Intersection between public policy and technical standards – PL 02 2019: Difference between revisions

From EuroDIG Wiki
Jump to navigation Jump to search
No edit summary
(34 intermediate revisions by 3 users not shown)
Line 1: Line 1:
19 June 2019 | 14:00-15:30  | KING WILLEM-ALEXANDER AUDITORIUM | [[image:Icons_live_20px.png | Video recording | link=https://youtu.be/UDYhYE2mHeU]] | [[image:Icon_transcript_20px.png | Transcription | link=#Transcript]]<br />
[[Consolidated programme 2019|'''Consolidated programme 2019 overview''']]<br /><br />
[[Consolidated programme 2019|'''Consolidated programme 2019 overview''']]<br /><br />
{{Sessionadvice-PL-2019}}
Working title: <big>'''Intersection of standards and policy '''</big><br /><br />
Proposals assigned to this session: ID 123, 132, 140, 150, 168, 172, 175, 198 – [https://www.eurodig.org/fileadmin/user_upload/eurodig_The-Hague/statistik_proposals_all/proposals_for_2019_2018-12-04__01_final_web_IDs_ver1.pdf list of all proposals as pdf]<br /><br />
Proposals assigned to this session: ID 123, 132, 140, 150, 168, 172, 175, 198 – [https://www.eurodig.org/fileadmin/user_upload/eurodig_The-Hague/statistik_proposals_all/proposals_for_2019_2018-12-04__01_final_web_IDs_ver1.pdf list of all proposals as pdf]<br /><br />
== <span class="dateline">Get involved!</span> ==  
== <span class="dateline">Get involved!</span> ==  
Line 7: Line 6:


== Session teaser ==
== Session teaser ==
 
*What are the intersections between public policy and technical standards? To what extent public concerns over security, privacy and encryption can be addressed in standard making processes and orgs?
Evolution of Internet technical infrastructure and functioning has heightened concerns about global impacts on key aspects not merely of technical and operational innovations, but also on key aspects of security, privacy, encryption, technical policy and data protection. There is space for stakeholders to discuss implications of the deployment of core technical innovations on potential technical standard policy and regulation from internet governance’s perspective in this session.
*What is the impact of the new technical solution on the functioning of the internet? How the deployment of new technical standards and policies changes the internet?
 
*What is the impact of the lag between the deployment of standards and their adoption?
> Please be reminded that this is still a draft in the process of finalizing.<
*What are the market dynamics at play in the adoption of technical standards?


== Session description ==  
== Session description ==  
Until <span class="dateline">30 April 2019</span>.
There is a growing need for continuous dialogue among various stakeholders’ groups related to policy and technical standards, fueled by the growing attention about the regulation of the internet concerning also its political and technical approaches.
Currently, the understanding of the technical layer of the Internet is still limited in the policy circles.  The aim of the session is to involve all constituencies in the discussion about the intersection between policy and technical standards. To understand the dynamics at play in the adoption and deployment of the standards and how they are influenced by political, economic, technical and security aspects and also by individual motivations.
The session is opened by introductory overviews by panellists coming from different stakeholder’s groups to give the audience valuable insight into technical issues. The subsequent discussion will provide answers on key challenging and newly-emerged questions as well as illustrative examples to debunk acronyms and technical terms.
KEYWORDS: standardization and deployments of new protocols, implementation of existing standards, interoperability, fostering DNS over HTTPS/DoH, TLS-connections and the role of regulation or self-regulation of DNSSEC, IPv6, RPKI, QUIC, IDNs and Universal Acceptance.


Always use your own words to describe the session. If you decide to quote the words of an external source, give them the due respect and acknowledgement by specifying the source.
== Format ==
The session will be organized as a panel discussion with live interaction with the public. The panel comprising representatives from different stakeholder groups together with strong moderators will outline the hot topics of this session. There will be a lightning introduction provided by panellists at the beginning of the session. In addition, the panel will open a discussion allowing the audience to use live questions and to voice their concerns related to the main points and discuss them within this environment. This session should lead to stimulation and interaction of serious discussions by contributions of various stakeholder groups that bring new conclusions or most probably new crucial questions for the wider public. Besides using EuroDIG remote participation tools, there is also an online platform to submit questions to being discussed during this session. Please join and access live interaction on https://www.sli.do/
by entering event code #4347.  


== Format ==
Panelists:
Until <span class="dateline">30 April 2019</span>.
*Gerben Klein Baltink, Dutch Internet Standards Platform
*Wolfgang Kleinwächter
*Peter Koch, DENIC


Please try out new interactive formats. EuroDIG is about dialogue not about statements, presentations and speeches. Workshops should not be organised as a small plenary.
Moderators:
*Chris Buckridge, RIPE NCC
*Andrea Beccalli, ICANN


== Further reading ==  
== Further reading ==  
Line 28: Line 39:


== People ==  
== People ==  
Until <span class="dateline">15 May 2019</span>.
'''Please provide name and institution for all people you list here.'''


'''Focal Point'''  
'''Focal Point'''  
Line 47: Line 55:
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance.  
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance.  
Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.
Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.
*Peter Koch, DENIC
*Wolfgang Kleinwächter
*Gerben Klein Baltink, Dutch Internet Standards Platform


'''Moderator'''
'''Moderator'''


The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide short CV of the moderator of your session at the Wiki or link to another source.
The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers.
*Chris Buckridge, RIPE NCC
*Andrea Beccalli, ICANN


'''Remote Moderator'''
'''Remote Moderator'''
Line 57: Line 70:


'''Reporter'''
'''Reporter'''
*Cedric Amon, Geneva Internet Platform


Reporters will be assigned by the EuroDIG secretariat in cooperation with the [https://www.giplatform.org/ Geneva Internet Platform]. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:  
The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:  
*are summarised on a slide and  presented to the audience at the end of each session  
*are summarised on a slide and  presented to the audience at the end of each session  
*relate to the particular session and to European Internet governance policy
*relate to the particular session and to European Internet governance policy
Line 71: Line 85:


== Messages ==   
== Messages ==   
A short summary of the session will be provided by the Reporter.
*The intersection between public policy and technical standards does not rely on the implementation of standards alone, their adoption and recognition is equally important. This is where the dialogue between the policy-makers and code-makers comes in, it should be aimed at breaking down silos.
*It is essential to bring down the barriers between the policy-making and code-making communities. The multistakeholder model provides the necessary framework to achieve this and must be further enhanced to create more trust and better understanding between the communities. Trust between the stakeholders can be achieved once the respective stakeholders have a greater grasp of the complexity of the fields of their partners.
*Applying standards is not the only way to make the Internet work. There is an important role for each method and mechanism of the rule-making arsenal wherein good practices might provide very strong (but voluntary) mechanisms, without the (often) innovation-hampering elements of a law.
 
 
Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/sessions/intersection-between-public-policy-and-technical-standards.


== Video record ==
== Video record ==
Will be provided here after the event.
https://youtu.be/UDYhYE2mHeU


== Transcript ==
== Transcript ==
Will be provided here after the event.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234, www.captionfirst.com
 
 
''This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.''
 
 
>> CHRIS BUCKRIDGE: There was a slide to go on the screen here. Can we perhaps have that appear?
 
There we go.
 
We'll let Wolfgang get his microphone and they can we can proceed.
 
Maybe while we're waiting it is useful to have a slight housekeeping point: We're a pretty small group here. I hope we're all a friendly bunch. You're very welcome to ask questions at the microphone. I hope we'll have an active discussion because we have a small panel and I don't think it is going to be sort of extensive discussion just from the stage. We're also trying something with Slido here allowing you to ask questions online and if there are questions that are asked and you see them on the side, you can upload those so we can see if there are particular questions that people have a burning desire to see answered by the panel or discussed more openly. Yeah. The link, it is there. For those of you with handheld devices and cameras, hopefully the QR code will take you straight there and make it very straightforward.
 
All right. Thank you all for coming back after lunch. I hope we can keep this interesting and not have the sort of post-lunch slump.
 
I'm Chris Buckridge, I work for the RIPE NCC. It is a company based in Amsterdam, very much part of the Dutch Internet community and the broader European community. I'm going to be moderating this session today, which is -- it is not there -- it is -- I have lost the title -- it is about the intersection of standards making and policy and how standards can help address public policy issues and concerns, and whether there is a fit between the different models, different approaches.
 
We're also going to have Andrea Beccalli from ICANN here.
 
>> ANDREA BECCALLI: Hello. Good afternoon.
 
>> CHRIS BUCKRIDGE: As co-moderator and he'll be roaming the floor, trying to get people to speak a bit more. I hope we'll have an active discussion with everyone in the room.
 
This session is following on and building on the session we had prior to lunch. I think interestingly, the opening session we had this morning as well, I think really from the opening of this EuroDIG we have had a strong focus on some of the practical ways that Internet governance concerns or issues are being addressed through cooperation, through focus on specific technical practicalities among standards and other things. That's part of what we want this panel to discuss, to build a little bit on and to maybe look at where those intersections happen between practical policymaking, public policymaking I should say and the more Internet-based approach of standards making. Are those two approaches able to achieve the same goals or mutually beneficial goals.
 
We have three panelists, Wolfgang Kleinwachter on the end here, I think probably needs no introduction, but very well-known figure on the European Internet governance scene, I think coming in here bringing a lot of his experience from the ICANN board and days of an academic and work he's done in founding EuroDIG and the global Internet governance ecosystem.
 
We have Peter Koch here from DENIC, I think he's going to actually open this with a bit of a summary of some of the issues that we're going to talk about and really set the scene a little bit more practically and specifically than I am.
 
We have the Internet platform standard -- sorry, I -- I have --
 
>> GERBEN KLEIN BALTINK: It is always difficult I think in Dutch. Gerben Klein Baltink.
 
>> CHRIS BUCKRIDGE: Thank you. I apologize.
 
To build a bit more on the work that's being done particularly in the Dutch community about standards making and how it can really address some of these concerns.
 
So with that, let me throw to Peter who I think will probably be able to open this discussion up a little bit more.
 
>> PETER KOCH: Yeah. Thank you.
 
Thank you for the introduction and opportunity to share a couple of thoughts in the beginning. The idea is that we have this crisp title for the session, and we want to give some meat to it to explain what we had in mind that we might want to talk about. As Chris already mentioned, this connects to the earlier session in the morning and the previous panel, maybe from a slightly different angle in terms of how does technical standards making react to public policy concerns, public policy tasks, requirements or stakes I should say, and also how can those technical standards maybe even preempt or prescribe standards and whether or not that is a good thing and whether we address that and the other perspective that's before we heard this morning, there is a lot of technical standards, a lot of them are used, we have an Internet, we couldn't connect, there is another set of standards, number of standards, where we don't feel we see enough deployment to either address security concerns or otherwise react to the challenges of today's Internet. So let me just throw some words into the audience, and I really tried to use words, not acronyms, we want to make sure this is not a technical, engineering panel, we're really trying to bridge between where the standards come from, and how they get deployed and what that means and where the connection between the policy and the tech part is.
 
So one thing is that usually we -- on the Internet we talk about freedom to innovate, freedom of innovation. That, of course, has multiple levels to it. One, it is that, yes, you can make up the next workshop, the next Facebook, nobody will stop you. On the other hand, of course, you have to convince your own customers and perspective customers and that's on the application at the business level. However, there is a very technical perspective, component to this, it is that as you have heard already a couple of times and in the end, at the end of the day, anything that goes over the Internet, it is chunked up in small packets and they go their ways, different ways back and forth. There is no technical prescription of how such a packet is, there is a description of what the package should look like but not the content and whether the packet itself is good or bad. That's the basic idea to innovate on the protocol level as we would call it and -- as when there was no web, people were just able to invent the web, the hyper tech transfer protocol, and laid the roots for what we see with the web today. Same thing with video streaming and you name it.
 
That's the freedom to innovate. There is also this other concept when we talk in technical circles about the standards, standards are recipes or protocols and standards that are communication descriptors. The basic idea is that if two people or two entities talk to each other, they need something like a common language or at least a common protocol, as you know, like we say good morning, good afternoon, back and forth, we have a conversation and we go there.
 
We have had a list of standards in the morning, and we saw that some have been deployed and others haven't so much.
 
There is no central control on the Internet, what you have, what you don't have to speak to be part of the Internet. Basically, yes, you need the Internet protocol but accept from that, anything else is voluntary. That's the voluntary adoption of standards.
 
Whether or not you do encrypted web traffic, you do unencrypted web traffic, that's basically the decision of anyone that provides a website except that there may be peer pressure to go a certain way and we have been through that after the Snowden revelations when there was a big, big move towards encrypted traffic on the Internet, not by some entity just saying it should happen. It was by a bunch of entities that gave some more carrots than sticks to motivate people to go these ways.
 
