over, the IPv4 services will be seen as being something that is a thing of the past. It’s – the amount of things you can do with IPv6, empowering the edge, the end user to be able to do a lot of things is overwhelming and IPv4 will not bring anything new. In fact, if at all, it will just be an added load on the network to still run – to the routers and so on to still run IPv4 after a few years’ time, especially when all the new services that will come online are going to run mostly, I would imagine on IPv6, because I can’t imagine where you can find the IPv4 addresses to be able to run them.

So I think that for those people who think that v4 will be around forever, I say, well, some people used to think that steam cars will be around forever.

>> MARCO HOGEWONING: I’m somewhere in the building. I think yesterday the final last telegram was posted. How long has the telephone been around?

>> OLIVIER CREPIN‑LEBLOND: I wondered about this. I wondered what the last telegram was going to say, was it “going home. Stop.”

It’s really a case of how long the Internet will continue working the way that it does today.

>> MARCO HOGEWONING: And –

>> OLIVIER CREPIN‑LEBLOND: And bringing as much innovation as it does today. And this is the message that needs to be sent over to the outside world. If you want your Internet to continue working, then you better do something about it.

>> MARCO HOGEWONING: I think that’s the governance part is, yes, the user doesn’t know what’s going to hit him, but if we put some – some radiation on you, you won’t know what hit you for the next 25 years and I think that’s where you have to step in and protect those users, right now from what’s going to happen.

>> OLIVIER CREPIN‑LEBLOND: I think we agree but then you reach another problem, which is keeping IPv4 and using carrier grade NAT does bring more control into the hands of those people running the network, the central part, whilst bringing it to IPv6 does not bring additional control.

>> CHRIS BUCKRIDGE: And that’s a key point, I think particularly in governance discussions, that issue of control, of who controls the Internet, who has control over networks, and what control do they have over their users or over their privacy.

>> AUDIENCE MEMBER: It depends how the IP addresses are being distributed. If you are in an Asian country, a large Asian country in the northeast, and you distribute your IPv6 addresses on a national basis, and you have your IP address and it’s hard coded in the machine to a mobile phone, and the operator has the list of all the mobile phones with the address of the billing contract, when you mine the data, excuse me, this is not empowering the user that much. This is why I was saying you have the two trends, as Marco was saying.

The carrier grade networks are on the one hand anonymous somehow. One person in the shell pool has been misbehaving. Likewise IPv6 may bring more authority to the individual, except in the traceability of who is actually running this IP address is absolute, and in some countries it may become absolute.

>> MARCO HOGEWONING: It gives you more control but it also adds risk. The fundamental design of the Internet was to put all intelligence at the edge, and network address, they were pushing the intelligence back in the network. And x25 and other standards, because it had no intelligence in the core of the network, which make it cheap to deploy and which gave everybody the opportunity to freely innovate, innovate without permission, I think was the quote from ISOC, I think I saw flying by.

>> CHRIS BUCKRIDGE: We have some more comments from the floor.

>> AUDIENCE MEMBER: Very quickly, what you mentioned before, if Skype tomorrow will stop providing the services, okay, we are now here about – no one knows what will happen in the future. We only just make some predictions. And what I said before is that the market, it’s a business case, and Skype knows all these problems. We have seen many tests, the IPv6 and many others. Most of the biggest companies, they have been preparing the migration stage and phase. So we will see that the users at the end of the day will follow what they have to do.

So in terms of adaptation, maybe the market will arrange things and we just follow what we have to do.

The other thing about the penetration, the traceability and things about the audibility, my concern is more in terms of the distributed content and how we can justify or how we can investigate if there is a violation or regarding the previous sessions, there are many of the panelists mentioned many things about the cyber security or criminologies with children, pornography and things like that.

So I believe that this is something we have to also consider if they would have to provide solutions or regulation or something else.

>> CHRIS BUCKRIDGE: I think that illustrates where a lot of this ties into the broader governance.

Does anyone? Jan?

>> JAN MALINOWSKI: Yes, if I may, given that we are discussing this topic, it may be useful to see the policy angle to it, the public policy angle to it.

The technical solutions are never neutral. There’s always implications and there’s always different ways in which it can play on rights and the user – on the user, on the victim, on the work of the security forces, on whatever it may be.

I mentioned this morning that the Council of Europe adopted in 2007, a recommendation on the public service value of the Internet and I mentioned the main headings, the headings were access open and diversity and security. What I would say is that in respect of the IPv4, IPv6 question, one would need to test the situation, the possible solutions, the possible challenges against these different things and you were responding to that.

There is a question of access. There will be problems of not allowing certain people to have access if we don’t deploy IPv6. So that may be an issue. There may be in the context of responding to the question of access, there may be a question of scarcity and managing the scarce resource.

One has to respond to that in technical terms but also in human rights terms and in consumer rights terms and so on and so forth.

