Multistakeholder approach to fighting cybercrime and safeguarding cyber security – PL 05 2013

From EuroDIG Wiki
Revision as of 12:59, 12 November 2020 by Eurodigwiki-edit (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

21 June 2013 | 14:30-16:00
Programme overview 2013

People

Key Participants

  • Sophie Kwasny, Council of Europe
  • Richard Leaning, Europol
  • Michael Rotert, eco
  • Christine Runnegar, ISOC
  • Pedro Verdelho, Cybercrime Office within the Prosecutor General’s Office of Portugal

Moderator

  • Tatiana Tropina, Max-Planck Institute for Foreign and International Criminal Law

Reporter

  • Nicolas von zur Mühlen, Max-Planck Institute for Foreign and International Criminal Law

Messages

  • Noting that there are different approaches to the legal frameworks for cyber security and cybercrime, such as Council of Europe conventions and the possible approaches from the ITU and UNODC.
  • Noting also that the cyber security problem is a powerful tool that needs safeguards to be implemented to keep the balance between government intervention and data protection.

Session report

The aim of the workshop was to discuss technical, legal, regulatory efforts to tackle cybercrime and safeguard cyber security from the perspective of the technical community, industry, law enforcement and international organisations. This approach was reflected in the selection of key participants from Council of Europe, eco, Internet Society, Portuguese law enforcement.

The plenary discussed the recent developments in multi-stakeholder environment such as public private cooperation in fighting malware, botnets and child abuse online, trans-border access tot he stored data from industry and law enforcement prospective, the need for striking a balance between privacy, data protection and government intervention. The main controversies of the discussion were focused on the issues of the failure of mutual legal assistance mechanisms and the different perspectives that industry, civil society and law enforcement agencies have concerning the validity of law enforcement requests. Different approaches to the legal frameworks for cyber security and cybercrime, such as Council of Europe conventions, the possible approaches from the ITU and UNODC. The cyber security problem was considered as a powerful tool that needs safeguards to be implemented to keep the balance between government intervention and data protection.

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.


>> TATIANA TROPINA: So, can we start now? And I think if someone is still at lunch, he or she can join later.

So all welcome to the plenary session, which is devoted to the multi-stakeholder environment fighting cybercrime and safeguarding cybersecurity. Just before lunch we had a workshop on the issue, which was a bit overlapping. So for those who attended this workshop, this plenary might be a nice follow-up of the workshop. But otherwise, we are going to discuss with you the multi-stakeholder environment and fighting cybercrime and safeguarding cybersecurity.

And one of the multi-stakeholder aspects we have already got on the panel is the composition of this plenary. We have got stakeholders from different sectors. So, we have got an International organisation, Council of Europe, Sophie Kwasny.

We have Christine Runnegar from the cybersecurity and technical community, which is the Internet Society.

We have Michael Rotert from German Eco.

And we have got Pedro Verdelho, law enforcement agencies, prosecutor from Portugal.

Unfortunately, we are missing one speaker, which was announced on the plenary, but unfortunately he got sick, Richard Leanng, so we all wish him to get well soon and we are missing him. But nevertheless we have to proceed.

And I would also like to mention that we are not focusing only on the panel. I would like not only our panelists, our speakers, to be the stars of this session. I would like you to participate. So after each statement of the speaker, I’m going to accept one or two statements, not questions, because we will leave this for the discussions. But every time when any of the stakeholders will make their statements on cybersecurity and cybercrime, please feel free to raise your hands and to add anything you deem to be necessary.

So I asked our speakers to deliver short statements about their concerns, ideas, some positive developments, negative things that they as stakeholders experienced in the field of cybersecurity. And I believe that we will start with Council of Europe, because for many people cybersecurity and cybercrime are still connected to regulation, to the Government intervention. So I believe that in terms of stakeholders, we can start with International organisations, law enforcement agencies, and then switch to Civil Society.

So, Sophie, you’re welcome to make your statement.