Again, the web, it is kind of a high-level what we call the application level kind of. There are other parts of the Internet, those are standards that were mentioned earlier like DNSSEC for original authentication in the DNS and they obviously are a bit harder to deploy because the further we get, the closer we get to the core of the Internet, the more we get to very technical details and we get to a situation where not one entity can just say I do this because remember, we need the protocols to interact. Somebody just changing to the next language, that is hip these days, doesn't make communication any better. One entity moving to IPv6 and hoping that everybody would follow, that didn't work.
 
There is, again, no central control, and this is a feature, not a bug, that could say by this and that date, we call this flag days and there has been a single flag day at the very beginning of the Internet when the previous network was kind of changed technically and we moved to the Internet, but since then, we have never had any flag days where any one entity says as of tomorrow, we only will have encrypted websites, as of tomorrow, we'll all have DNSSEC, this is not how it works. It needs collaborative efforts, collaboration and cooperation to deploy is what we say, to deploy the standards. Deploy means we do have products, there is software. People actually decide, yes, we're going to sign our DNS zones, for example, yes, we want our website, our whole Internet traffic to be ready for IPv6 so that the next billion can connect to us and we can connect to them and we also can better connect to the rest or the couple of billions that are already there. No central control, voluntary cooperation. The DNSSEC and IPv6 are examples where you can't jump ahead. We have seen other standards which is a combination of those, no matter the acronym, it helps to distribute or helps foster encrypted and secured communication on the Internet by helping the endpoints to identify themselves by means of domain names. That's a very rushed explanation. I hope I didn't hurt anybody's feeling but that's roughly what it is about.
 
In those cases, it appears that it is easier to go this step. Any he went it I can decide, well, I have an alternative means of identifying myself, and here is what I do. However, in these cases, one entity is saying here is my new identity, that looks nice, and we can measure that, it is good that this is done, the compliance is measured, so on, so forth. If you have a new passport, nobody knows how to use it, you will have trouble to cross any borders. In those cases, there is, again, two sides that need to -- that need to cooperate and to deploy the standards in terms of not only the part that publishes information, but the part that consumes the information, it needs to be ready for that.
 
Again, one side doing the new Internet protocol doesn't help because Internet protocols are formality communication. We have these examples that I guess we can dive into these topics a bit deeper. That's the one part of it.
 
I'll jump to a completely different thing that was also submitted and you should not forget that we have compiled this panel out of a couple of submissions, of course, and the other part, it is that sometimes, of course, engineers are very objective, always only focusing on the technical side and never, ever susceptible to policy influence. Therefore everything in the technical standards is fine. Imagine it wasn't. Somebody would say that, oh, yeah, there should be something in the standard that would allow, say, interception of encrypted traffic and we have had an example like that when the Internet engineering task force standardized the next version of the transport layer security, which is what encrypts the website in transistor other traffic, it I should say, and they were strengthening the description of the protocol in a way that it would make it hard to impossible to intercept the traffic in feasible ways.
 
There was a big discussion going on, because there were entities that had a stake in being able to intercept this traffic, that's not only law enforcement but also people that claim that for compliance reasons, for example, we need to be able to look at traffic that is crossing our enterprise parameter.
 
In the end, the side that was in favor of the strongest encryption prevailed. However, voluntary adoption of standards and there are other standards organizations. In this case, it is, for example, the European telecommunication standards institute, it had been working in parallel a bit on an addition, I think it was called, to the protocol and they called it enhanced protocol in that way, and guess what? That included this on the fly opening of the encrypted traffic by certain means and not going into the technical details.
 
What happened here, a standard developing organization is going one way, another is piggy backing something on it and we could say weakening, we could say enhancing the standard so now we have different standards to choose from.
 
The fact that at the European organization, the European standards, quote, unquote, get preferential treatment in some circles makes this decision and scenario very, very interesting. So that is a mix of policy where the standard kind of gives the policy decision, you can or you cannot intercept traffic while adhering to the same standard. I guess we can leave it with that and have some further -- unless my copanelists want to add anything.
 
Thank you.
 
>> CHRIS BUCKRIDGE: Thank you, Peter.
 
I thought maybe it would be useful to go to Gerben next.
 
As I noted, I'm sure some saw you speak this morning, but it would be good to reiterate some of the introduction you gave of the platform for standards in the Dutch community that's been pulled together. I think it is really interesting, I think Peter has laid out one of the reasons why standards are important, and why standards of development happens the way it does and has to be a certain approach and open and incorporating the different iterations and perspectives. It is interesting to me that the Dutch community has put so much importance on the development and adoption of standards to the extent that it has this multistakeholder kind of platform which brings people together to discuss that.
 
Maybe, yeah.
 
>> GERBEN KLEIN BALTINK: Sure.
 
What I tried to explain this morning, we selected a few standards that we thought were very important for the future for the Internet, stay open, free, secure.
 
There are many more standards to choose from. The good news may be when I had a new job description back in 1994, there was a big chart in my brand-new office that was dealing with Internet standards and there was a small sentence in reading the small print underneath, and so I was moving towards the chart, I noted the good thing about standards, it is that there are so many of them. So the work of standardization bodies will never end. It is a never-ending story in itself, sometimes because we want to improve things or repair things, piggyback on existing possibilities to make something else possible, but basically standards are there to make our lives easier as a basic thinking.
 
The problem is, not all of them are open. When a standard is not open, it may help you to facilitate communications or using software, hardware, whatever, but as long as you don't know what's going on behind it, you may have the problem of fender blocking or controlling what you're doing, the digital standards, that's the kind of thing we want to promote. We sat together in 2014 and we said if we want, really want, to have an open, free, secure Internet, we have to worry about a number of things. One of those things is the way people are able to implement standards, and a number of people that are actually doing it. So our approach then was that the easiest thing we could do is start measuring how organizations in the Netherlands apply those standards and try to find reasons behind why they did not implement a specific standard.
 
So we were not there as the standards police trying to focus on who does it, who doesn't, and then starting with fines, with sanctions, we were there to listen to organizations, why did you not yet implement the intersect, is there a reason, is it expensive, contradictory to what you believe in as an organization? We fully realize that implementing standards is not the only way forward. It is not -- to have the open Internet, when you only adhere to the modern standards, you have to do much more. You have to make sure that governance is in place in a good way, that you have education available and access, that there are no issues of further consolidation and fender blocking, but that's partially outside of the scope of our Dutch Internet standards platform.
 
We focus on a limited Number of standards. We're listening to the broader community to hear if additional standards should be added to that list and if we try to help people who want to implement the standard, but we really also are trying to listen to people to tell us that we have chosen something wrongly or that it is way too difficult to do, for example, that this policy is okay, that the policy, the reporting, the monitoring, that's a lot of work.
 
We try to listen to those people and find ways to communicate that as a small addition to what I mentioned this morning.
 
>> CHRIS BUCKRIDGE: Quickly to respond to that last part, I think it is interesting to me that the platform is about the adoption of standards, obviously there is also the development of standards, it is another process and I presume there is a sort of iterative process, getting feedback on why certain standards were not adopted. Is there a way that the platform -- is there an approach that the platform has to sort of feed that feedback back in the development process to maybe sort of -- is that something that's beyond, as you said, the scope of what you're trying to do.
 
>> GERBEN KLEIN BALTINK: It is a bit beyond the scope. We try to communicate through our members towards ICANN and ITEF to make sure that there is input from our community to them. This process in which people participate, not on behalf of the platform, but on behalf of their own organization already either be it for example RIPE NCK itself, ISOC, other members of the platform, they have their own agreement where they participate in the standards development. We listen closely, sometimes we give a hint, but we're not party to the development work behind standards.
 
>> CHRIS BUCKRIDGE: Thank you.
 
I'm going to go to Wolfgang Kleinwachter for initial thoughts. I would certainly encourage people after Wolfgang Kleinwachter, there are some questions coming in, I would like to see people coming to the microphone.
 
If you have questions, prepared and ready to go, please come to the microphones.
 
I think sort of do you have sort of a perspective on this? Obviously having worked in this field, and certainly where the intersection of standards and public policy, what's your take on this?
 
>> WOLFGANG KLEINWACHTER: You know, I want to broaden a bit the perspective.
 
As you know, data is a layered system, you have on each layer you have policies and call it standards, code, law, whatever, and it is not only the intersection between policy and standards on one layer, it is also the intersection among the various layers.
 
I think when -- 20 years ago, meanwhile, 20 years ago, the famous book was published by Larry, he was quoted always with just one sentence, the shortened version that said code is law. So this is the lawmakers. You know, lawmakers normally for hundreds of years, wherein the position to make law, technical innovation. When telecommunication broadcasting developed. The first thing was a broadcasting law which then defined the space for the code makers. The Internet turned this around now to code makers, they're creating the space which then has to be filled by the lawmakers.
 
So you saw a certain competition between traditional law for public policy issued, it is public policy, it is not policy for certain technology, and to code.
 
I think this has an added dimension to the traditional discussion you have on one layer. You are operating on the more technical layer and then on the public policy layer, and this is now in the middle of the whole thing, it is rather complex and difficult.
 
Even if you remain on one layer, as Peter has made rather clear, you know, in the discussion which is more of a governmental organization, they said, okay, here the code makers, they have to follow what the lawmakers want and in the ITF, the code makers, they say, okay, we have our own value system, our own idea, and then, you know, lawmakers said -- they make the law on the basis of the code we have. So far we have a situation, this is not settled up today, but a permanent battle between code makers and lawmakers.
 
This is bad.
 
You know, this arm twisting, the who has the final say, it is not helpful, neither for the network, nor for the users, nor for the stakeholders. The way forward would be enhanced cooperation amongst all stakeholders so it needs to be on one table.
 
The problem here, it is that certainly lawmakers have a limited understanding of the technical issues, that means that they have to trust the technical communities. It is a question of trust and vice versa. The technical community, it is very often not aware about the political implications of certain codes or standards they make. The standards indeed, you know, the information age, it is a fundamental thing. With a certain standard, you can enable certain activities or you can disable certain activities.
 
I think nobody wants to enable criminal activities by introducing a certain standard.
 
We find there is no way out from the pressure that the policymakers and the lawmakers are working hand-in-hand and come together.
 
As I said, you know, the third thing at the moment, it is that we have the silos, and only really little communication, and my understanding of the call for a multistakeholder approach to this, it is primarily also a call to enhance the cooperation between the technical communities and a policy community based on trust and mutual understanding. This is difficult because they have different priorities, different values, different ideas about how to organize the work.
 
There is no way out, they have to come together and this is a complex challenge and I think this is also the great benefit of meetings like this, like EuroDIG, because while normally people in the ITF are sitting in their silo, people in the web consortium, they have their silos and EuroDIG pulls people from silos and brings them in a dialogue. Dialogue starts that you listen to the arguments of others and try to understand, and not try to impose your position to the other side.
 
This is, I think, a key question for the 2020 -- for the next year. We'll get much more with the Internet of Things and with Artificial Intelligence, much more technical devices based on standards which have far reaching political implications. If you have no understanding among the various groups, though you could put it up to a disaster, no one has the -- the only way to avoid this disaster, it’s to come together, to have a dialogue. There is no silver bullet.
 
>> CHRIS BUCKRIDGE: It is interesting to me to hear you use the word and concept of trust so much. I think trust is a concept that's become really central or used very much in Internet governance recently, I think it was part of the theme to last year's IGF actually and it is something that we hear sort of in the concept, the trust between the members and stakeholders. I think -- well, what I'm interested to hear from you, in the lack of that trust between, say public policymakers in the Internet community, technical community approach or the technical community, lack of trust in public policymaking approach, do you see specific characteristics that are impairments to those trusts or do you see strategies that would help build the trust across those eye lows that you're identifying?
 
>> WOLFGANG KLEINWACHTER: Two examples of policymakers, they really ignored the advice from the technical community, which undermines trust. First thing, it is Germany.
 
We have a law, you know, which in Germany it is called the Facebook law because, you know, a broad part of the public are frustrated with some rough comments, terrorist information or whatever which comes via Facebook and the German policymakers said okay, we have an obligation to give to Facebook to clean this, to avoid bad content.
 
You know, it is nearly impossible to define what is bad content. We have legal content, illegal content, but harmful content is not illegal. That means who makes the decision what is really illegal? Normally it should be done by a neutral third-party, by a court, but if the government -- if the policymakers delegate this to the corporation and the corporation uses an algorithm, then, you know, it is a totally misunderstanding of -- you know, then you delegate a public policy issue to fully code without any communication. You know, how to build this. Or you take the legislation, which is also confusing and probably harmful. This is the legislation to get the sovereign Russian Internet. So, you know, you say, okay, we have to be safe against foreign attacks which comes to Russia, but the consequences, it is that the root servers based in Russia, now they have a conflict because they follow the rules set by the root server, there is a document with 13 principles that includes neutrality, impartiality for the functioning of the root server. It is now the Russian -- they say to the root server now, to the Russian root server operating on Russia, Russia first, and then what can you do? So this is creating mistrust. These two examples, if you look at the German example, the Russian example, there is lack of communication between code makers and policymakers creating mistrust. If you want to come back to a certain trust you have to promote the dialogue. If there are sensitive issues, then you have a reduced transparency and you can have confidential communication, but I think every technical person will understand that there are some areas which are so delicate that it should not be negotiated everything in the public.
 