There’s a question of access to content. What happens if as a result of mismanaging the transition, people end up not having access to content that they can legitimately aspire to access.

There are human rights implications to that. There’s a question of traceability and security. That is a public policy issue as well. The state responsible for the security of people. If they cannot deliver against that obligation, they may be held account.

If there is a child abuse that’s not responded to correctly by the law enforcement agencies, the state can be held to account to the court there.

There was a case in Finland, where the legal system had not given the police and the judiciary the necessary elements in order to be able to identify someone who had interfered with the rights of a child by communicating on social networks that this person was gay and was looking for contacts.

That was the issue.

And the state was found in violation of Article 8, the right to privacy. On the other hand, IPv6 with its potential massive deployment, it could give rise to questions of privacy, of being able to identify people by the utilities they have, by the objects they carry with them and what happens to them and so on and so forth. The IP addressing system is a means of identifying people or contextualizing the way in which people behave and where they are and so on and so forth, and it could give rise to privacy issues.

In respect of all of that, the state has a role and what I can say is that the Council of Europe has given a response in 2010. The 47 states adopted a recommendation and saying a recommendation to our Member States. It’s a Committee of Ministers which is the governing body of the Council of Europe saying this raises issues and you have to deal with it. You have to distribute to the deployment of IPv6. That should happen quickly.

So you should create the public policy climate that will facilitate the transition or the deployment of IPv6 if it’s going to function in parallel, the two systems. You should ensure that the – the public sector moves to IPv6 as quickly as possible as well, taking into account the rights of users and so on and you should always bear in mind the traceability issues. It is true from a positive obligation perspective, you have to be able to trace in order to be able to adjudicate responsibility in cases of misuse, but at the same time, there is a privacy issue, protecting the privacy of the citizens.

So these are the elements. I was asked to speak for the intergovernmental context. That was the response of the intergovernmental context at that statement in 2010. Is there something else that should be done? You should tell me. I don’t know at this stage.

Now, what was said then was that the governments had a role to play in encouraging the transition in making sure that the transition does not damage or carry a risk for the users and for the access and for all of this. So there is a follow‑up that I don’t know. I cannot say which has been the follow‑up given to that, but there is a space there that needs to be covered and if there is more action that needs to be taken, I would be happy to hear.

>> AUDIENCE MEMBER: Dimitri, in the Ukraine. I was going to make my comments but some of them have been mentioned. We throw around terms like CGN, and carrier grade network. When I grew up, we had a party line. If our neighbor would use the phone, we cannot use the phone. You know, we had one number for two people, or if you are in an office and you make a call, a call would come from your general number. When you call the number back, the receptionist would answer it. Could you connect that? That is not Internet. The net of v6 and the Internet when everybody can connect to everybody, they don’t have to call the number and then ask for the extension. That’s a word you can use.

You want to restore the Internet premise of direct connect between the users. I don’t want like users, but I want to call them Internet community. I want to live in an Internet when everybody can connect to everybody by means of various ways of communication. That’s the first things, the email, the FTP, if you remember the UCP copying. The Internet is not a start.

>> MARCO HOGEWONING: We have to fight. But operational reality is 90% of the users treat it as a television.

>> AUDIENCE MEMBER: Well, that’s what we have now but do we want to turn our users to passive consumers to active participants? If we don’t give them something to be active, give them their own phone number or IP address. We should call it modern Internet and the legacy Internet. The problem names are modern and legacy.

>> MARCO HOGEWONING: That ties into my comment that 90% of users who treat it as a television, don’t know what they are missing out on.

>> AUDIENCE MEMBER: Well, sure. Of course. And speaking of monitoring of anonymity, I mean, first of all, as I just said, if there’s a requirement to monitor or to discover, you know, who did the speech, where it was a crime, right, you have to find out anyway. So CGN does not make it easier. They are able to keep logs. If you want to assign people IPv6 addresses, I guess that’s what you have. The people would be able to change them, that’s better but it all depends on the legal framework. I don’t think there’s any argument there.

Essentially if you want privacy, you have to pay for it somehow. Just hiding behind –

>> MARCO HOGEWONING: And then again, from an ideal perspective, traceability is guaranteed. From an operational, you can’t be bothered to find out who it is. You put the IP address in your firewall or you black hole it and that’s where the problems arise, because that’s where you don’t check whether it’s shared or not. You just dump the IP address.

If Google says I will drop this IP address and then 10,000 users contact Google and then they realize.

>> AUDIENCE MEMBER: It must be brought up. Don’t say that, oh, it works. Say, no, it doesn’t work already. I will just pass the mic.

>> CHRIS BUCKRIDGE: Okay. I think before we bury too deeply down into IP address specific issues, I think it would be – it’s useful and something we want to do in this workshop to look at another example of a technical governance issue that’s, I think gone to the IPv6 issue, and that’s DNSSEC.