>> SOPHIE KWASNY: Thank you very much.

Good afternoon, everybody.

Is it working? I don’t think so.

It would help. Is it working? Yes.

Good afternoon, everybody. So indeed I work for Council of Europe. I would already start by mentioning that I represent the Secretariat. It’s the Data Protection and Cybercrime Division. It’s not a chance that those two issues have been brought together and I will come back on that later on.

So I do not represent the Committee of the Parties to the Budapest Convention, which is called the T-CY.

So, indeed, we were asked to present our take on either challenges or positive developments. So I will refer to the work that is being done by the Council of Europe in the field. And there it is reporting on what the Committee you mentioned, the T-CY, is doing. In light of the constant technological evolution and developments that occur in the field of cybercrime and the fact that the Convention dates back from over a decade ago, already, this Convention was drafted in technology terminology precisely to stand the test of time. This doesn’t mean that the new technologies and the new threats are not covered by the cybercrime Convention, and precisely the Committee of the Parties has been working on a number of interpretations and adaptations of the provisions of the Convention to new threats.

So I would like to mention some very important work of Committee. Those are guidance notes that you can find on the Web site of the Committee. And they concern a number of specific threats. You have a guidance known on identity theft and phishing in relation to fraud. Guidance note on botnets. One on critical infrastructure attacks. One on deducts attacks. Another one on new forms of malware, so that is to cover worms, viruses and trojans. And one I’d like to come on to is access to data, transborder access to data.

This guidance note refers to a specific article of the Convention, it’s the Article 32. This article is very, very topical and being discussed at the moment. The Committee recently at the beginning of the month held a hearing with the Civil Society, private sector, and the Internet technical community, that was represented, too. The idea is to enable that this provision, which is about accessing data which is held by another party, that this evolves with the needs of the law enforcement.

At the time when this provision was drafted, the consensus and the text that was adopted was about handing over data on the basis of consent or data that would be publicly available. So the T-CY has identified that there was a need to go further than this. So they started working.

So the first step was, indeed, to open up the doors to other actors in the field. Further, to this public hearing, which was held on the 3rd of June, the Committee of the Parties met for its plenary meeting the following days. And the Committee of the Parties decided to draft or to prepare an additional Protocol to the Convention. So now the real work will start for the T-CY, and for its group that is interested with this work.

I mentioned to you that, indeed, I’m in charge of both data protection – I’m part of a division that is interested with both data protection and cybercrime. And this is to make very clear the article of the Convention, which is article 15. This article was about conditions and safeguards. It is to make sure that parties that are acceding to the Convention, when they enact their domestic legislation and the powers and measures that are put in place in fighting cybercrime, also consider and respect human rights.

For the Council of your Member States, we have the functioning of the European Convention on Human Rights as a safeguard and the courts. But this is really crucial for nonMember States of the Council of Europe.

In this regard, the Council of Europe has another Convention, which is the Data Protection Convention called Convention 108. And it sees really the promotion of both instruments together as something very important precisely to give some flesh to this Article 15 on conditions and safeguards.

So to come back more specifically, also, to this Article 32 on transborder access to data, the current notion of consent is something that, in terms of data protection, can raise some difficulties of interpretation. We have in data protection the notion of consent. It’s the consent of the data subject. Here in the Budapest Convention, the Article 32 mentions the fact that it’s the person who has a lawful authority to disclose the data. So there we see maybe a difference in approaches, and this will certainly be addressed by the work of the Committee.

Another point to mention about the need that has been identified by the Committee to work on this issue is that they are basically trying to put a legal frame to something which is happening. It’s the wild west of data. Data is being accessed. Those are facts. The current news are confirming that. And the idea of the Committee is really to put a legal framework in place that would protect also the individuals.

Finally, if you can just let me mention an important event for the Council of Europe in the field of cybercrime, that is our conference which we hold every year in Strasbourg. It’s an International conference and this year it will be held in December. I think it’s the 5th and 6th of December. So you are all invited to attend this event.