If the principle wants transparency, dying Rhode Island, then you organize the pressure in both directions so that the policymakers, they're not so ignorant against -- with regard to the codes, and the code makers are more sensitive because there are bad things in the Internet and you cannot allow, you know, code promotes, you know, the criminal activities or other activities.
 
In so far, you have to work hand-in-hand, but we have still a long way to go until we have reached this trust within a country and on the global level.
 
>> CHRIS BUCKRIDGE: I'm not sure who has control of the slide here. Is it possible to put up the slide with the Slido QR code while I'm speaking? Please, if there are people that have questions that would like to sort of throw this open to the floor and to hear your questions or comments, perspectives from anyone in the room.
 
I'll let you have the mic.
 
>> AUDIENCE: Hello.
 
I would like to ask Wolfgang, thank you very much for the example of the German law on the Internet enforcement first of all.
 
But I want to ask you how in your opinion trust can fix this? I think there is a misunderstanding on how Internet content should and can be regulated because of the definition of harmful content and I think the application of the algorithms is not, you know, the biggest issue here. The biggest issue here, it is the Human Rights and safeguards and basically the absence of truly defined borders of illegal and acceptable, and, you know, this case, when they remove some things from Twitter it, all of these, I'm wondering how actually trust can help here if the ground for this law is very wrong per se and technical issues are on the top.
 
Did you understand my question? I know maybe it wasn't that clear. I just want to hear about the clear ways, you know, how trust can help and not only in the general concept of trust. I think the problem is there. I just don't see how trust can fix it.
 
>> WOLFGANG KLEINWACHTER: I think any content related discussion is slippery. There will never be a solution where we can say this is plus and this is minus. Content depends on context. You know, one statement could be in a certain context, could be seen as acceptable, and in another context is unacceptable.
 
My favorite example which I use in my lectures, it was the conflict between the New York Times and President Nixon when the Pentagon papers were brought to the New York Times and the New York Times said, okay, it is our right, the people have a right to know about the lies of government and we have to publish the Pentagon papers and President Nixon of the United States said we're in war, this is a security issue, you know, security justifies the limitation of freedom of the press. The whole -- both sides had good arguments. The case went to the Supreme Court of the United States and they decided 5-4 in favor of the New York Times. So you can manage that complicated political issue, only case by case. You need the interdependence of the party. You cannot leave this -- the New York Times, the end of the President of the President of the United States of America. It is complicated.
 
There are thousands and millions of cases, you know. This is extremely complicated. To hand it over to an algorithm, saying, you know, do the work for us, it is complicated. On the other hand, you know, if I look into options which could help, you know, the first thing I have in mind, it is under ICANN. We have hundreds of thousands of conflicts on domain names and, you know, with the decentralized procedure, you have 90% of the conflicts on domain names that can be severed. If we have conflict related issue, 90% of the issues, they're really solvable in an easy way because the context makes very clear if you have an independent panel and they say yes or no.
 
The remaining 5% or so should go to a neutral third-party and not remain in the hands, neither the government if China tore in a private cooperation as in the Facebook law.
 
I don't know whether this satisfies you.
 
>> AUDIENCE: Sorry.
 
>> WOLFGANG KLEINWACHTER: This question has no answer.
 
>> AUDIENCE: Yes.
 
Actually, yes. Yes. I got your answer. I got how trust will play here. Yeah. Thank you.
 
>> CHRIS BUCKRIDGE: Since I asked for questions from Slido, we have two questions and I'll throw them out at the same time because they work nicely together. The first one that came in quite early when anonymous sender here, but it is what technical standards could benefit from more attention through public policy and in what way.
 
Then there is another question that's come in just more recently from Max from Google, he says do you think an open standard on digital identity and social networking is viable and worth pursuing.
 
The first one, it is a bit more open-ended, are there examples that maybe we can think about. The second one, it is public policy, interest and concern, do you see it as a space where maybe the standard might be pursued. I'm happy to throw it open to whoever has a ready answer.
 
>> GERBEN KLEIN BALTINK: On the second question, we have -- I think the platform meeting before last, we had digital identity as a broad topic on the Agenda. We tried to listen to experts from different universities, different backgrounds to see how we could work on something that would make it easier for all of us to gain again trust on identity, it either of an triple digits or an organization be it commercial or government so that you can have central ID or who is actually claiming to be somebody on social media. It was very interesting discussion. Not yet at the point of making any decision on a specific standard. We have heard great research ideas that are there, they're even available as demo and even as -- there are different ways to deal with digital identity that might actually help us forward.
 
We have not yet decided on what way we should try to promote that.
 
I firmly believe in avoiding fake news issues and a lot of that kind of stuff if you have transparent way of identifying, but always there should be a way to have the anonymous message as well. Not by accident perhaps that the first question was anonymous.
 
Sometimes you don't want to reveal your identity to just anyone. There can be a good reason for that.
 
>> WOLFGANG KLEINWACHTER: I'll add a bit to that. The second question reveals one of the difficulties that we're facing.
 
There is at least one, there are multiple open standards for digital identity and there is probably a champion as well. However, most of the interesting questions are not technical standards questions. Most of the interesting questions are the policies in how the identity is verified, what the requirements are for being anonymous, having a real identity, what the trust in the -- the assertion is the term of the identity, so on, so forth.
 
So technical standards is one thing. Of course, they should be -- they should enable certain policies without necessarily prescribing them in a way which means that there needs to be a cooperation and kind of an agreement. Sometimes the silos, the silos are a bit difficult because people try to develop these standards, whatever, not picking on any organization in particular, by second guessing requirements, or by not foreseeing the tremendous success a standard may have, that means that it gets used out of its primary purpose. That's the usual thing when we engineer and say this hasn't been designed for that, like the domain name system, it has never been designed to be universal, user facing string system with languages, so on, so forth. That doesn't mean we shouldn't use it like that today. It would explain, not excuse many of the things.
 
Let me maybe also go back to the first anonymous question, so, of course, attention is kind of a difficult word that scares me a bit.
 
Attention signals interest. The important thing is, before trying to regulate, it is important to understand not only a particular standard and what people think it does, but offers the ecosystem in which the standards, the standard, it will be -- it will be adopted or deployed.
 
Let me make that subtle distinction here. You mentioned the standards which is kind of a decision of a certain entity like your organization tonight saying, yeah, we're going to do IPv6 which you don't because you already have, but that's the one thing, deployment, it is the overall perspective on this, how do we see this on the Internet? That is something that policymakers should have an eye on and then engage into a discussion, what can or cannot be achieved by saying motivating the adoption of a standard or by suggesting certain steps.
 
There is a bad example in regulation, we hadn't mentioned DNSSEC already. The worst thing one can do, you make this a compliance dance and then say, well, by this and that date, everybody under our jurisdiction has to sign the DNSSEC domains and people can do that, there is a favorite example and I'm not quoting now, so what happens, everybody calls in the consultants, they set this stuff up, it looks like, okay, check, done, and then nobody uses this for a while until some people start using it and then they find out that these deployments, the adoption of standards have some technical flaws or issues on the operational side. Then the Internet breaks for a part of the population, quote unquote. It is hard to fix this, and of course once you have the incidents, the whole standard gets a bad reputation because it allegedly breaks the Internet. That's the extreme care and good motives don't -- and good motivation, they don't necessarily make good regulation. Yeah.
 
>> CHRIS BUCKRIDGE: Thank you. You have been patiently waiting.
 
>> AUDIENCE: I'm interested in the topic you're talking about. I'll focus on one, particularly the work, the code maker and the lawmaker, and it is kind of interesting for me from Taiwan to listen to the European, you're talking about trying to make an interface, a dialogue between the code and the lawmaker, and I really think about that, it is that even the code maker, the lawmaker, they are coordinated and maybe you're thinking about that.
 
At least in the European, you know, you have an independent system, and you really need to worry about is the code maker and lawmaker, is it the same one.
 
They're really the evil one, they're really trouble! And that actually is already happening. We knew that.
 
You know, so I think when you're talking about a code maker, a lawmaker, the difference in trying to find a dialogue, I think that's good. At least you have to recognize that the technical people also live in a society. You know, even, for example, the IT of engineer, they live in a society, they know what in society has happened. The real trouble we are going to face, it is about the one country, some country, the code maker, the lawmaker, it is the same one.
 
That is the reality. The reality that's the trouble for everyone.
 
Now only for other people, for their country, actually it is serious damage to the whole world, to the whole Internet in the world.
 
Thank you.
 
>> CHRIS BUCKRIDGE: It is interesting, the difference between the silos, the stakeholder groups being a healthy part of part of the system.
 
>> AUDIENCE: That's a point. It is different, but they may have a different view. You know, and even in Germany, they say -- we had mentioned about that, but at least you still have judicial systems. When you go to the court the judge will make a reasonable -- the final judgment or whatever.
 
Also the engineer has any standard, they're not closed at all, they actually opened the door. It they also live in a society, they listen to the different -- they may have a different point of view of the policymaker, but what I really worry about is not the one. The one that really worries me, it is this code maker it, lawmaker, it is the same person. There is really trouble.
 
>> WOLFGANG KLEINWACHTER:It is a good point. I thank you very much.
 
You know, the only -- we're moving from one problem to the next problem to the next problem. It is a never-ending story.
 
You know, one reaction to this, it is that we have to strengthen our accountability mechanism. That means if the lawmaker and code maker is one, and they make a decision, then we have to have reconsideration policies, we have accountability mechanism and things like that, all these things discussed. In ICANN, when we leave that alone, then we have to have mechanisms to keep ICANN accountable.
 
I think this is more and more, code and lawmakers, they have become united, then you have to strengthen the environment for accountability mechanisms.
 
>> AUDIENCE: It is based on the idea, when the lawmaker, code maker, it is the same one, there is disaster.
 
>> WOLFGANG KLEINWACHTER: I think of Siri -- but I'm an academic person and I have a right to speak about Siri.
 
>> CHRIS BUCKRIDGE: The next person on the microphone. You have been patient, thank you for waiting.
 
>> AUDIENCE: Thank you for this opportunity that I can state the question from the audience.
 
I come from Bulgaria. I represent the Civil Society organization, Media 21 Foundation.
 
So currently, with colleagues from other 14 European countries, my organization is involved in the European horizon 2020 project on social media and convergence. To one of the team, we're working on, it is the team for standardization. We explore this issues in Bulgaria, and we found a lot of interesting topics. My opinion is that this area is probably neglected and under explored.
 
I have to put my questions like this.
 
First of all, what is the opinion of respected colleagues on the panel about the prestandardization procedures, and what is the role of the prestandardization procedures bridging silos with the genuine standardization activities probably, but how do they see their role, and second to this, in my view, we speak a lot about technical standards concerning the Internet and for instance, this project tries to apply a more multiplenary approach, the problem is related to social media and convergence. We try somehow to see also this not only the technical aspects, but also to examine the social, the economic, the legal and political aspects of this process.
 
When we are ready, we'll present our results, but my question is, what is the role of this projects, and how do colleagues here see their impact generally on the standardization processes, and especially on European standardization activities.
 
Thank you.
 
>> CHRIS BUCKRIDGE: I'll throw it to the panel.
 
>> GERBEN KLEIN BALTINK: More or less by excellence. We had a staring Committee meeting a few weeks ago on what we call the secure email coalition and we have participants from societies, organizations, banks, Dutch Direct Marketing Association, people that are really in the ecosystem using email, but also social media for daily transactions. Part of the core business is how do I interact with my customer.
 
They see the tendency that it shifts from a direct order on a web shop or an email that's sent for ordering goods to using social media.
 
They start worrying about what kind of standards are applicable in social media and how can we make sure that they are trustworthy, that they are secured, that they are open, that if you don't have a lock in of a specific type of company that's behind the social media, so it was raised more or less as a generic issue. I would be really looking forward to see some results of your project to see what we can learn from that but we don't have yet an answer.
 
We're at the beginning of looking into what should we do, what can we do.
 
>> I'm not familiar with that project. It sounds very interesting. I would really like to learn more about that.
 
Getting some of the keywords here, when you mentioned prestandardization efforts, there is one important observation, of course, that standards don't appear out of the blue hopefully, but are themselves mostly a cooperative effort of sometimes even competing vendors, they're competing entities. However, in today's world, we observe interesting phenomena when it comes to deployment or even standardization we have entities that have a bigger power, of course, not only of being able to send more participants, engineers, developers, coders, whatever, to standards organizations, but also by being able to at a snip of a finger being able to deploy part of the newly developed standards to their population, the population includes both hardware and the people behind that. That usually gives you an extraordinary weight in being able to prove that certain things work one way or another, do or o do not do harm to the rest of the Internet, so on, so forth.
 
That's definitely an aspect to talk or think about.
 