>> Wim.

>> WIM DEGEZELLE: We will show some surprising parallels. I’m Wim and I work for CENTR. I’m talking about, well, DNSSEC, but first of all, I think we should have made this into a main session, because it looks so much easier.

So next time we want to have those. It’s always interesting to come to a meeting like EuroDIG because it’s obliged me to think, okay, I always go to meetings and everybody in the room knows what ccTLD is, what DNS is and you start, like, talking well, you are convinced that everybody knows.

So I think for DNSSEC, in particular, it’s important to make, again, one step back and say, okay, what is the Internet domain name system. Basically it was developed so that people when they go on the Internet, don’t have to memorize the IP addresses. Maybe with IPv4 it would have still been possible.

I’m always amazed the technical people how they can just memorize them. I mean, they just know the IP addresses but IPv6, that will be completely impossible, I think.

>> MARCO HOGEWONING: I can still remember a lot of IP addresses.

>> WIM DEGEZELLE: That is the difference between a technical animal and a technical background. One of them.

What happens if you type in a domain name in your computer, it looks up – it links to the IP address. That’s where the content of your website is stored.

So what’s happened now of what was discovered, that it is possible in the technology that you look for the IP address linked to a domain name but in the process, somebody steps in and changes the answer. Normally, we would say, of course the end user will immediately say, okay, I’m arriving on a strange space or I’m not where I want to be. The tricky thing is now that you – for example, you want to surf or you want to go to the website of your bank and the answer you get back from the – is exactly the same copy of the website of your bank, but when you don’t know, it’s another party that’s behind. They just put in wrong answer, wrong data about the IP address. So that you arrive on their website and they just collect all the information and all the data about, well, how you log into your banking system, what your pass codes are and so on.

That’s one example where you say, okay for the end user, it may be without noticing dangerous – a dangerous situation if this happens.

So to solve this problem, there was – well, the technical community worked on an extension of the DNS domain system protocol, which is called DNSSEC. It’s nothing else than if you are looking up for the IP address linked to a domain name, you get the answer but it also will verify in a technical way, verify that with that answer, nothing has happened. So the website from your bank, really is the website from your bank.

That’s – I think at this moment, that’s what the DNSSEC is doing.

It is – well, it is a protocol. It’s a problem that was discussed already, I think a long time ago in the – during the ’90s, I think by the end of the ’90s, the first version of the protocol was ready. Like it goes, nobody sees the need, but five, ten years later, it was discovered, okay, this is an issue, and from that moment, I think the real interests in DNSSEC started.

From that moment, also the ccTLD registry started to become interested in the DNSSEC and deploying DNSSEC. We had some countries like Sweden, also Portugal who were front‑runners and said, okay, we need to develop this technology.

Can I ask, where are we today? We have a little map of Europe to show where exactly we are today and how it was developed. If you look back in 2008, in 2008, you had, like, three countries. You had Sweden, Czech Republic and Bulgaria, that already were providing, I think – were providing DNSSEC.

If you look two years later, a couple of more countries started, okay, we are ready, as a ccTLD registry, to come up to deploy DNSSEC and to provide, to assign domain names.

The most important thing happens with the difference between the last two years, between 2012, 2013, and then see that most – most of the registries, particularly this area is important. Most of the registries in Europe, will be ready to provide DNS security. I think 2013 and also next year is really a key issue, a key moment, because I think more than 20 ccTLDs in Europe are ready and able – or are going to the deployment phase of the DNSSEC.

So you could say, okay, that’s a good development, but that’s only the first step because what we see is, okay, you have the registry at the basic level of the – of the key, it’s providing the information to validate domain names. That doesn’t mean that you and me are able to assign domain names or to get the security for our domain names because the registrars, the companies that we buy our domain names with also need to deploy the DNSSEC.

It is really important, and I think from a registry perspective, to underline that it is a very complex and a very technical and time and work intensive process. It was for the registry, but I think it’s even more complex and more time intensive for the registrars.

That means that we have to give them time. It’s not something that you can just switch on from today and tomorrow. It’s not – it is not an upgrade like an upgrade from our – from Windows that you can just download and say, okay, it’s installed. No, it’s, first of all, technically, really complex. Also it requires a lot of administrate – more administrative processes. And some people say, okay, for registrars, okay, you have the DNS and the domain name system, and it’s there and nothing happens. It moves to something that they really need to be aware of and really do some maintenance and make sure that everything works.

So that brings me for first question or first point is, okay, we – at the registry level, you can say, okay, definitely in Europe but I think the rest of the world this is following. The registries are ready to provide the assigned names. But the biggest task or the second task is the registrars, they need to be ready and they need some support. They need some support. There are a couple of good examples from the registries that helped the registrars deploy DNSSEC.