And last mention to an instrument, a declaration by our Committee of Ministers that was adopted ten days ago on digital tracking and other surveillance technologies. It has already been mentioned during EuroDIG. As you can see, Council of Europe and the Committee of Ministers is very, very reactive to the news.

And I will just mention in particular one aspect of that declaration, when I say we are reactive, it was a joke, because this text had been prepared for a while already. It had been tabled on the Committee of Minister’s agenda, and it’s just a chance for us that it was adopted just after Snowden’s revelations.

There is one call for the Member States to act, and it is to draw attention to the criminal implications of unlawful surveillance and tracking activities in cybercrime and the relevance of the Budapest Convention in combating cybercrime. So the Conference of Ministers reacts strongly, because indeed legal access to data has to be sanctioned under the Budapest Convention.

>> TATIANA TROPINA: Thank you very much. I would like to ask the audience, have you got any statements so far concerning the recent developments of the Council of Europe’s side? Is there anyone who attended this public hearing on transborder access in Strasbourg?

You. Okay.

So if we have got no statements so far, I will pass the floor to another member – actually, of T-CY, of the Council of Europe Development, but at the same time who is working on the law enforcement side. Pedro, could you please share your concerns with us, your developments, what you think about your own fight in cybercrime.

>> PEDRO VERDELHO: Sure. Thank you very much. It’s very good to have the Council of Europe here. Thanks, Sophie. And I say that because, with all respect by other International organisations, the Council of Europe is now the most important institution working worldwide on cybertopics.

The Budapest Convention was endorsed by almost 60 countries. And we already heard the ongoing work on that. So thanks to the Council of Europe for attending this meeting and sharing some ideas.

Now, regarding cybercrime and investigating cybercrime and enforcing cybercrime, five ideas to begin the debate.

The first one, it’s absolutely clear for everybody that cybercrime is something International. It – any investigation of cybercrime is international, absolutely.

And so, the second idea, it requires a global approach. It’s an illusion to investigate locally. You cannot investigate in your local law enforcement agency, simply you cannot, because it’s International.

And this raises the third idea. The third idea is the failure of the traditional International cooperation methods. I mean, you cannot use efficiently International cooperation tools on cybercrime cases, because you cannot do that on time. You cannot do that properly. You cannot use Robert’s Rules letters like the other cases because they are useless on time, and that’s the third idea.

And the third idea runs to the fourth idea. We need another approach to international cooperation. Because these are International cases and the traditional way to approach International cooperation does not work on this field. So we need another approach. We need new legal perspectives, new legal possibilities.

And here, I understand again the Budapest Convention, that is already in place. And that already describes some quite interesting International cooperation tools, new tools.

The last idea goes farther. Besides those tools, we need another approach to transborder access to data. You cannot investigate cybercrime only with International cooperation, even if you have quite flexible tools, quite new tools, revolutionary tools, that is not enough. You need transborder access to data.

Otherwise, all the cases in your country are International cases and require International cooperation. So we need to draft something, we need to imagine something more flexible to allow law enforcement agencies to obtain data stored outside the territory of their jurisdiction.

Information, nowadays, by many ways, law enforcement agents from a lot of countries can obtain information from other countries without International cooperation. For example, if a Portuguese police wants to obtain subscriber information from Google or Microsoft, they can do that and they do effectively do that directly to Google or to Microsoft.

But now regulations on this, as you mentioned, as you underlined, Sophie, this is something like the wild west, because everybody is doing what everybody agrees to do, but no rule, no safeguards. Most of all, no safeguards. Everybody is doing that with discussion as the standard of safeguards that must be observed in that activity.

So these are five ideas to discuss. Probably the first four are quite quiet. Everybody can accept them. The fifth is not so peaceful. Thank you very much.

>> TATIANA TROPINA: Thank you very much.

Are there any comments so far on – yes, please. Can we have a microphone?

Thank you.