The other part, because of the societal aspects, so forth, so on were mentioned, I'm not sure I got this right. At the risk of responding to the side of the question, at least in the ITF which I don't speak for, but I have some exposure to, there is an increased awareness at least for Human Rights aspects of protocol development and there is an effort in the Internet research task force to review newly developed standards or to be on the few standards, you develop most of the standardization work today, its maintaining and enhancing existing standards, but still in terms of central control, encryption, as vehicles for defending, enabling Human Rights as freedom of expression, right to privacy, so on, so forth, this involves experts of those fields -- what I'm trying to say, that is already approached in an enter disciplinary way by engineers talking to privacy issues, Human Rights experts, and that means the same -- that meets kind of the same level of difficulty that was one of the initial questions about the trust and trust has two enemies there, maybe we can get the bridge to the other topic as well, the enemies of the trust are different languages, that different communities speak and that makes it hard to communicate to each other and, of course, the complexity of the topic, not only the technical complexity but the complexity of the policymaking environment and also the complexity that is behind say preserving Human Rights and the whole -- the real life in that case. That definitely is complicated. If that doesn't answer the question, I would like to continue that offline.
 
>> CHRIS BUCKRIDGE: I was wondering if somebody would bring up the word that's going around, I know that Neil is onsite somewhere, but as an interesting example of trying to maybe modify technical community processes to be more accommodating of public policy concerns or public interest concerns. That's an interesting example..
 
We have a comment through the traditional remote participation.
 
>> We have a question, what is the role of Best Practice standards versus laws? Gives the country legal system and they'll each deliver differently.
 
If it is not clear enough, I have a question.
 
>> WOLFGANG KLEINWACHTER: Best Practice versus laws?
 
>> Best Practice standards versus laws? Probably aiming at standards coming from adoption, I think that's the Best Practice versus the standards within laws. This is my interpretation.
 
>> WOLFGANG KLEINWACHTER: It is simple, a law is adopted by parliament, it is legally binding legislation.
 
Best Practices, code, the ITF, voluntary standards, power, it comes from the general respect of the community. It means if everybody follows the standard, there is no need to make it legally binding because it is in your own interest, it means that -- that's my understanding from Best Practice.
 
If you see this works in one country, and so this is good practice there, by the way, I prefer good practice and not Best Practice, because Best Practice means it’s just one model. The best one.
 
You know, you have good practices and you can be inspired by a number of good practices and then to find your own solution for it. It is not legally binding but it is a guideline which is helpful and sometimes can be more powerful than the law because often laws are ignored or irrelevant or trust remains on paper and nobody is following as long as it doesn't come to a it concrete case that you violate the law and get a conflict through the court.
 
Best Practice, it is extremely helpful, instrumental, good practice in the Internet world where you have such a flexibility because law, although it is aimed to bring stability to a process, and sometimes legislation reduces the flexibility for innovation and that's the way to speak about innovation without -- it means that you have not to the go to a place and to get permission to innovate something.
 
This has been regulated in a law.
 
So far, laws are good legislation, they're needed, but it is just one element in the much broader picture where you have a lot of voluntary codes, guidelines, flexible elements like good perspectives.
 
>> CHRIS BUCKRIDGE: I guess we have also maybe a bit of a Spectrum in terms of saying ITU recommendations for being between the two. I'm often incorporated in national legislation but coming from maybe slightly more technical development process, but -- yeah.
 
>> PETER KOCH: I was going to add that first of all, Best Practices, good practices, we can argue about that, our practices, which is that obviously things that people already do. To that extent, they work and being qualified as Best Practices, they should work well and they can be change. They do change over time actually because often it is called best current practice, at least that's the trade name that's used and these are again changed over time. Maybe quicker than what at least I as a non-lawyer would expect from laws, it is that it should not try to follow every trend to quick -- too quickly but should be broader in perspective or more abstract in viewing a particular scenario.
 
So one cannot be a replacement of the other. It is like you have traffic rules, you have them he encoded in law and regulation and then the practices that hopefully most people follow those and then there are these tiny tricks where people do things that don't violate the law but they're not encoded there and it is just good practice as ins waving rights to go over something like that.
 
Different angles actually.
 
>> There is a very good Example of Best Practice of the Internet standard, thinking of it less than 30 years, almost everybody already can get on the Internet, I think that's Best Practice, but actually I have another question, it is in just a few minutes ago when you were talking about the -- it is my personal opinion, it is my personal view, I think that this is just too late. We just kept pushing that DNSSEC and it doesn't help. It is a waste of resources. Even though -- I was involved before, I promoted DNSSEC, but to be honest, as a technical, I think DNSSEC just is too late, it is a very difficult to accomplish the original purpose.
 
>> CHRIS BUCKRIDGE: What is your proposal?
 
>> GERBEN KLEIN BALTINK: You have DNSSEC plus plus?
 
>> I think that the technical people know that. The resources. It consumes a lot of resources. To certify for the domain name, the original purpose, it doesn't help anymore because of the Internet environment, it is more complex than what we think about. If you are excelled to use the domain name and the IP address, it may be KPI, it is possible to be success, because RPKI, it is introduced much earlier -- well, I mean -- before the trouble happened, we began to work on this. And RPKI tried to prevent people hacking the IP address and then maybe can help. But the DNSSEC, to be honest, I think here as technical people you know that it is just too late.
 
>> CHRIS BUCKRIDGE: Possibly if I could take it to another level here, a bit more generic level, the question I think that stems from that for me is when there is a public interest in having something, some security, some aspect of the Internet secured and there is a failure, let's call it that, on part of the technical standards technical community to make a standard that's adopted --
 
>> And to code off --
 
>> And then what is the next step? The public interest, public policymaker, they have a clear interest in this, technical community hasn't come through, what's the next step? What happens then.
 
>> PETER KOCH: Tough question. Trying to -- I would agree that the DNSSEC has problems at a large scale. I would also think that we as the technical community, the Internet community at large and, however, you phrase that, we haven't done the best job in explaining the necessity.
 
We have for too long been trying to explain that this is making websites even more secure and so on, so forth.
 
Whereas, the benefit of this, it helps make the DNS a -- I need to I plain what I say now in -- I need to explain what I say in an additional sentence. Bear with me. Make it a fully reliable building block in the Internet architecture. When I say make it so it doesn't mean that the DNS is not reliable today, but one of the issues, it has into the addresses, it is that the authenticity is not in there.
 
That doesn't necessarily mean that there is a practical problem today, we do have lots of labs, experiments to exploit the vulnerabilities.
 
But on the practical side, talking about Best Practices, many of these have been addressed.
 
New ones come up. This is all -- this is Band-Aid on Band-Aid on Band-Aid.
 
DNSSEC would be the best engineering way that we could come up with to address the problem at the very technical core, root -- not the root of the domain system but the root of the problem I should say. However, again, we have been relying on the market making this happen. There is no market for this. DNSSEC is not a product and this is the core question.
 
We do have standards where we know they should be deployed, same holds for v6, the pressure is bigger, no v4 anymore, but on whatever market next time. But the pain, it is not felt enough with DNSSEC. If we just rely on people will get interested in this by the next incident and so on, so forth, no websites are secure, we have this, we've that, that's not the part, it is a very, very subtle or different piece of the Internet architecture that's far, far away from websites which is important to make it possible to rely on DMS for other things like Dane, as you mentioned, that makes email more secure, and so -- we have -- I'm sorry, that's the computer science education. We have a lot of indirections here and that goes back down.
 
I can't explain or can't sell this to you, you need to have DNSSEC because it helps you make Dane, whatever that is, and that makes -- that final part should be obvious, making email more secure, making it more reliable, helping people to encrypt email in transport at least, these are achievements. Now you learn by the way I'm not a marketing person, but this is something that we need to further explain and to get it -- to get it disseminated.
 
>> Let me make it easier.
 
>> Okay.
 
>> Because the DNSSEC, from ICANN, now the question is, do you expect the government to have policy to ask, you know, in the industry only of the computer system to install the DNSSEC? This is a difficult problem right now. Many governments around the world, because ICANN, what you have met, the security, making it better, the document name, it is more secure, you will continue to hear policymakers, they'll continue to ask at least to me do we enforce the DNSSEC implement to every machine? To be honest, I can answer and say yes. Even I can -- I come from the ICANN board, I know this is just too late from my point of view, that hard line, it is gone.
 
Just like you say, the DNSSEC no model to make it survive. So to make the question easier, are you hear to tell all the government policymakers they should enforce the DNSSEC or you still have question about it?
 
>> You raise a very valid question. We're lacking interest in general to implement security or things that protect us in general when it is really necessary. We do it often afterwards.
 
If you look at safety belts in car, we have been using cars for many years before the first safety belts were there, still today, in the Netherlands, where it is obligator and throughout Europe, you will see a few people not using their safety belt in the car.
 
They are a real exception. A real exception.
 
Has it taken too long? I think it has taken a very long time.
 
The big campaign in the Netherlands, it started in 1974, and you still will see signs in the streets and around the highway asking people in their car to use their safety belt so implementing standards does not come from me asking the Dutch people to do it and then a few days later it will be there. Not going to happen.
 
That's not disbelief in my capabilities, but that's reality.
 
What we do see, the Dutch government does require, I'm not speaking on behalf of the Dutch government, but I can explain it -- they do require DNSSEC in every new solution they ask for. So the Dutch government says whatever you deliver to us make sure this is in place.
 
We now see a movement in Europe where governments are talking together on secure email and what is called a new initiative where they say, well, we should sit together and have our governments together ask the main suppliers to implement the DNSSEC. At the very small level, in our Dutch Internet standards platform, we have invited the large, the big five, and then often the Dutch representative comes, they come, join us, listen to us, they can actually tell us that they are working on making sure that in those big -- you can understand what I'm -- what I was going to name, not any brands, but the big ones, they're really willing to implement it within the next few six to nine months. If they're doing that, then a lot of end users will have the benefit.
 
If everybody with then start doing this DNSSEC on their own, I completely agree, it’s a lost case.
 
I still have the belief that it is a solution we can use within the scope of the next one, two, three, four years, it is not the end solution, and if we think about how that could be done differently, we may be talking about a complete new vision on Internet architecture on what we want to achieve with the Internet and for us, it is simple, we just want an open, free, secure Internet and we need some standards and they may not be the magic, the silver bullet, the magic solution to all of our issues, they, at least, will raise the level of security and the level of awareness, and therefore protect many users in using visiting domains, using sending receiving email and that's the reason I still support it.
 
>> CHRIS BUCKRIDGE: We're going to the end of the session here. If I cutoff the panel, we have one last question, you have been patiently waiting as well. Let's let you ask that.
 
>> AUDIENCE: Thank you. I'm from Austria.
 
Two questions for Gerben Klein Baltink, coming back to the beginning, where you said we need to bring the technical and policy conversations together in a more systematic manner, how do you evaluate the E.U.'s performance on this over the last 30 years after the treaty and how do you project the E.U.'s way forward on this? In other words, can or should this conversation be brought under the roof of one single institution, or would this be a faulty idea to begin with.
 
And my second question is, can the Internet governance community learn anything from the climate transition community in bringing these two worlds together? The technical and the policy worlds?
 
>> GERBEN KLEIN BALTINK: Good question and it is always difficult. I give marks to the policy of the European Union with its A, B or C. So I this I that the European made progress, if I compare the European Union Internet poll sip in the 1990s, there was nothing, and they have evolved, they have a number of good Commissioners, sometimes they came with proposals, I don't know if you remember the 10 +1 proposals and the intergovernmental council, it was with ICANN as a non-state actor in the council, the Commissioners, they often had ideas which were unrealistic. But from the speech that was given this morning, I feel encouraged that there is more and more in a new generation, probably women, now understand the issues much better than the older ones and it is up to the new commission and we'll have that in a couple of months new Commissioners to take the next step.
 
Sometimes if you discuss with people from the understanding, the multistakeholder, it is a multiparty negotiations between the parliament, council, commission, the multistakeholder approach, it means the really open consultations with all stakeholders from the private sector, it is a little bit underdeveloped in the -- they prefer to talk to the lobby organizations from the private sector and they listen to Civil Society uproars in the streets if I see the debates on copyright reform. In the end of the day, all of this is ignored and it is top-down, that means let's wait and see what the new commission will do.
 
Personally, think that climate change and instability in cyberspace, they're different, you can't compare them, but if the young generation for the future are arguing this is the future, climate change and if you ignore this, then we will have no future, I can't imagine just assuming that young people will be in the street saying this is the future, cyberspace is our future, if you are unable to create a stable cyberspace which offers freedom and security and openness, so in so far, yes, the teenagers of today, they can learn something from the future developments if they look into policymaking for the Internet in the next 20 years.
 
Let's wait and see.
 
Again, let's see what the nut commission will say. My information is that the commission for the Information Society, it has to be a vice President of the commission or something like that. It is not a job I can do with the left hand. It is crucial for the future of the European Commission, in particular because Europe is risking between to be sandwiched, the 2020s, it will be a technology war between China and the U.S. and the Europeans will either watch or become sandwiched or push for the rule of law. So far, it was good to hear saying, okay, what the Europeans can bring to the global debate, it is the rule of law. That's -- that would be a good contribution.
 