Does in the registrars deploy DNSSEC, there’s also the ISPs and the software vendors that need to be aware that the DNSSEC is coming and they need to be ready to adapt their products. At this moment, I think it’s – it’s not that much an issue anymore but I know a couple of years ago, none of the software vendors or the people that made software for servers had software that – that was accepting DNSSEC queries.

Also, for example, if you look up a domain name, or – and you get the answer about the IP address back, the answer is longer than the traditional answer. What makes that, for example, in some firewall software, because the answer was longer, it wasn’t accepted to go through. So it wasn’t working.

This said, I mean, this means that you can’t say, okay, someone in the technical community or only the people at IETF or the people at the highest level of the technical – the technical community, that need to be involved that need to work on the implementation of DNSSEC, it happens on different levels. Everybody has to be ready. Everybody has to be there to invest time and knowledge and learn how it works.

If you look – or also, what should government do? What I hear from most of the registries, the natural answer, and I think that’s not even – not for our own sector but – not Internet related sectors. Well, governments shouldn’t do so much because it’s not regulated because you never know where it ends up and it was mentioned also this morning at the session, like, there was also always the risk if government wants to help you or do something that is legislation, it creates problems elsewhere.

Speaking from experience.

(Laughter).

We have seen what’s happened – what you also hear is, okay, but governments should at least take the lead and give a good example. They can – and there are examples of governments that say, okay, we really like DNSSEC and we would like to have it deployed but if you go look into their own services, none of them is there. They are not using it themselves. They are not able to handle it themselves. So the message to government representatives should be, okay, please look to your own services. There are some good examples, I think in the Netherlands. The government has put it on a special list of requirements for all of their own government organisations and their own departments where DNSSEC is said, okay, it’s a good practice. And if you don’t use it, you have to tell us and you have to come with good argument why you don’t use it.

So by default, it should be there.

Also, recently in Sweden, I think the Minister of Telecommunications asked this year, by the end of this year, all government services would use DNSSEC and all of their applications would be assigned with the DNSSEC.

So end with one of the biggest problems and there’s a parallel with the story we heard before, is one of the good things of deploying DNSSEC is that the end user shouldn’t even notice, and shouldn’t even know, but that also means that, well, the end user is not putting pressure and saying, okay, I want DNSSEC because I want to be secure and I want to be better.

So that’s in both ways. On one hand, we see, okay, when they realize it, and they would ask their registrar, okay, can you give me a DNSSEC domain name, there would be some pressure, but I think the number of people that will ask that question will be very, very low.

So I think there’s a big task for all in the community to help deploy the DNSSEC because in the end, I think it’s important to realize, okay, DNSSEC helps. It only helps to fix one security problem in the Internet, but it helps to establish trust. I think trust in the Internet, in the system is still really important. And if you can limit it to equality, but I think it’s important to realize, okay, DNSSEC helps to build on a trust on the Internet.

>> CHRIS BUCKRIDGE: Thanks, Wim.

Before I throw it open, I had one question myself. And it’s interesting that you note that there’s not really the end user notices that this is a problem and they are not providing the impetus. You also mentioned earlier the Kaminsky bug as a motivating factor in getting the point that we are at already with the registries. It’s at that level at least successful, where was the sort of pressure coming from the Kaminsky bug. Was it the technical community or civil society or governments? Were governments aware and taking an active role at that point?

>> WIM DEGEZELLE: Well, we did a survey within CENTR, I think two or three years ago – two or three years ago where we asked, well, are you planning or implementing DNSSEC and why are you doing it?

And the overall majority of answers we got, it is helping the security of the Internet and we see that as – as a task for us as a registry.

And only two or three answers – okay, there was some pressure from local Internet community and some pressure from government, but I think overall, when the registry started to look into it, it was because they say, okay, it’s part of our task to work on and develop a stable and secure Internet.

>> AUDIENCE MEMBER: Just a quick one. Is there a need to update DNSSEC because of new requirements coming up from law enforcement side and the follow‑up of the GTLD and the new agreements that may be coming into force, as far as registry?

>> WIM DEGEZELLE: As far as I know, not. Of course, I’m not a technical person.

>> CHRIS BUCKRIDGE: Marco?

>> MARCO HOGEWONING: You have similar issues to IPv6. Why should I do this if nobody validates and why should I validate with nobody signs on. How far are you done with tackling? Why is there no content on IPv6 because there’s no user and vice versa.

>> WIM DEGEZELLE: We are not tackling it. You saw on the map basically – well, definitely by the end of the year, most ccTLD registries will be ready. I think there are three very successful – well, three more or less successful examples among them. And that’s, I think Sweden, first of all the Netherlands, Sweden and the Czech Republic. And definitely for the Netherlands, they went to talk to their registrars. It costs you to implement DNSSEC. We will support you and reductions so you can earn back.