>> AUDIENCE: Hello. My name is Amaya Gorostiaga. Now I work for the Swiss Government.

I’d like to echo some of the points that Mr. Pedro Verdelho made. Basically, law enforcement faced a profound paradigm change in crime fighting when it comes to cybercrime. First off, the crime scene is not one place anymore. It used to be that the perpetrator and victim were together in the same place at least at one time when the crime was happening. Now we have the actor in one country, the victim or victims in several other countries. And the evidence is with third parties, with private industry on some servers.

So this raises the question of the different jurisdictions and how to actually gather evidence from these different jurisdictions.

The mutual legal assistance process wasn’t designed for cybercrime or for the speed with what cybercrime actually happens. So that is also where the wish for transborder access to data actually comes from.

Further, the dark field is rather big. So a lot of crimes don’t get reported because they are just – the loss is minimal, maybe it’s even below 100 Euros, so the efforts or the wish to prosecute them or first to report it is not so big. And also to prosecute it is like well, it’s a minimal loss, so we would rather investigate bigger cases.

Another point I would like to make is if you are an ISP, a service provider of service, not necessarily access provider, then you have terms of use, terms of acceptable use or terms and condition, whatever. You find out that they are violated. If they are violated, quite often this is also a criminal offense. Police report that to the police, and ideally establish contact with the local or national high tech crime unit beforehand so you know where to go and who understands. Because if you go to the local police station, these police officers usually don’t investigate cybercrime.

There are guidelines for law enforcement and ISP cooperation, which can be found on the website of the Council of Europe, which give a lot of good ideas on how to cooperate.

So just to, a final point to mention again, even if one crime happens to one victim and the loss is minimal, if you count together all the victims of one perpetrator, this can easily go into the millions. But if we don’t have a report from the victims or from the ISPs, then it still seems to be a minimal crime. But if we get a picture in a country already or even better in Europe or around the whole world, then we will get actually the real picture of how much damage this crime has caused.

>> TATIANA TROPINA: Thank you very much. Concerning transborder access, I don’t want to play devil’s advocate and I don’t want to ask questions right now, but just a point to think about for the future discussion. Not all the countries in the world and not even all countries in Europe are party to this Treaty. And I wonder, because I see the representatives of Russia, in the audience, if you can make any comment on transborder access or cybercrime Convention. You can save this option for later, because I would really like to hear different perspectives. Because yes, we can agree that transborder access is a hot topic right now. But from the jurisdictional point of view, if you think about access to data, about this legitimization of the wild west, it might have an effect on the third parties. And here we are entering into some great area.

So shifting from Government and law enforcement and International organisation perspective, to the industry, I would like to pass the floor to Christine Runnegar of the technical community, Civil Society.

>> CHRISTINE RUNNEGAR: Is it switched on? Great.

So first of all, we really started off with a fantastic discussion, and I would really like to complement the Council of Europe for its strategic thinking in putting together the data protection and cybercrime, and thinking about what are the safeguards needed for transborder access to cybercrime.

I want to talk about the things together for the development of a Protocol, and this is not only an opportunity to deal with new threats but also an opportunity for those members of the Council of Europe to say to the rest of the world and to themselves, okay, this is what is acceptable and this is what is not.

But my job this afternoon, I should say, is to broaden out the discussion. We have been talking about cybercrime. But now I’m going to take us to the other part of the discussion, which is safeguarding cybersecurity. It seems a little broad, so let me rephrase that as safeguarding the Internet.

The first thing is that, basically, experience shows us that in a quick evolving environment, such as the Internet ecosystem, the most effective, the most flexible, agile way of dealing with things is to use an open consensus based participatory framework, whatever that might be. And it’s essential that we have a culture of respect for the contributions of all stakeholders. And we talk about stakeholders in a category in part because it’s convenient. But it’s important, and particularly in light of things that are happening, to keep in mind that within a stakeholder group interests may not be uniform.