You.
 
>> CHRIS BUCKRIDGE:
 
We have 6 minutes left according to my Apple it device here. We have had Cedric Amon pulling together brief messages that attempt to summarize, capture the spirit of the discussion in quite a brief way.
 
They're on the screen here. We'll leave them there we'll post them to the wiki page, if you have comments on them, think there is something missing, something that should be tweaked, you can certainly make those comments via that.
 
Yeah. I think we'll leave those there and leave them on the screen.
 
I'll sort of ask for final comments briefly.
 
>> GERBEN KLEIN BALTINK: The only thing to repeat, let's make sure together that we keep the Internet open, free and secure and do our very best to achieve that.
 
That will not be an easy thing to do.
 
It should be our mission.
 
>> PETER KOCH: Yeah. What you said. Maybe trying to respond to a final question there, it is clear that the well-intended interference of regulation with the standards can have unintended side effects on the stability of the network. At the same time, that does not imply that technical standards of the Internet itself is outside any regulation forever and for all.
 
There needs to be a dialogue in that direction or on that topic as well.
 
We are here to continue that.
 
>> CHRIS BUCKRIDGE: Final word for you?
 
>> WOLFGANG KLEINWACHTER: More dialogue. Dialogue, dialogue, dialogue.
 
>> CHRIS BUCKRIDGE: I agree.
 
Ironically enough, we'll cease the dialogue now for at least this session.
 
Thank you to all three speakers. Thank you to our message taker and our remote moderator. Thank you for joining and taking up the invitation to join the discussion.
 
It has been a pleasure. I hope -- I think it has been a very interesting session.
 
Thank you all.
 


''This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
''


[[Category:2019]][[Category:Sessions 2019]][[Category:Sessions]][[Category:Technical and operational issues 2019]][[Category:Development of IG eco system 2019]]
[[Category:2019]][[Category:Sessions 2019]][[Category:Sessions]][[Category:Technical and operational issues 2019]][[Category:Development of IG eco system 2019]]

Revision as of 11:11, 26 June 2020

19 June 2019 | 14:00-15:30 | KING WILLEM-ALEXANDER AUDITORIUM | Video recording | Transcription
Consolidated programme 2019 overview

Proposals assigned to this session: ID 123, 132, 140, 150, 168, 172, 175, 198 – list of all proposals as pdf

You are invited to become a member of the session Org Team! By joining an Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the session mailing list and answer the email that will be send to you requesting your confirmation of subscription.

Session teaser

  • What are the intersections between public policy and technical standards? To what extent public concerns over security, privacy and encryption can be addressed in standard making processes and orgs?
  • What is the impact of the new technical solution on the functioning of the internet? How the deployment of new technical standards and policies changes the internet?
  • What is the impact of the lag between the deployment of standards and their adoption?
  • What are the market dynamics at play in the adoption of technical standards?

Session description

There is a growing need for continuous dialogue among various stakeholders’ groups related to policy and technical standards, fueled by the growing attention about the regulation of the internet concerning also its political and technical approaches.

Currently, the understanding of the technical layer of the Internet is still limited in the policy circles. The aim of the session is to involve all constituencies in the discussion about the intersection between policy and technical standards. To understand the dynamics at play in the adoption and deployment of the standards and how they are influenced by political, economic, technical and security aspects and also by individual motivations.

The session is opened by introductory overviews by panellists coming from different stakeholder’s groups to give the audience valuable insight into technical issues. The subsequent discussion will provide answers on key challenging and newly-emerged questions as well as illustrative examples to debunk acronyms and technical terms.

KEYWORDS: standardization and deployments of new protocols, implementation of existing standards, interoperability, fostering DNS over HTTPS/DoH, TLS-connections and the role of regulation or self-regulation of DNSSEC, IPv6, RPKI, QUIC, IDNs and Universal Acceptance.

Format

The session will be organized as a panel discussion with live interaction with the public. The panel comprising representatives from different stakeholder groups together with strong moderators will outline the hot topics of this session. There will be a lightning introduction provided by panellists at the beginning of the session. In addition, the panel will open a discussion allowing the audience to use live questions and to voice their concerns related to the main points and discuss them within this environment. This session should lead to stimulation and interaction of serious discussions by contributions of various stakeholder groups that bring new conclusions or most probably new crucial questions for the wider public. Besides using EuroDIG remote participation tools, there is also an online platform to submit questions to being discussed during this session. Please join and access live interaction on https://www.sli.do/ by entering event code #4347.

Panelists:

  • Gerben Klein Baltink, Dutch Internet Standards Platform
  • Wolfgang Kleinwächter
  • Peter Koch, DENIC

Moderators:

  • Chris Buckridge, RIPE NCC
  • Andrea Beccalli, ICANN

Further reading

Until .

Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Website of EuroDIG

People

Focal Point

  • Andrea Beccalli, ICANN

Organising Team (Org Team) List them here as they sign up.

  • Peter Koch, DENIC
  • Wout de Natris, De Natris Consult
  • Amali De Silva-Mitchell
  • Zaneta Vinopalova, ICANN
  • Adam Peake, ICANN

Key Participants

Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.

  • Peter Koch, DENIC
  • Wolfgang Kleinwächter
  • Gerben Klein Baltink, Dutch Internet Standards Platform

Moderator

The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers.

  • Chris Buckridge, RIPE NCC
  • Andrea Beccalli, ICANN

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

  • Cedric Amon, Geneva Internet Platform

The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

  • The intersection between public policy and technical standards does not rely on the implementation of standards alone, their adoption and recognition is equally important. This is where the dialogue between the policy-makers and code-makers comes in, it should be aimed at breaking down silos.
  • It is essential to bring down the barriers between the policy-making and code-making communities. The multistakeholder model provides the necessary framework to achieve this and must be further enhanced to create more trust and better understanding between the communities. Trust between the stakeholders can be achieved once the respective stakeholders have a greater grasp of the complexity of the fields of their partners.
  • Applying standards is not the only way to make the Internet work. There is an important role for each method and mechanism of the rule-making arsenal wherein good practices might provide very strong (but voluntary) mechanisms, without the (often) innovation-hampering elements of a law.


Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/sessions/intersection-between-public-policy-and-technical-standards.

Video record

https://youtu.be/UDYhYE2mHeU

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234, www.captionfirst.com


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.


>> CHRIS BUCKRIDGE: There was a slide to go on the screen here. Can we perhaps have that appear?

There we go.

We'll let Wolfgang get his microphone and they can we can proceed.

Maybe while we're waiting it is useful to have a slight housekeeping point: We're a pretty small group here. I hope we're all a friendly bunch. You're very welcome to ask questions at the microphone. I hope we'll have an active discussion because we have a small panel and I don't think it is going to be sort of extensive discussion just from the stage. We're also trying something with Slido here allowing you to ask questions online and if there are questions that are asked and you see them on the side, you can upload those so we can see if there are particular questions that people have a burning desire to see answered by the panel or discussed more openly. Yeah. The link, it is there. For those of you with handheld devices and cameras, hopefully the QR code will take you straight there and make it very straightforward.

All right. Thank you all for coming back after lunch. I hope we can keep this interesting and not have the sort of post-lunch slump.

I'm Chris Buckridge, I work for the RIPE NCC. It is a company based in Amsterdam, very much part of the Dutch Internet community and the broader European community. I'm going to be moderating this session today, which is -- it is not there -- it is -- I have lost the title -- it is about the intersection of standards making and policy and how standards can help address public policy issues and concerns, and whether there is a fit between the different models, different approaches.

We're also going to have Andrea Beccalli from ICANN here.

>> ANDREA BECCALLI: Hello. Good afternoon.

>> CHRIS BUCKRIDGE: As co-moderator and he'll be roaming the floor, trying to get people to speak a bit more. I hope we'll have an active discussion with everyone in the room.

This session is following on and building on the session we had prior to lunch. I think interestingly, the opening session we had this morning as well, I think really from the opening of this EuroDIG we have had a strong focus on some of the practical ways that Internet governance concerns or issues are being addressed through cooperation, through focus on specific technical practicalities among standards and other things. That's part of what we want this panel to discuss, to build a little bit on and to maybe look at where those intersections happen between practical policymaking, public policymaking I should say and the more Internet-based approach of standards making. Are those two approaches able to achieve the same goals or mutually beneficial goals.

We have three panelists, Wolfgang Kleinwachter on the end here, I think probably needs no introduction, but very well-known figure on the European Internet governance scene, I think coming in here bringing a lot of his experience from the ICANN board and days of an academic and work he's done in founding EuroDIG and the global Internet governance ecosystem.

We have Peter Koch here from DENIC, I think he's going to actually open this with a bit of a summary of some of the issues that we're going to talk about and really set the scene a little bit more practically and specifically than I am.

We have the Internet platform standard -- sorry, I -- I have --

>> GERBEN KLEIN BALTINK: It is always difficult I think in Dutch. Gerben Klein Baltink.

>> CHRIS BUCKRIDGE: Thank you. I apologize.

To build a bit more on the work that's being done particularly in the Dutch community about standards making and how it can really address some of these concerns.

So with that, let me throw to Peter who I think will probably be able to open this discussion up a little bit more.

>> PETER KOCH: Yeah. Thank you.

Thank you for the introduction and opportunity to share a couple of thoughts in the beginning. The idea is that we have this crisp title for the session, and we want to give some meat to it to explain what we had in mind that we might want to talk about. As Chris already mentioned, this connects to the earlier session in the morning and the previous panel, maybe from a slightly different angle in terms of how does technical standards making react to public policy concerns, public policy tasks, requirements or stakes I should say, and also how can those technical standards maybe even preempt or prescribe standards and whether or not that is a good thing and whether we address that and the other perspective that's before we heard this morning, there is a lot of technical standards, a lot of them are used, we have an Internet, we couldn't connect, there is another set of standards, number of standards, where we don't feel we see enough deployment to either address security concerns or otherwise react to the challenges of today's Internet. So let me just throw some words into the audience, and I really tried to use words, not acronyms, we want to make sure this is not a technical, engineering panel, we're really trying to bridge between where the standards come from, and how they get deployed and what that means and where the connection between the policy and the tech part is.

So one thing is that usually we -- on the Internet we talk about freedom to innovate, freedom of innovation. That, of course, has multiple levels to it. One, it is that, yes, you can make up the next workshop, the next Facebook, nobody will stop you. On the other hand, of course, you have to convince your own customers and perspective customers and that's on the application at the business level. However, there is a very technical perspective, component to this, it is that as you have heard already a couple of times and in the end, at the end of the day, anything that goes over the Internet, it is chunked up in small packets and they go their ways, different ways back and forth. There is no technical prescription of how such a packet is, there is a description of what the package should look like but not the content and whether the packet itself is good or bad. That's the basic idea to innovate on the protocol level as we would call it and -- as when there was no web, people were just able to invent the web, the hyper tech transfer protocol, and laid the roots for what we see with the web today. Same thing with video streaming and you name it.

That's the freedom to innovate. There is also this other concept when we talk in technical circles about the standards, standards are recipes or protocols and standards that are communication descriptors. The basic idea is that if two people or two entities talk to each other, they need something like a common language or at least a common protocol, as you know, like we say good morning, good afternoon, back and forth, we have a conversation and we go there.

We have had a list of standards in the morning, and we saw that some have been deployed and others haven't so much.

There is no central control on the Internet, what you have, what you don't have to speak to be part of the Internet. Basically, yes, you need the Internet protocol but accept from that, anything else is voluntary. That's the voluntary adoption of standards.

Whether or not you do encrypted web traffic, you do unencrypted web traffic, that's basically the decision of anyone that provides a website except that there may be peer pressure to go a certain way and we have been through that after the Snowden revelations when there was a big, big move towards encrypted traffic on the Internet, not by some entity just saying it should happen. It was by a bunch of entities that gave some more carrots than sticks to motivate people to go these ways.

Again, the web, it is kind of a high-level what we call the application level kind of. There are other parts of the Internet, those are standards that were mentioned earlier like DNSSEC for original authentication in the DNS and they obviously are a bit harder to deploy because the further we get, the closer we get to the core of the Internet, the more we get to very technical details and we get to a situation where not one entity can just say I do this because remember, we need the protocols to interact. Somebody just changing to the next language, that is hip these days, doesn't make communication any better. One entity moving to IPv6 and hoping that everybody would follow, that didn't work.