Sweden has had the same initiative. They said, okay, we will start promoting DNSSEC, but if you as a registrar come and deploy the DNSSEC, you get a small reduction on the amount, and that’s what you saw in the figures. I think overall, we are in the same problem that people don’t see it.

In one or two cases and I think that’s more in the example of the Czech Republic where one of the larger registrars says okay, I really want. The DNSSEC is complicated and it’s technical, very complicated. I want to show off that I’m able to do it. So it is not solved because most of the – except of those three examples, most of the – well, the DNSSEC deployment on real times is really very low. But there are three tryouts.

>> MARCO HOGEWONING: (Inaudible).

>> WIM DEGEZELLE: Well, you should talk to the person who sells it to you.

>> CHRIS BUCKRIDGE: Thanks.

>> AUDIENCE MEMBER: I was going to touch on the question of whether these types of problematics which are currently being dealt with by the technical community are for everyone to look at, and looking specifically as whether those raised governance challenges that nontechnical people need to be looking at.

My experience in nontechnical people dealing with technical matters stems from ICANN where a lot of the IETF’s work gets looked at and then someone says hang on, this doesn’t make sense economically. Let’s see if there’s another way. In some cases, there’s a clash between the nontechnical people and the technical people. There’s certainly a miscomprehension between the techies and the non‑techies. The question I wanted to ask the audience. I’m really here to listen more to the audience than to speak.

I wondered if there was a way you could include more people in nontechnical issues. The feeling I had so far is that technical issues are not for everyone, and some people are not particularly interested in them but at the same time, it is important that the people who deal with governance understand the basic issues and are able to then convince – translate those issues into governance issues and actually translate this into something that governments, that industry, that the civil society is going to be able to take up and push forward.

How to do it is a question that I have been asking myself for a while. So I wonder if anybody has got ideas.

>> CHRIS BUCKRIDGE: I think one – I will let you explain it.

>> AUDIENCE MEMBER: I have been trying to hide.

>> You are way too tall to do that.

>> AUDIENCE MEMBER: I’m a law enforcement officer based in the Netherlands. I will come to your bit. For law enforcement, this carrier grade NAT is an issue for us, or we thought it was an issue for us. I like my colleague here talking about the legacy Internet and the modern Internet, and the carrier grade NAT may be there for a short period and we will have IPv6 and law enforcement can do what law enforcement do.

So I assume it’s somewhere in the middle of all of that, and that’s a whole different conversation.

To your point, we have working, law enforcement, that is, as nontechnical people. We are getting there, but at the moment, we are not, involved in Internet Governance but we don’t use Internet Governance because governance doesn’t translate very well. So we are engaging with the community, the cyber community how we can build our knowledge up and how the system works, how you guys work to go, how the Internet works. So it helps us to understand when we are investigating crime, that’s what we are concentrating on. We know who to go to and what we can expect back. That was a long process. Some of it was a bit painful at the start because being cops, we like direct answers to our direct questions and the Internet isn’t like that.

So we have worked hard with RIPE NCC to educate us and then we educate our government about what we need for training and we are doing the same with the ICANN community as well. It’s there. It’s not as fast as we would like, because at the moment, we are only doing the law enforcement officers that are involved in pure cybercrime we call it, but all crime has a presence on the Internet and that’s from robberies, murders, everything, has a presence on the Internet. Maybe just for communication but there’s still a presence there.

It’s trying to train those guys as well about what they can do. I know there have been a few horror stories of nontechnical police officers from a nontechnical unit banging on his door telling me where that IP address comes from. We are trying to stop it.

>> CHRIS BUCKRIDGE: Great. Thank you.

Yeah?

>> AUDIENCE MEMBER: If I can come in from the sort of hybrid policy and government angle. When I was a kid, seat belts in cars were not compulsory, and I remember that my father had a car and suddenly the law came into place and he had to have a seat belt system welded into the car. And then it became mandatory that all cars would have it. And manufacturers were compelled to go through very hefty types of security tests and destroy cars many times before they can sell them and so on and so forth.

The European Union has come in and they give safety regulations, very detailed safety regulations about what the cars need to offer and what the roads should look like in order to be able to drive safely on them and so on. It was normal that it was not the case when I was a kid, but it is normal that it is now. DNSSEC at the beginning it was not necessary. It was too modern, for what thinking. It hadn’t even been developed. Now it is. Now it’s possible to turn to government and say, you should have policies about this. There should be security measures built into the system. The technical means to do it are there and you should be taking the necessary steps to make sure that at the beginning there is encouragement, and in the future then there may be obligation.

The – I mentioned positive obligations. There are two types and the human rights construct, the legal construct, there are two types of obligations. There are negative obligations where the state is told, you cannot interfere. You cannot kill people. You cannot torture people. You cannot eavesdrop into people’s communications without due process, authorization. You cannot interfere with freedom of expression. There are other obligations which are positive obligations. You have to take all possible measures that are within your hand in order to ensure that this right is protected for the citizen.