And I’ll pick on Government because I’m not here to represent Government. So you can imagine that you have a Department of Economic Development, a Department of Communication, a Department of National security, a Department of Law Enforcement that may all be involved in developing policies that relate to the Internet, yet they have different objectives. And that is going to influence the way they discuss these topics.

The focus really needs to be placed on identifying the agreed problem and finding the solution. So in that sense, the contributions and the contributors are not the focus. Hopefully, if you take this approach, it’s going to be more neutral and again hopefully there will be less political posturing.

So with that brief introduction to the framework, I thought I would just talk about security of the Internet ecosystem from a nonlegal perspective. So if we think about it, traditional approaches to security, we’re principally concerned with external and internal threats and the impact that they may have on our own assets. So, basically, threat based and self interested.

But there is a growing recognition that a security paradigm for the Internet ecosystem should be premised on protecting opportunities. And those opportunities might be protecting economic and social prosperity as to a model based simply on preventing harm. So to quote someone else, basically, it’s about protecting what you value, not stopping what you oppose.

Furthermore, there seems to be an appreciation that security needs to be approached from the perspective of managing risk. Keep in mind there is no absolute security. There will always be threats. So our concept of security has to reflect this reality.

And when we need to think of secure, we need to think of secure in terms of residual risks that are acceptable in a given context. And in this sense, resilience provides a very important metric for evaluating cybersecurity efforts. And the Internet with its connectedness and independence needs to bring about risks. Security of the Internet depends not only on how well you manage risks to yourself and to your own assets, but also the impact that your action or inaction may have on the Internet ecosystem. So those so-called outward risks.

And, additionally, some of these risks are going to need to be managed by more than one actor. And this is shared responsibility. And this is well aligned with the nature of the Internet.

So that sounds easy, right? Well, the problem is that it’s human nature for us to act in our own individual self interest, but that is going to be counter productive and ultimately harmful to the Internet ecosystem and will reduce the common pool of benefits, economic and social, that we derive from the Internet.

So just finally, before we move it back into the area of transborder data flow, let me say that you have to also appreciate that real security can only be realized in a broader context with trust and respect for fundamental human rights.

Thanks.

>> TATIANA TROPINA: Thank you very much. And are there any statements from the audience concerning what has just been told?

>> Two.

>> MICHAEL ROTERT: There was a lady over there.

>> TATIANA TROPINA: Sorry. There was a lady – no? No? Okay.

So we can listen to another representative of technical community, Marco, please give us your perspective.

>> AUDIENCE: Yes, thank you. And I would actually like to build upon what Christine said. And from an operational perspective, we have to be, in these kinds of discussions, be careful that it doesn’t become a case of us against them. Law enforcement against network operators, law enforcement against the Internet community. There is not a single ISP that really likes his network to be abused for criminal activity. We’re in this together and we have to show it together. So as Christine said, it’s multi-stakeholder in these platforms, and the public/private partnerships are vital in solving this. We have to work together.

And that also means building trust. Trust from law enforcement, trust from the public sector, that the industry is capable of doing something about it. That the industry is capable of taking some actions themselves. And trust for the industry that where they do need law enforcement to step in, where they do rely on the public sector to take action against people, that those actions will be taken.

And if I take it one step back to the previous speaker, who talked about transborder data access, again what we see a lot in operational – and I myself work for the RPCC, and we deliver services to members in 76 different countries. So we often get requests that come from one of the 76 countries. Unfortunately, I also have to stick to a legal framework there. And I’m based in Amsterdam and I fall under the Dutch jurisdiction. One of the things is everybody can phone me up and say hey I’m a police officer. Everybody can send me a letter and say hey, under this and this law, we require you to give this data. Unfortunately, there is no way for us to validate those 76 requests. So we have to work a bit on trust. And in terms of transborder, because a lot of times probably there is no way for us to verify where that request comes from, other than go through your inlet process and prove that this is a legitimate request. So that is where one of the challenges is. Not only transborder access but also find a way, and unfortunately Dick is not here because I had a really good discussion with him yesterday about setting up a verification framework to support those transborder requests.