There is, again, no central control, and this is a feature, not a bug, that could say by this and that date, we call this flag days and there has been a single flag day at the very beginning of the Internet when the previous network was kind of changed technically and we moved to the Internet, but since then, we have never had any flag days where any one entity says as of tomorrow, we only will have encrypted websites, as of tomorrow, we'll all have DNSSEC, this is not how it works. It needs collaborative efforts, collaboration and cooperation to deploy is what we say, to deploy the standards. Deploy means we do have products, there is software. People actually decide, yes, we're going to sign our DNS zones, for example, yes, we want our website, our whole Internet traffic to be ready for IPv6 so that the next billion can connect to us and we can connect to them and we also can better connect to the rest or the couple of billions that are already there. No central control, voluntary cooperation. The DNSSEC and IPv6 are examples where you can't jump ahead. We have seen other standards which is a combination of those, no matter the acronym, it helps to distribute or helps foster encrypted and secured communication on the Internet by helping the endpoints to identify themselves by means of domain names. That's a very rushed explanation. I hope I didn't hurt anybody's feeling but that's roughly what it is about.

In those cases, it appears that it is easier to go this step. Any he went it I can decide, well, I have an alternative means of identifying myself, and here is what I do. However, in these cases, one entity is saying here is my new identity, that looks nice, and we can measure that, it is good that this is done, the compliance is measured, so on, so forth. If you have a new passport, nobody knows how to use it, you will have trouble to cross any borders. In those cases, there is, again, two sides that need to -- that need to cooperate and to deploy the standards in terms of not only the part that publishes information, but the part that consumes the information, it needs to be ready for that.

Again, one side doing the new Internet protocol doesn't help because Internet protocols are formality communication. We have these examples that I guess we can dive into these topics a bit deeper. That's the one part of it.

I'll jump to a completely different thing that was also submitted and you should not forget that we have compiled this panel out of a couple of submissions, of course, and the other part, it is that sometimes, of course, engineers are very objective, always only focusing on the technical side and never, ever susceptible to policy influence. Therefore everything in the technical standards is fine. Imagine it wasn't. Somebody would say that, oh, yeah, there should be something in the standard that would allow, say, interception of encrypted traffic and we have had an example like that when the Internet engineering task force standardized the next version of the transport layer security, which is what encrypts the website in transistor other traffic, it I should say, and they were strengthening the description of the protocol in a way that it would make it hard to impossible to intercept the traffic in feasible ways.

There was a big discussion going on, because there were entities that had a stake in being able to intercept this traffic, that's not only law enforcement but also people that claim that for compliance reasons, for example, we need to be able to look at traffic that is crossing our enterprise parameter.

In the end, the side that was in favor of the strongest encryption prevailed. However, voluntary adoption of standards and there are other standards organizations. In this case, it is, for example, the European telecommunication standards institute, it had been working in parallel a bit on an addition, I think it was called, to the protocol and they called it enhanced protocol in that way, and guess what? That included this on the fly opening of the encrypted traffic by certain means and not going into the technical details.

What happened here, a standard developing organization is going one way, another is piggy backing something on it and we could say weakening, we could say enhancing the standard so now we have different standards to choose from.

The fact that at the European organization, the European standards, quote, unquote, get preferential treatment in some circles makes this decision and scenario very, very interesting. So that is a mix of policy where the standard kind of gives the policy decision, you can or you cannot intercept traffic while adhering to the same standard. I guess we can leave it with that and have some further -- unless my copanelists want to add anything.

Thank you.

>> CHRIS BUCKRIDGE: Thank you, Peter.

I thought maybe it would be useful to go to Gerben next.

As I noted, I'm sure some saw you speak this morning, but it would be good to reiterate some of the introduction you gave of the platform for standards in the Dutch community that's been pulled together. I think it is really interesting, I think Peter has laid out one of the reasons why standards are important, and why standards of development happens the way it does and has to be a certain approach and open and incorporating the different iterations and perspectives. It is interesting to me that the Dutch community has put so much importance on the development and adoption of standards to the extent that it has this multistakeholder kind of platform which brings people together to discuss that.

Maybe, yeah.

>> GERBEN KLEIN BALTINK: Sure.

What I tried to explain this morning, we selected a few standards that we thought were very important for the future for the Internet, stay open, free, secure.

There are many more standards to choose from. The good news may be when I had a new job description back in 1994, there was a big chart in my brand-new office that was dealing with Internet standards and there was a small sentence in reading the small print underneath, and so I was moving towards the chart, I noted the good thing about standards, it is that there are so many of them. So the work of standardization bodies will never end. It is a never-ending story in itself, sometimes because we want to improve things or repair things, piggyback on existing possibilities to make something else possible, but basically standards are there to make our lives easier as a basic thinking.

The problem is, not all of them are open. When a standard is not open, it may help you to facilitate communications or using software, hardware, whatever, but as long as you don't know what's going on behind it, you may have the problem of fender blocking or controlling what you're doing, the digital standards, that's the kind of thing we want to promote. We sat together in 2014 and we said if we want, really want, to have an open, free, secure Internet, we have to worry about a number of things. One of those things is the way people are able to implement standards, and a number of people that are actually doing it. So our approach then was that the easiest thing we could do is start measuring how organizations in the Netherlands apply those standards and try to find reasons behind why they did not implement a specific standard.

So we were not there as the standards police trying to focus on who does it, who doesn't, and then starting with fines, with sanctions, we were there to listen to organizations, why did you not yet implement the intersect, is there a reason, is it expensive, contradictory to what you believe in as an organization? We fully realize that implementing standards is not the only way forward. It is not -- to have the open Internet, when you only adhere to the modern standards, you have to do much more. You have to make sure that governance is in place in a good way, that you have education available and access, that there are no issues of further consolidation and fender blocking, but that's partially outside of the scope of our Dutch Internet standards platform.

We focus on a limited Number of standards. We're listening to the broader community to hear if additional standards should be added to that list and if we try to help people who want to implement the standard, but we really also are trying to listen to people to tell us that we have chosen something wrongly or that it is way too difficult to do, for example, that this policy is okay, that the policy, the reporting, the monitoring, that's a lot of work.

We try to listen to those people and find ways to communicate that as a small addition to what I mentioned this morning.

>> CHRIS BUCKRIDGE: Quickly to respond to that last part, I think it is interesting to me that the platform is about the adoption of standards, obviously there is also the development of standards, it is another process and I presume there is a sort of iterative process, getting feedback on why certain standards were not adopted. Is there a way that the platform -- is there an approach that the platform has to sort of feed that feedback back in the development process to maybe sort of -- is that something that's beyond, as you said, the scope of what you're trying to do.

>> GERBEN KLEIN BALTINK: It is a bit beyond the scope. We try to communicate through our members towards ICANN and ITEF to make sure that there is input from our community to them. This process in which people participate, not on behalf of the platform, but on behalf of their own organization already either be it for example RIPE NCK itself, ISOC, other members of the platform, they have their own agreement where they participate in the standards development. We listen closely, sometimes we give a hint, but we're not party to the development work behind standards.

>> CHRIS BUCKRIDGE: Thank you.

I'm going to go to Wolfgang Kleinwachter for initial thoughts. I would certainly encourage people after Wolfgang Kleinwachter, there are some questions coming in, I would like to see people coming to the microphone.

If you have questions, prepared and ready to go, please come to the microphones.

I think sort of do you have sort of a perspective on this? Obviously having worked in this field, and certainly where the intersection of standards and public policy, what's your take on this?

>> WOLFGANG KLEINWACHTER: You know, I want to broaden a bit the perspective.

As you know, data is a layered system, you have on each layer you have policies and call it standards, code, law, whatever, and it is not only the intersection between policy and standards on one layer, it is also the intersection among the various layers.

I think when -- 20 years ago, meanwhile, 20 years ago, the famous book was published by Larry, he was quoted always with just one sentence, the shortened version that said code is law. So this is the lawmakers. You know, lawmakers normally for hundreds of years, wherein the position to make law, technical innovation. When telecommunication broadcasting developed. The first thing was a broadcasting law which then defined the space for the code makers. The Internet turned this around now to code makers, they're creating the space which then has to be filled by the lawmakers.

So you saw a certain competition between traditional law for public policy issued, it is public policy, it is not policy for certain technology, and to code.

I think this has an added dimension to the traditional discussion you have on one layer. You are operating on the more technical layer and then on the public policy layer, and this is now in the middle of the whole thing, it is rather complex and difficult.

Even if you remain on one layer, as Peter has made rather clear, you know, in the discussion which is more of a governmental organization, they said, okay, here the code makers, they have to follow what the lawmakers want and in the ITF, the code makers, they say, okay, we have our own value system, our own idea, and then, you know, lawmakers said -- they make the law on the basis of the code we have. So far we have a situation, this is not settled up today, but a permanent battle between code makers and lawmakers.

This is bad.

You know, this arm twisting, the who has the final say, it is not helpful, neither for the network, nor for the users, nor for the stakeholders. The way forward would be enhanced cooperation amongst all stakeholders so it needs to be on one table.

The problem here, it is that certainly lawmakers have a limited understanding of the technical issues, that means that they have to trust the technical communities. It is a question of trust and vice versa. The technical community, it is very often not aware about the political implications of certain codes or standards they make. The standards indeed, you know, the information age, it is a fundamental thing. With a certain standard, you can enable certain activities or you can disable certain activities.

I think nobody wants to enable criminal activities by introducing a certain standard.

We find there is no way out from the pressure that the policymakers and the lawmakers are working hand-in-hand and come together.

As I said, you know, the third thing at the moment, it is that we have the silos, and only really little communication, and my understanding of the call for a multistakeholder approach to this, it is primarily also a call to enhance the cooperation between the technical communities and a policy community based on trust and mutual understanding. This is difficult because they have different priorities, different values, different ideas about how to organize the work.

There is no way out, they have to come together and this is a complex challenge and I think this is also the great benefit of meetings like this, like EuroDIG, because while normally people in the ITF are sitting in their silo, people in the web consortium, they have their silos and EuroDIG pulls people from silos and brings them in a dialogue. Dialogue starts that you listen to the arguments of others and try to understand, and not try to impose your position to the other side.

This is, I think, a key question for the 2020 -- for the next year. We'll get much more with the Internet of Things and with Artificial Intelligence, much more technical devices based on standards which have far reaching political implications. If you have no understanding among the various groups, though you could put it up to a disaster, no one has the -- the only way to avoid this disaster, it’s to come together, to have a dialogue. There is no silver bullet.

>> CHRIS BUCKRIDGE: It is interesting to me to hear you use the word and concept of trust so much. I think trust is a concept that's become really central or used very much in Internet governance recently, I think it was part of the theme to last year's IGF actually and it is something that we hear sort of in the concept, the trust between the members and stakeholders. I think -- well, what I'm interested to hear from you, in the lack of that trust between, say public policymakers in the Internet community, technical community approach or the technical community, lack of trust in public policymaking approach, do you see specific characteristics that are impairments to those trusts or do you see strategies that would help build the trust across those eye lows that you're identifying?

>> WOLFGANG KLEINWACHTER: Two examples of policymakers, they really ignored the advice from the technical community, which undermines trust. First thing, it is Germany.

We have a law, you know, which in Germany it is called the Facebook law because, you know, a broad part of the public are frustrated with some rough comments, terrorist information or whatever which comes via Facebook and the German policymakers said okay, we have an obligation to give to Facebook to clean this, to avoid bad content.

You know, it is nearly impossible to define what is bad content. We have legal content, illegal content, but harmful content is not illegal. That means who makes the decision what is really illegal? Normally it should be done by a neutral third-party, by a court, but if the government -- if the policymakers delegate this to the corporation and the corporation uses an algorithm, then, you know, it is a totally misunderstanding of -- you know, then you delegate a public policy issue to fully code without any communication. You know, how to build this. Or you take the legislation, which is also confusing and probably harmful. This is the legislation to get the sovereign Russian Internet. So, you know, you say, okay, we have to be safe against foreign attacks which comes to Russia, but the consequences, it is that the root servers based in Russia, now they have a conflict because they follow the rules set by the root server, there is a document with 13 principles that includes neutrality, impartiality for the functioning of the root server. It is now the Russian -- they say to the root server now, to the Russian root server operating on Russia, Russia first, and then what can you do? So this is creating mistrust. These two examples, if you look at the German example, the Russian example, there is lack of communication between code makers and policymakers creating mistrust. If you want to come back to a certain trust you have to promote the dialogue. If there are sensitive issues, then you have a reduced transparency and you can have confidential communication, but I think every technical person will understand that there are some areas which are so delicate that it should not be negotiated everything in the public.

If the principle wants transparency, dying Rhode Island, then you organize the pressure in both directions so that the policymakers, they're not so ignorant against -- with regard to the codes, and the code makers are more sensitive because there are bad things in the Internet and you cannot allow, you know, code promotes, you know, the criminal activities or other activities.

In so far, you have to work hand-in-hand, but we have still a long way to go until we have reached this trust within a country and on the global level.

>> CHRIS BUCKRIDGE: I'm not sure who has control of the slide here. Is it possible to put up the slide with the Slido QR code while I'm speaking? Please, if there are people that have questions that would like to sort of throw this open to the floor and to hear your questions or comments, perspectives from anyone in the room.

I'll let you have the mic.

>> AUDIENCE: Hello.

I would like to ask Wolfgang, thank you very much for the example of the German law on the Internet enforcement first of all.