So if someone in the community says my right has been interfered, as a result of the state not taking the necessary measures, if my bank account is plundered as a result of – and I can trace it back to a positive obligation in respect of which the state is held, I could hold my state accountable, so that my transactions with my bank are secure. Now, we are not there, but we could get there.

And from a policy perspective, my question is, my question to you is: Is it now the moment when countries should encourage, should regulate, should give tax breaks to the operators to make sure the systems are in place to make sure the level of security is heightened? If that is the case, would an organisation like the Council of Europe be the right messenger? We cannot implement but it would be possible to say to Member States, the time is right, the capabilities are there and most registries have enabled the capacity to do it. This should go on in order to deliver the security that its citizens are entitled to enjoy.

It’s an open question.

>> AUDIENCE MEMBER: Just a remark to what you told about cyber security obligation. It’s really been debated, actually. It has been on for years now, cyber security is a public good, who is responsible? Governments? Users? The problem of all of these, the problem of regulation, is the balance between development of the industry and regulation, because there’s some industries which are over regulated and you can definitely see that the development is hampered.

When we come to the question of should we regulate or not in terms of ICT. I have ICT regulator background and I know how different ICT services are broadcast and regulated and what I definitely see is that, for example, when the industries merge or two sectors merge and one which was less regulated tends to be heavily regulated, if it’s merged with something that’s highly regulated.

And I believe that that always shall be a balance. You have this kind of boost and development and the economic roles provoked by the Internet just because there was little or no regulation. There was no domain at all, and there shall be a right balance if we are going to answer these questions, just an observation or a comment.

>> JAN MALINOWSKI: Can I come. That’s why my question was open. Is it the moment to encourage? Maybe the time is right for regulation, maybe not. Maybe it’s time for encouragement, deploy DNSSEC, but in respect of whether security is part of – is a reasonable expectation of the user, I will go back to the recommendation of the ministry adopted, the last couple there was security. The definition 69 public service value of the Internet for the Council of Europe is people’s significant reliance on the Internet as an essential tool for everyday activities and so on and so forth and reasonable and legitimate expectation that Internet services should be accessible, affordable, secure, reliable, and ongoing secure. That’s one of the legitimate expectations that the Council of Europe 47 Member States agreed that the user is entitled to.

>> AUDIENCE MEMBER: Can I make another comment concerning security and expectations and so on. What I see during the last year, the last couple of years, governments trying to get legitimacy in the Internet Governance have not invented better than cyber security as a tool. We intervene for the sake of security, for the sake of fighting crime and so on and we want to regulate and, you know, it’s not only for that government who are democratic and so on. If you will see who is using this cyber security tool, bringing it to the ICANN, to the ITU and other organisations, you will see that sometimes they are just using this for legitimization and not for actually because of cyber security concerns. And I think that should also be, you know, balanced between – because if we are talking about cyber security as an obligation, it can be used as a tool to hamper freedom of expression, privacy of communications and so on and so forth, again, just an observation.

>> JAN MALINOWSKI: I have to insist on the principles that I mentioned the question of going to the principles several times already. The sort of Council of Europe definition, how we define our role in respect of the work that we do, in respect of freedom – the Internet governance is to seek to maximize the rights, minimizing the restrictions and that means the restrictions that are legitimate. It’s not just any restriction, but minimizing restrictions while offering the users, the security, the safety that they are entitled to respect. So it is the first element of our vision is maximizing rights and – and one shouldn’t forget that, because that is the human rights approach to things.

>> I was going to say security sells very well because it’s based on threats and mitigation of threats and that generates an immediate emotional response.

>> AUDIENCE MEMBER: I just wanted to – just to pick on Jan’s image, in terms of security in cars, you have two types of security devices in cars. You have safety items that have been imposed by regulation and you have airbags. Interestingly enough, airbags have not been regulated per se initially. They have been adopted by the car manufacturers in a copycat manner because if you had one car with airbags and the other one didn’t, people were buying the one with airbags.

And I do not believe that the – on a personal basis, that the only approach to spreading security enhancing aspects is to go to governments to ask them to regulate and enforce this. The best example of this is the following – not the example but an illustration would be the following: Again, as I said in the plenary today, I am extremely worried now at this ideal vision of a sort of – the Internet is just a new garden of Eden, where the animals should be hopping like in a Disney movie where nobody would be eating anybody and the humans would be transformed by the invention of the Internet.

I’m sorry, humans have not changed in 10,000, 20,000 years. There are spaces on the Internet that are safer than others. One of the things that is interesting, I believe, in the introduction of the new gTLD framework is that there will be registries that will implement a full DNSSEC, extreme protection and so on. There will become spontaneously by virtue of their own branding secure spaces.