How can you verify that the guy calling you as an operator is really what he says he is? That he is legitimately asking for data and is asking by law?

>> TATIANA TROPINA: Thank you. So there is another point to discuss later, maybe. One more statement?

So – oh. Mr. Demidov.

>> You were looking at me when you said there were members of Russian. I’m representing the nongovernmental industry. But if you want to hear comments on transborder access issues and on Russia’s aspect concerning the Budapest Convention, I wouldn’t be able to say anything really new, because the position has not changed since the early years, since Russia refused to become a party of the Convention, due to concerns related to the Article 32, which was already mentioned today, and particularly the paragraph B of that article.

And the reason why we did so, why Russia refused, was that the mechanism of access and receiving information through a computer system in one party’s territory located in another party’s territory, could be misused, or excessively used by, say, special services for another party state or something like that.

So it finally led to national security concerns. And as it was correctly mentioned by the previous commenter, there is still the issue of transparency for requests to transborder access to data. In the absence of established mechanisms of providing such transparency and providing the criteria to ensure the legitimacy of a request, these national security concerns cannot be just eliminated or ignored. I’m not 100 percent justifying and supporting Russia’s position, but on the other hand we couldn’t say that it has no things to fix. It has, in fact, and they are quite clear. I already described them.

Speaking for another prospect, what Russia proposes, instead, is some global mechanism. Global mechanism, global framework for fighting cybercrime Internationally, using the United Nations as a platform for adopting a universal Convention on fighting cybercrime.

One reason which is used to justify and to promote this approach is that despite the fact that the mechanism of the Budapest Convention is now applied far beyond the geographic borders of the European region, and it’s promoted on the global self level, it still doesn’t encompass many members of the International community. And there are still gray zones and a huge number of UN members of Nation States which are not parties to the Convention. While adoption of a universal United Nations Treaty or Convention on Cybercrime would allow to cover all Nation States by this mechanism, and to make it really universal, to make it comprehensive in geographic terms in this sense, and to eliminate such gray zones where the mechanisms of cooperation are absent, these issues need to be discussed. And I’m sure that we will hear more discussions and more negotiations on the International level on those issues, because Russia is going to finalize and to present the project of such a Convention, though it’s not clear when it will happen but it will happen. And then we will have another agenda to discuss and to bridge our approaches. Because both of them could be questioned. Both of them need to be discussed. And we cannot say no one from the official structures in Russia can say that the Budapest Convention is totally useless. Everyone is saying that it was useful. Okay. I’m just shown that my time – I’m out of time.

>> TATIANA TROPINA: Sorry.

>> AUDIENCE: The Budapest Convention is accepted as a useful tool. It’s played a huge contribution to the mechanism of International fighting cybercrime, but it has its limitations and that’s why Russia is promoting a universal approach.

>> TATIANA TROPINA: Thank you very much for your statement. I’m sorry I was cutting it just a bit for time concerns.

I will give the floor to Michael, because we are attaching now the corrections of transparency and handling the requests, and data protection, and we all know that recently the big issue of PRISM came all of a sudden. So we were supposed to have a speaker from Google here, but unfortunately, we followed the rule that one speaker can be presented only on one plenary. But we have Marco Pancini in the audience and I really would like to – you to make the comment from the floor on transparency on handling requests.

Because we have got the perspective on verification of MLATs, so what do you think about this?

>> MARCO PANCINI: These are topics near to our sensitivity, since Google’s focus to the user is very important for us. We put the user first. We build that relationship of trust, based again on the services that we provide to the user, and on the other side, the trust that the user gives back to us in giving these services in a fair way.

This is why we believe that the framework, the existing legal framework that we are having in front of us, should be taken in consideration as a point of reference. So when we discuss about law enforcement requests, we need to take into consideration the due process of law and all the consideration that was done also from other service providers.