But I want to ask you how in your opinion trust can fix this? I think there is a misunderstanding on how Internet content should and can be regulated because of the definition of harmful content and I think the application of the algorithms is not, you know, the biggest issue here. The biggest issue here, it is the Human Rights and safeguards and basically the absence of truly defined borders of illegal and acceptable, and, you know, this case, when they remove some things from Twitter it, all of these, I'm wondering how actually trust can help here if the ground for this law is very wrong per se and technical issues are on the top.

Did you understand my question? I know maybe it wasn't that clear. I just want to hear about the clear ways, you know, how trust can help and not only in the general concept of trust. I think the problem is there. I just don't see how trust can fix it.

>> WOLFGANG KLEINWACHTER: I think any content related discussion is slippery. There will never be a solution where we can say this is plus and this is minus. Content depends on context. You know, one statement could be in a certain context, could be seen as acceptable, and in another context is unacceptable.

My favorite example which I use in my lectures, it was the conflict between the New York Times and President Nixon when the Pentagon papers were brought to the New York Times and the New York Times said, okay, it is our right, the people have a right to know about the lies of government and we have to publish the Pentagon papers and President Nixon of the United States said we're in war, this is a security issue, you know, security justifies the limitation of freedom of the press. The whole -- both sides had good arguments. The case went to the Supreme Court of the United States and they decided 5-4 in favor of the New York Times. So you can manage that complicated political issue, only case by case. You need the interdependence of the party. You cannot leave this -- the New York Times, the end of the President of the President of the United States of America. It is complicated.

There are thousands and millions of cases, you know. This is extremely complicated. To hand it over to an algorithm, saying, you know, do the work for us, it is complicated. On the other hand, you know, if I look into options which could help, you know, the first thing I have in mind, it is under ICANN. We have hundreds of thousands of conflicts on domain names and, you know, with the decentralized procedure, you have 90% of the conflicts on domain names that can be severed. If we have conflict related issue, 90% of the issues, they're really solvable in an easy way because the context makes very clear if you have an independent panel and they say yes or no.

The remaining 5% or so should go to a neutral third-party and not remain in the hands, neither the government if China tore in a private cooperation as in the Facebook law.

I don't know whether this satisfies you.

>> AUDIENCE: Sorry.

>> WOLFGANG KLEINWACHTER: This question has no answer.

>> AUDIENCE: Yes.

Actually, yes. Yes. I got your answer. I got how trust will play here. Yeah. Thank you.

>> CHRIS BUCKRIDGE: Since I asked for questions from Slido, we have two questions and I'll throw them out at the same time because they work nicely together. The first one that came in quite early when anonymous sender here, but it is what technical standards could benefit from more attention through public policy and in what way.

Then there is another question that's come in just more recently from Max from Google, he says do you think an open standard on digital identity and social networking is viable and worth pursuing.

The first one, it is a bit more open-ended, are there examples that maybe we can think about. The second one, it is public policy, interest and concern, do you see it as a space where maybe the standard might be pursued. I'm happy to throw it open to whoever has a ready answer.

>> GERBEN KLEIN BALTINK: On the second question, we have -- I think the platform meeting before last, we had digital identity as a broad topic on the Agenda. We tried to listen to experts from different universities, different backgrounds to see how we could work on something that would make it easier for all of us to gain again trust on identity, it either of an triple digits or an organization be it commercial or government so that you can have central ID or who is actually claiming to be somebody on social media. It was very interesting discussion. Not yet at the point of making any decision on a specific standard. We have heard great research ideas that are there, they're even available as demo and even as -- there are different ways to deal with digital identity that might actually help us forward.

We have not yet decided on what way we should try to promote that.

I firmly believe in avoiding fake news issues and a lot of that kind of stuff if you have transparent way of identifying, but always there should be a way to have the anonymous message as well. Not by accident perhaps that the first question was anonymous.

Sometimes you don't want to reveal your identity to just anyone. There can be a good reason for that.

>> WOLFGANG KLEINWACHTER: I'll add a bit to that. The second question reveals one of the difficulties that we're facing.

There is at least one, there are multiple open standards for digital identity and there is probably a champion as well. However, most of the interesting questions are not technical standards questions. Most of the interesting questions are the policies in how the identity is verified, what the requirements are for being anonymous, having a real identity, what the trust in the -- the assertion is the term of the identity, so on, so forth.

So technical standards is one thing. Of course, they should be -- they should enable certain policies without necessarily prescribing them in a way which means that there needs to be a cooperation and kind of an agreement. Sometimes the silos, the silos are a bit difficult because people try to develop these standards, whatever, not picking on any organization in particular, by second guessing requirements, or by not foreseeing the tremendous success a standard may have, that means that it gets used out of its primary purpose. That's the usual thing when we engineer and say this hasn't been designed for that, like the domain name system, it has never been designed to be universal, user facing string system with languages, so on, so forth. That doesn't mean we shouldn't use it like that today. It would explain, not excuse many of the things.

Let me maybe also go back to the first anonymous question, so, of course, attention is kind of a difficult word that scares me a bit.

Attention signals interest. The important thing is, before trying to regulate, it is important to understand not only a particular standard and what people think it does, but offers the ecosystem in which the standards, the standard, it will be -- it will be adopted or deployed.

Let me make that subtle distinction here. You mentioned the standards which is kind of a decision of a certain entity like your organization tonight saying, yeah, we're going to do IPv6 which you don't because you already have, but that's the one thing, deployment, it is the overall perspective on this, how do we see this on the Internet? That is something that policymakers should have an eye on and then engage into a discussion, what can or cannot be achieved by saying motivating the adoption of a standard or by suggesting certain steps.

There is a bad example in regulation, we hadn't mentioned DNSSEC already. The worst thing one can do, you make this a compliance dance and then say, well, by this and that date, everybody under our jurisdiction has to sign the DNSSEC domains and people can do that, there is a favorite example and I'm not quoting now, so what happens, everybody calls in the consultants, they set this stuff up, it looks like, okay, check, done, and then nobody uses this for a while until some people start using it and then they find out that these deployments, the adoption of standards have some technical flaws or issues on the operational side. Then the Internet breaks for a part of the population, quote unquote. It is hard to fix this, and of course once you have the incidents, the whole standard gets a bad reputation because it allegedly breaks the Internet. That's the extreme care and good motives don't -- and good motivation, they don't necessarily make good regulation. Yeah.

>> CHRIS BUCKRIDGE: Thank you. You have been patiently waiting.

>> AUDIENCE: I'm interested in the topic you're talking about. I'll focus on one, particularly the work, the code maker and the lawmaker, and it is kind of interesting for me from Taiwan to listen to the European, you're talking about trying to make an interface, a dialogue between the code and the lawmaker, and I really think about that, it is that even the code maker, the lawmaker, they are coordinated and maybe you're thinking about that.

At least in the European, you know, you have an independent system, and you really need to worry about is the code maker and lawmaker, is it the same one.

They're really the evil one, they're really trouble! And that actually is already happening. We knew that.

You know, so I think when you're talking about a code maker, a lawmaker, the difference in trying to find a dialogue, I think that's good. At least you have to recognize that the technical people also live in a society. You know, even, for example, the IT of engineer, they live in a society, they know what in society has happened. The real trouble we are going to face, it is about the one country, some country, the code maker, the lawmaker, it is the same one.

That is the reality. The reality that's the trouble for everyone.

Now only for other people, for their country, actually it is serious damage to the whole world, to the whole Internet in the world.

Thank you.

>> CHRIS BUCKRIDGE: It is interesting, the difference between the silos, the stakeholder groups being a healthy part of part of the system.

>> AUDIENCE: That's a point. It is different, but they may have a different view. You know, and even in Germany, they say -- we had mentioned about that, but at least you still have judicial systems. When you go to the court the judge will make a reasonable -- the final judgment or whatever.

Also the engineer has any standard, they're not closed at all, they actually opened the door. It they also live in a society, they listen to the different -- they may have a different point of view of the policymaker, but what I really worry about is not the one. The one that really worries me, it is this code maker it, lawmaker, it is the same person. There is really trouble.

>> WOLFGANG KLEINWACHTER:It is a good point. I thank you very much.

You know, the only -- we're moving from one problem to the next problem to the next problem. It is a never-ending story.

You know, one reaction to this, it is that we have to strengthen our accountability mechanism. That means if the lawmaker and code maker is one, and they make a decision, then we have to have reconsideration policies, we have accountability mechanism and things like that, all these things discussed. In ICANN, when we leave that alone, then we have to have mechanisms to keep ICANN accountable.

I think this is more and more, code and lawmakers, they have become united, then you have to strengthen the environment for accountability mechanisms.

>> AUDIENCE: It is based on the idea, when the lawmaker, code maker, it is the same one, there is disaster.

>> WOLFGANG KLEINWACHTER: I think of Siri -- but I'm an academic person and I have a right to speak about Siri.

>> CHRIS BUCKRIDGE: The next person on the microphone. You have been patient, thank you for waiting.

>> AUDIENCE: Thank you for this opportunity that I can state the question from the audience.

I come from Bulgaria. I represent the Civil Society organization, Media 21 Foundation.

So currently, with colleagues from other 14 European countries, my organization is involved in the European horizon 2020 project on social media and convergence. To one of the team, we're working on, it is the team for standardization. We explore this issues in Bulgaria, and we found a lot of interesting topics. My opinion is that this area is probably neglected and under explored.

I have to put my questions like this.

First of all, what is the opinion of respected colleagues on the panel about the prestandardization procedures, and what is the role of the prestandardization procedures bridging silos with the genuine standardization activities probably, but how do they see their role, and second to this, in my view, we speak a lot about technical standards concerning the Internet and for instance, this project tries to apply a more multiplenary approach, the problem is related to social media and convergence. We try somehow to see also this not only the technical aspects, but also to examine the social, the economic, the legal and political aspects of this process.

When we are ready, we'll present our results, but my question is, what is the role of this projects, and how do colleagues here see their impact generally on the standardization processes, and especially on European standardization activities.

Thank you.

>> CHRIS BUCKRIDGE: I'll throw it to the panel.

>> GERBEN KLEIN BALTINK: More or less by excellence. We had a staring Committee meeting a few weeks ago on what we call the secure email coalition and we have participants from societies, organizations, banks, Dutch Direct Marketing Association, people that are really in the ecosystem using email, but also social media for daily transactions. Part of the core business is how do I interact with my customer.

They see the tendency that it shifts from a direct order on a web shop or an email that's sent for ordering goods to using social media.

They start worrying about what kind of standards are applicable in social media and how can we make sure that they are trustworthy, that they are secured, that they are open, that if you don't have a lock in of a specific type of company that's behind the social media, so it was raised more or less as a generic issue. I would be really looking forward to see some results of your project to see what we can learn from that but we don't have yet an answer.

We're at the beginning of looking into what should we do, what can we do.

>> I'm not familiar with that project. It sounds very interesting. I would really like to learn more about that.

Getting some of the keywords here, when you mentioned prestandardization efforts, there is one important observation, of course, that standards don't appear out of the blue hopefully, but are themselves mostly a cooperative effort of sometimes even competing vendors, they're competing entities. However, in today's world, we observe interesting phenomena when it comes to deployment or even standardization we have entities that have a bigger power, of course, not only of being able to send more participants, engineers, developers, coders, whatever, to standards organizations, but also by being able to at a snip of a finger being able to deploy part of the newly developed standards to their population, the population includes both hardware and the people behind that. That usually gives you an extraordinary weight in being able to prove that certain things work one way or another, do or o do not do harm to the rest of the Internet, so on, so forth.

That's definitely an aspect to talk or think about.

The other part, because of the societal aspects, so forth, so on were mentioned, I'm not sure I got this right. At the risk of responding to the side of the question, at least in the ITF which I don't speak for, but I have some exposure to, there is an increased awareness at least for Human Rights aspects of protocol development and there is an effort in the Internet research task force to review newly developed standards or to be on the few standards, you develop most of the standardization work today, its maintaining and enhancing existing standards, but still in terms of central control, encryption, as vehicles for defending, enabling Human Rights as freedom of expression, right to privacy, so on, so forth, this involves experts of those fields -- what I'm trying to say, that is already approached in an enter disciplinary way by engineers talking to privacy issues, Human Rights experts, and that means the same -- that meets kind of the same level of difficulty that was one of the initial questions about the trust and trust has two enemies there, maybe we can get the bridge to the other topic as well, the enemies of the trust are different languages, that different communities speak and that makes it hard to communicate to each other and, of course, the complexity of the topic, not only the technical complexity but the complexity of the policymaking environment and also the complexity that is behind say preserving Human Rights and the whole -- the real life in that case. That definitely is complicated. If that doesn't answer the question, I would like to continue that offline.

>> CHRIS BUCKRIDGE: I was wondering if somebody would bring up the word that's going around, I know that Neil is onsite somewhere, but as an interesting example of trying to maybe modify technical community processes to be more accommodating of public policy concerns or public interest concerns. That's an interesting example..

We have a comment through the traditional remote participation.