If there’s a bank, I don’t think it is necessary to have an obligation that every single small website uses the DNSSEC. What is important is that spontaneously, because it’s well branded, because it’s understood, any bank that will be in a dot bank, for instance, or any bank that will have its own TLD will naturally put in the airbag which is the DNSSEC. And I think it will percolate this way, and we need to encourage this rather than beginning to say, hmm, we are now reaching a threshold where we must establish the garden of Eden.

>> Can I respond?

>> AUDIENCE MEMBER: I’m really glad I heard you say that because this is the message that I’m trying to get across. The Internet is just what society is. There will be crime on it. There’s always going to be crime on the Internet. And we know that. That’s why in the law enforcement arena, in this environment, we are looking for prevention disruptions. So something like that, where it will go for choice, and then the public will follow and that’s the way forward. We can’t arrest our way out of this. There are thousands and thousands and thousands and jurisdictions that we have no leverage over. It’s about prevention, disruption, and if we can catch the big ones, we will catch the big ones. The Internet is just a mirror of real society. It’s always going to be crime there. But at least in real society, I’ve got a chance of finding them. In the Internet, it’s very hard.

>> MARCO HOGEWONING: The Internet is a mirror. What happens in society also happens on the Internet and to dial it in, I think it’s – it’s a joint responsibility. You are supposed to have locks on your door at the same time you expect the police to drive through the street to show that nothing is happening. When somebody does break in, you want the police to be able to find and prosecute whoever did it. That’s where we need to seek those partnerships and solve it together. There’s no single entity that can solve this.

>> AUDIENCE MEMBER: Just to add two aspects to this observation. First of all, I fully agree. I mean, when you walk, you know, in a city, any city where you are and where you have grown up, I mean, you know the dark areas. You know when to go where and not to be there. Sometimes you are in bad luck and you end up in a bad situation, but in most cases, you know what to do. And in the danger – this is my second, where I think we have to watch a little bit careful. For governments, this is something frightening.

Most governments already have a hard time to understand reality, but they have a much harder time to understand the reality and the Internet in the virtual world and that’s why the image of the clean Internet or the clean, you know, this ideal world obviously comes up in government talks. And I think it’s something we have to care about. If we don’t do, if we don’t explain, if we don’t reach out and if we don’t continue to explain, this desire to have a clean reflection on the Internet of the world will always prevail. I think it’s extremely important to send this message constantly and reach out. And I’m glad to see, to have you here from the law enforcement side. Are you from the C3 unit? Yeah. I mean, you are doing marvelous work. It’s really great work, because you really – no, really, you keep the balance. Everybody appreciates this.

At least on the company sides because it’s something that’s really important and relevant and not easy to do. So it’s good to have you here.

>> Can I comment on Jan’s first point. I’m the first to say, please don’t regulate because that usually leads to different things. And Wim touched upon it, the list of Dutch standards I think that’s the public sector, realize you are a customer. Figure out how many billions you spend and there’s a real incentive for the industry to build.

>> CHRIS BUCKRIDGE: So we are quickly getting to the end of session here. So any other comments, let me know, but –

>> AUDIENCE MEMBER: Yeah, I must admit I actually strongly support Bertrand’s point about not regulating. I think sitting here, there is a little bit of a market failure, but not actually a very big one.

And the problem, I think we have is the regulator coming in and substituting themselves from – for the decisions that will be made, for example, by the bank to decide where to put their priority on investment. Is it in DNSSEC? Is it, perhaps, two factor authentication? Is it something else they should be doing? And as soon as the government steps in, then, of course, everybody goes off to tick the box that is the particular relevant box and I would actually put Jan up his seat belt in car analogy and, you know, by the time people regulated for seat belts in cars, there was actually a massive amount of evidence that seat belts would cause a reduction in death, a reduction in harm. And actually most car manufacturers for a long time by then had been putting in the fixing points, the seat belts in cars. So there was that recognition.

And there is a sort of mechanism that works there. If the bank doesn’t put DNSSEC and its customer gets caught by a Kaminsky bug, the correct route is that the bank is liable for the person’s loss. And the government stepping in and substituting for that, again, I do not think is a solution. Thanks.

>> CHRIS BUCKRIDGE: Oh, we have one remote participation comment.

>> Thank you, Chris. Hi, my name is Farizana. We have two remote participants. We have two comments. One from – a question from Renata Alvarez. He’s asking, although slightly tangent to what is being discussed, I would like to know what could be done on the technology cost side to prevent Internet wars by rendering services unusable?

In particular, referring to the denial of service attacks.

And the second comment is from Ismail Rashtob, he’s saying it seems in a global world, technology can surpass the regulation of a specific country to provide or deny citizen rights. From this, and in your opinion, is Internet regulation truly useful?