In a global environment, jurisdiction is not just a matter of discussion, but is also application of existing law. Application of existing laws requires also to take into consideration the place of establishment and the place from where we are providing our services.

On top of that, the transparency is for us also a very important tool to keep the relationship of trust with our user and also to – and we believe that also this could be beneficial also for law enforcement and the Governments around the world if they would improve the way they inform the user in transparent ways about the way that they are dealing with cybercrime. I think this would help to take out from the table of discussion a lot of the chaos that we have seen in the last days.

Where, again, let me reinforce the message that was escaped in the first plenary, there is no back door or drop box or a way for law enforcement to access the Google information without using the due process of the law. And I look forward to the challenges in dealing with cybercrime, but we believe that instead of thinking or rethinking the existing law, we have to understand exactly what are the gaps and the issues on the existing Treaty and existing procedure? We are doing this, you know, in relation to the MLAT. We were in Strasbourg to discuss the Budapest Convention a few weeks ago.

Again, we are very open as stakeholders to discuss with the other stakeholders, the Civil Society, the Governments, ways to improve the existing procedures. We believe that going around the procedure or thinking completely through the procedure, without taking into consideration the user fundamental rights and the transparency would be very, very, very dangerous in terms of destroying this trust and relationship that we as an industry and the Government has to us, as citizens.

>> TATIANA TROPINA: Thank you very much. Coming back to the ISPs and industry, Michael, please share your concerns with us.

>> MICHAEL ROTERT: Well –

>> TATIANA TROPINA: Or maybe tell us something good about ISPs? Without any concerns?

>> MICHAEL ROTERT: Well, yes. I mean, when it comes down to the ISP industry and cybercrime discussion, ISPs always are between two stools. Either they follow the law enforcement requests against their customers, or vice versa. So this causes problems for the industry.

And when I was asked to be on this panel here, I thought a good idea would be to talk about best practices and projects which the industry set up in cooperation with the other stakeholders, very successfully. And just to encourage other countries to maybe go the same way.

When we started, that was a couple years ago, we started a project together with the Minister of The Interior. They gave the money. We set up the project. And the idea was to get Germany at that time out of the top five botnet distributing sites, countries, in the world. Germany was I think number one or number two, which means the number of infected PCs distributing malware and distributing – and supporting phishing and all this kind of stuff.

So that started a couple years ago. It was for two years. And after the two years, when we set it up, we were something ranking on number 28 or so. So that was quite successful. The way we did it was to educate people to give consumers the possibility to talk to experts, to clean their PC. We had a website where they could download software to check their PC and everything else.

The second stage on this was to create a European project in order to establish a pan-European platform for detecting, measuring and analyzing, mitigating and eliminating all the cybersecurity threats. The project was just called, it’s still run, it’s called ACDC, for those who like music, it’s not with a band. It’s called ACDC is an abbreviation for advanced cyberdefense centre. But we thought it was a good name and everyone could remember it. And it covers 28 partners from 14 countries. And we have all the stakeholders onboard. ISPs, the CERT, computer emergency response – emergency response teams, Internationally, the developers, the academics, the public agencies, and law enforcement agencies.

And not enough, as this was targeted to individuals, we said okay, we will start another project which we could combine that is about infected Web sites from small and medium industry who have no idea that they are using for their website a code which maybe – which can be accessed easily by hackers. And this is called initiative S. And it’s starting as well. And the target is not the consumer, as before, but the industry, small and medium industry.

These are examples, beside what the ISP industry additionally does, is the In-Hope Project with the hot lines. This is very much an International cooperation, where the reason was to delete at the source instead of blocking and filtering, just to mention it once at least.

And the way it works is to secure evidence and then delete the illegal material. But police should still be or law enforcement should still be in a situation to track those criminals. Because if you only block, you might not be able to track these guys.

So the guidelines for the cooperation between the ISP industry and law enforcement was already mentioned by you. And we worked quite hard on it, together with the Council of Europe. And all I can tell is that the cooperation between the ISP industry and the Council of Europe is in terms of human rights, multi-stakeholder process, much more effective than just trying to avoid additional directive, like data retention and things like that, which comes from Brussels.