>> We have a question, what is the role of Best Practice standards versus laws? Gives the country legal system and they'll each deliver differently.

If it is not clear enough, I have a question.

>> WOLFGANG KLEINWACHTER: Best Practice versus laws?

>> Best Practice standards versus laws? Probably aiming at standards coming from adoption, I think that's the Best Practice versus the standards within laws. This is my interpretation.

>> WOLFGANG KLEINWACHTER: It is simple, a law is adopted by parliament, it is legally binding legislation.

Best Practices, code, the ITF, voluntary standards, power, it comes from the general respect of the community. It means if everybody follows the standard, there is no need to make it legally binding because it is in your own interest, it means that -- that's my understanding from Best Practice.

If you see this works in one country, and so this is good practice there, by the way, I prefer good practice and not Best Practice, because Best Practice means it’s just one model. The best one.

You know, you have good practices and you can be inspired by a number of good practices and then to find your own solution for it. It is not legally binding but it is a guideline which is helpful and sometimes can be more powerful than the law because often laws are ignored or irrelevant or trust remains on paper and nobody is following as long as it doesn't come to a it concrete case that you violate the law and get a conflict through the court.

Best Practice, it is extremely helpful, instrumental, good practice in the Internet world where you have such a flexibility because law, although it is aimed to bring stability to a process, and sometimes legislation reduces the flexibility for innovation and that's the way to speak about innovation without -- it means that you have not to the go to a place and to get permission to innovate something.

This has been regulated in a law.

So far, laws are good legislation, they're needed, but it is just one element in the much broader picture where you have a lot of voluntary codes, guidelines, flexible elements like good perspectives.

>> CHRIS BUCKRIDGE: I guess we have also maybe a bit of a Spectrum in terms of saying ITU recommendations for being between the two. I'm often incorporated in national legislation but coming from maybe slightly more technical development process, but -- yeah.

>> PETER KOCH: I was going to add that first of all, Best Practices, good practices, we can argue about that, our practices, which is that obviously things that people already do. To that extent, they work and being qualified as Best Practices, they should work well and they can be change. They do change over time actually because often it is called best current practice, at least that's the trade name that's used and these are again changed over time. Maybe quicker than what at least I as a non-lawyer would expect from laws, it is that it should not try to follow every trend to quick -- too quickly but should be broader in perspective or more abstract in viewing a particular scenario.

So one cannot be a replacement of the other. It is like you have traffic rules, you have them he encoded in law and regulation and then the practices that hopefully most people follow those and then there are these tiny tricks where people do things that don't violate the law but they're not encoded there and it is just good practice as ins waving rights to go over something like that.

Different angles actually.

>> There is a very good Example of Best Practice of the Internet standard, thinking of it less than 30 years, almost everybody already can get on the Internet, I think that's Best Practice, but actually I have another question, it is in just a few minutes ago when you were talking about the -- it is my personal opinion, it is my personal view, I think that this is just too late. We just kept pushing that DNSSEC and it doesn't help. It is a waste of resources. Even though -- I was involved before, I promoted DNSSEC, but to be honest, as a technical, I think DNSSEC just is too late, it is a very difficult to accomplish the original purpose.

>> CHRIS BUCKRIDGE: What is your proposal?

>> GERBEN KLEIN BALTINK: You have DNSSEC plus plus?

>> I think that the technical people know that. The resources. It consumes a lot of resources. To certify for the domain name, the original purpose, it doesn't help anymore because of the Internet environment, it is more complex than what we think about. If you are excelled to use the domain name and the IP address, it may be KPI, it is possible to be success, because RPKI, it is introduced much earlier -- well, I mean -- before the trouble happened, we began to work on this. And RPKI tried to prevent people hacking the IP address and then maybe can help. But the DNSSEC, to be honest, I think here as technical people you know that it is just too late.

>> CHRIS BUCKRIDGE: Possibly if I could take it to another level here, a bit more generic level, the question I think that stems from that for me is when there is a public interest in having something, some security, some aspect of the Internet secured and there is a failure, let's call it that, on part of the technical standards technical community to make a standard that's adopted --

>> And to code off --

>> And then what is the next step? The public interest, public policymaker, they have a clear interest in this, technical community hasn't come through, what's the next step? What happens then.

>> PETER KOCH: Tough question. Trying to -- I would agree that the DNSSEC has problems at a large scale. I would also think that we as the technical community, the Internet community at large and, however, you phrase that, we haven't done the best job in explaining the necessity.

We have for too long been trying to explain that this is making websites even more secure and so on, so forth.

Whereas, the benefit of this, it helps make the DNS a -- I need to I plain what I say now in -- I need to explain what I say in an additional sentence. Bear with me. Make it a fully reliable building block in the Internet architecture. When I say make it so it doesn't mean that the DNS is not reliable today, but one of the issues, it has into the addresses, it is that the authenticity is not in there.

That doesn't necessarily mean that there is a practical problem today, we do have lots of labs, experiments to exploit the vulnerabilities.

But on the practical side, talking about Best Practices, many of these have been addressed.

New ones come up. This is all -- this is Band-Aid on Band-Aid on Band-Aid.

DNSSEC would be the best engineering way that we could come up with to address the problem at the very technical core, root -- not the root of the domain system but the root of the problem I should say. However, again, we have been relying on the market making this happen. There is no market for this. DNSSEC is not a product and this is the core question.

We do have standards where we know they should be deployed, same holds for v6, the pressure is bigger, no v4 anymore, but on whatever market next time. But the pain, it is not felt enough with DNSSEC. If we just rely on people will get interested in this by the next incident and so on, so forth, no websites are secure, we have this, we've that, that's not the part, it is a very, very subtle or different piece of the Internet architecture that's far, far away from websites which is important to make it possible to rely on DMS for other things like Dane, as you mentioned, that makes email more secure, and so -- we have -- I'm sorry, that's the computer science education. We have a lot of indirections here and that goes back down.

I can't explain or can't sell this to you, you need to have DNSSEC because it helps you make Dane, whatever that is, and that makes -- that final part should be obvious, making email more secure, making it more reliable, helping people to encrypt email in transport at least, these are achievements. Now you learn by the way I'm not a marketing person, but this is something that we need to further explain and to get it -- to get it disseminated.

>> Let me make it easier.

>> Okay.

>> Because the DNSSEC, from ICANN, now the question is, do you expect the government to have policy to ask, you know, in the industry only of the computer system to install the DNSSEC? This is a difficult problem right now. Many governments around the world, because ICANN, what you have met, the security, making it better, the document name, it is more secure, you will continue to hear policymakers, they'll continue to ask at least to me do we enforce the DNSSEC implement to every machine? To be honest, I can answer and say yes. Even I can -- I come from the ICANN board, I know this is just too late from my point of view, that hard line, it is gone.

Just like you say, the DNSSEC no model to make it survive. So to make the question easier, are you hear to tell all the government policymakers they should enforce the DNSSEC or you still have question about it?

>> You raise a very valid question. We're lacking interest in general to implement security or things that protect us in general when it is really necessary. We do it often afterwards.

If you look at safety belts in car, we have been using cars for many years before the first safety belts were there, still today, in the Netherlands, where it is obligator and throughout Europe, you will see a few people not using their safety belt in the car.

They are a real exception. A real exception.

Has it taken too long? I think it has taken a very long time.

The big campaign in the Netherlands, it started in 1974, and you still will see signs in the streets and around the highway asking people in their car to use their safety belt so implementing standards does not come from me asking the Dutch people to do it and then a few days later it will be there. Not going to happen.

That's not disbelief in my capabilities, but that's reality.

What we do see, the Dutch government does require, I'm not speaking on behalf of the Dutch government, but I can explain it -- they do require DNSSEC in every new solution they ask for. So the Dutch government says whatever you deliver to us make sure this is in place.

We now see a movement in Europe where governments are talking together on secure email and what is called a new initiative where they say, well, we should sit together and have our governments together ask the main suppliers to implement the DNSSEC. At the very small level, in our Dutch Internet standards platform, we have invited the large, the big five, and then often the Dutch representative comes, they come, join us, listen to us, they can actually tell us that they are working on making sure that in those big -- you can understand what I'm -- what I was going to name, not any brands, but the big ones, they're really willing to implement it within the next few six to nine months. If they're doing that, then a lot of end users will have the benefit.

If everybody with then start doing this DNSSEC on their own, I completely agree, it’s a lost case.

I still have the belief that it is a solution we can use within the scope of the next one, two, three, four years, it is not the end solution, and if we think about how that could be done differently, we may be talking about a complete new vision on Internet architecture on what we want to achieve with the Internet and for us, it is simple, we just want an open, free, secure Internet and we need some standards and they may not be the magic, the silver bullet, the magic solution to all of our issues, they, at least, will raise the level of security and the level of awareness, and therefore protect many users in using visiting domains, using sending receiving email and that's the reason I still support it.

>> CHRIS BUCKRIDGE: We're going to the end of the session here. If I cutoff the panel, we have one last question, you have been patiently waiting as well. Let's let you ask that.

>> AUDIENCE: Thank you. I'm from Austria.

Two questions for Gerben Klein Baltink, coming back to the beginning, where you said we need to bring the technical and policy conversations together in a more systematic manner, how do you evaluate the E.U.'s performance on this over the last 30 years after the treaty and how do you project the E.U.'s way forward on this? In other words, can or should this conversation be brought under the roof of one single institution, or would this be a faulty idea to begin with.

And my second question is, can the Internet governance community learn anything from the climate transition community in bringing these two worlds together? The technical and the policy worlds?

>> GERBEN KLEIN BALTINK: Good question and it is always difficult. I give marks to the policy of the European Union with its A, B or C. So I this I that the European made progress, if I compare the European Union Internet poll sip in the 1990s, there was nothing, and they have evolved, they have a number of good Commissioners, sometimes they came with proposals, I don't know if you remember the 10 +1 proposals and the intergovernmental council, it was with ICANN as a non-state actor in the council, the Commissioners, they often had ideas which were unrealistic. But from the speech that was given this morning, I feel encouraged that there is more and more in a new generation, probably women, now understand the issues much better than the older ones and it is up to the new commission and we'll have that in a couple of months new Commissioners to take the next step.

Sometimes if you discuss with people from the understanding, the multistakeholder, it is a multiparty negotiations between the parliament, council, commission, the multistakeholder approach, it means the really open consultations with all stakeholders from the private sector, it is a little bit underdeveloped in the -- they prefer to talk to the lobby organizations from the private sector and they listen to Civil Society uproars in the streets if I see the debates on copyright reform. In the end of the day, all of this is ignored and it is top-down, that means let's wait and see what the new commission will do.

Personally, think that climate change and instability in cyberspace, they're different, you can't compare them, but if the young generation for the future are arguing this is the future, climate change and if you ignore this, then we will have no future, I can't imagine just assuming that young people will be in the street saying this is the future, cyberspace is our future, if you are unable to create a stable cyberspace which offers freedom and security and openness, so in so far, yes, the teenagers of today, they can learn something from the future developments if they look into policymaking for the Internet in the next 20 years.

Let's wait and see.

Again, let's see what the nut commission will say. My information is that the commission for the Information Society, it has to be a vice President of the commission or something like that. It is not a job I can do with the left hand. It is crucial for the future of the European Commission, in particular because Europe is risking between to be sandwiched, the 2020s, it will be a technology war between China and the U.S. and the Europeans will either watch or become sandwiched or push for the rule of law. So far, it was good to hear saying, okay, what the Europeans can bring to the global debate, it is the rule of law. That's -- that would be a good contribution.

You.

>> CHRIS BUCKRIDGE:

We have 6 minutes left according to my Apple it device here. We have had Cedric Amon pulling together brief messages that attempt to summarize, capture the spirit of the discussion in quite a brief way.

They're on the screen here. We'll leave them there we'll post them to the wiki page, if you have comments on them, think there is something missing, something that should be tweaked, you can certainly make those comments via that.

Yeah. I think we'll leave those there and leave them on the screen.

I'll sort of ask for final comments briefly.

>> GERBEN KLEIN BALTINK: The only thing to repeat, let's make sure together that we keep the Internet open, free and secure and do our very best to achieve that.

That will not be an easy thing to do.

It should be our mission.

>> PETER KOCH: Yeah. What you said. Maybe trying to respond to a final question there, it is clear that the well-intended interference of regulation with the standards can have unintended side effects on the stability of the network. At the same time, that does not imply that technical standards of the Internet itself is outside any regulation forever and for all.

There needs to be a dialogue in that direction or on that topic as well.

We are here to continue that.

>> CHRIS BUCKRIDGE: Final word for you?

>> WOLFGANG KLEINWACHTER: More dialogue. Dialogue, dialogue, dialogue.

>> CHRIS BUCKRIDGE: I agree.

Ironically enough, we'll cease the dialogue now for at least this session.

Thank you to all three speakers. Thank you to our message taker and our remote moderator. Thank you for joining and taking up the invitation to join the discussion.

It has been a pleasure. I hope -- I think it has been a very interesting session.

Thank you all.


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.