Thank you.

>> CHRIS BUCKRIDGE: So we started a few minutes late. So I will let us keep going for a few minutes. Would anyone like to answer?

>> MARCO HOGEWONING: Again, I think it’s a combination. It’s virus, that are hacked into or used as a stepping stone. So, again, it’s a matter of putting locks at the door and at the same time, it tied into the CGN story, if you do get bugs, you want to be able to filter that traffic and take the source off and hand them over. So, again, it’s a joint responsibility and maintaining the registries and making sure in IP sharing, you know who is sourcing the traffic and at the same time, for everybody to keep a lock on the door and make sure the community sees it.

If you see something happening on the street, you need to step up and do something about it.

>> CHRIS BUCKRIDGE: And, I’m sorry, the second question about regulation. Does anyone have a comment? I think we have certainly been talking a lot about regulation already, which is –

>> MARCO HOGEWONING: Way too much.

>> CHRIS BUCKRIDGE: It’s an interesting direction for the conversation to have gone, because I think when we set this up, our idea was more looking at how actors, maybe civil society more than government, could take a role in technical policy development. What it sort of seemed to have fallen into is regulation, government versus everyone else, and that’s – I don’t know whether that’s just the way the discussions are going a lot these days or something about this topic.

Olivier, you had something?

>> OLIVIER CREPIN‑LEBLOND: Yes, on the denial of service attacks, this is something that is often caused by carelessness of users and people running computers and so on. So education is one of the things that really needs to be pushed out there and information about it. I’m still so surprised by so many companies and users that have no idea what this DDOS is all about, denial of service, and there’s tons of different flavors of it.

On the Internet regulation question, I think that very often regulation is seen as being something that could be of use by governments to do more than what’s on the tin to start with and this is one thing that really needs to be looked at.

>> MARCO HOGEWONING: I think for the technical community, it’s to make sure honestly, and just don’t hide – it’s easy to say it is a denial of service, but a lot of times, it’s just carelessness and be honest about it and admit failure where it’s – where you need to admit failure.

>> AUDIENCE MEMBER: Good afternoon. Sorry about the few minutes from 4 p.m. I’m Murielle and I have been coordinating the IPv6 task force in Portugal. I was very surprised about the technical issues that were discussed here. I had not imagined this type of workshop to go into this level. A suggestion for a new team. I have been following workshops through net neutrality. I can tell you, it’s really distinct and tough between the oppositions. I would like to bring the technical discussions and then the public discussion, the problem of service differentiation in the best effort for public Internet.

Because the solution of over provisioning, always over provisioning and the service integration that comes along, it will not work forever and there’s a lot of important economy over the Internet today and so we could not imagine ten years ago and we cannot get the Internet going in this way without further level of sophistication on layer six. We are working on layer seven. We have now one of the LP mobile networks and the famous X interface where we can put, as we did in the past into the TDM networks, a control plane to create a service differentiation. That’s something I would like to leave for next year. Okay?

>> CHRIS BUCKRIDGE: Thank you. Yes, I think there are probably a few people that are disappointed that this session was going parallel with the net neutrality one.

I do need to wrap it up. Jan, very brief?

>> JAN MALINOWSKI: Yes, my wrap‑up and, at the same time, the response to the question about regulation. Let me assure you, I’m not in favor of regulation. No, no, no, no. Some people may have misinterpreted. I asked whether there should be encouragement to move in that direction, not in the direction of regulation.

And I would add that the Council of Europe as an organisation is not in favor of regulation. In one of the texts that the Council of Europe, the ministers adopted recently, it said in a specific context, but I think it’s applicable to what we have been discussing, it says regulation is a form of interference in itself and because it’s a form of interference itself should satisfy the human rights tests that the court applies and the court has three tests, one is, is it provided for in law? So an interference will always need to be provided for in law. Is it necessary in a democratic society? Or as the court reinterpreted that, does it respond to a pressing social need? And then the last one is the proportionality test. So let me finish with repeating this idea. Regulation itself is a form of interference, and because of that, one should first use it very carefully and preferably not at all. And if it is to be used, it has to satisfy the human rights requirements.

>> CHRIS BUCKRIDGE: Okay. Thank you Jan. I’m going to wrap it up here. So thank you to the four panelists. I think this was a really interesting discussion. I don’t know if we had any solid outcomes here but I think it sort of has gone into some interesting issues and as has been said, I think it can sort of – it can go into some other areas in future events maybe along this model.

I thank you for the remote moderation. Thank you to all of you who participated and came here. I think we had some good interaction from the floor and finally, there’s a house warming – a housekeeping – house warming –

(Laughter)

Please remind tickets that there’s an invitation voucher.

If you don’t have this voucher and you would like to go to the dinner tonight, you can collect it from the registration desk. Thank you all very much.

(Applause)