So that was my idea to give you a very, very short glance on positive projects, what the ISP industry does in order to fight it cybercrime and to have safeguards.

And for cooperation. We would wish that police Internationally would cooperate like ISPs do, in a way, in order to be even more effective. But as was said before, it definitely – we definitely don’t want a police from UK calling directly a German ISP saying hey, can I have this or that data?

There has to be negotiations. And from what I heard a couple of weeks ago, this will be part of the extension from the Budapest Convention on these issues that were discussed there.

So this is for the moment, I think, it is enough material for requests and questions.

>> TATIANA TROPINA: Thank you very much, Michael. And I think we have got an intervention from remote participants?

>> SORINA TELEANU: Thank you, Tatiana. I have a question from Syracuse University related to the earlier proposal about the UN Convention. He is asking why not use multi-stakeholder model (inaudible) so that they could be included. Thank you.

>> TATIANA TROPINA: So who can comment on this?

So was the question about UN Conventions?

>> SORINA TELEANU: Yes. It was about the proposal. I can make a comment as well after you if, if you, please.

>> Sorry, I just missed the question, in fact.

So was it about the mechanism for global United Nations Convention against cybercrime, which is proposed by Russia?

>> SORINA TELEANU: Multi-stakeholder consultation, in that context.

>> AUDIENCE: Well, the multi-stakeholder nature of such mechanisms is the question still to be discussed. Because the draft Convention has been elaborated as an official UN document. And the United Nations is, firstly, it’s an institution which has been designed for intergovernmental agreements, and adopting some documents and Conventions and treaties, according to international law on intergovernmental basis.

So the very nature of the document proposed is intergovernmental. But it is still unclear what – to what extent of engagement of other stakeholders the mechanism of its implementation is designed in the draft Convention. We still don’t know, because there is no text available at the moment. But, we might hope that Russia’s policymakers and Russian people who are in charge of elaborating this document derive some lessons and conclusions from the general trends of development of the International process of cooperation in fighting cybercrime. Because any document would not be realistic and it would not be feasible to implement such a mechanism without any multi-stakeholder involvement. And policymakers in Russia know it very well.

I guess we just should wait when the first draft text is published. And then we could make our own conclusions on whether that document is effective in terms of promoting the multi-stakeholder format or not. I hope it will be, in fact.

>> TATIANA TROPINA: Thank you very much.

Have you got any further comments from the floor? Or maybe questions? Because I think I can open this up for discussion. If we have no questions so far, I would like to ask Christine or Pedro to comment on this.

So, Pedro, you go first about this new – maybe you can make a comment about this balance between the proposed UN based approach and the Council of Europe approach?

>> PEDRO VERDELHO: I’ll comment on comments.

Well, basically, we have two questions nowadays in the International scene regarding the International approach to cybercrime. Just two questions. The rest are minor questions.

Of course, everybody recognizes that cybercrime is International. Of course, everybody recognizes that most information we need is in the hands of the private companies. Everybody recognizes that most of the information is based in the United States. This is quite clear.

The two open questions, more difficult, are the following. First one, are the countries – do the countries agree on the need of making flexible International cooperation or do they still want to keep the traditional way of cooperating Internationally by means of interrogatory letters, by means of ministries of foreign affairs, respecting the borders and the traditional ways.

So the question is, are the countries discussing and do they agree on moving to another step? Because this International fashion of cooperation is not suitable anymore. That is the first question.

And they don’t agree on that. At this point some countries say the traditional way of International cooperation is no longer useful, cannot be effectively used with good results. So we must flexible-ize it. Other countries say no, we want to keep our sovereignty. We want to keep all the kinds of investigative measures within the borders. So the countries do not find agreement on this.

And that was one of the main questions discussed in the United Nations. Nevertheless, the experts – and some of them are here with us – the experts of the United Nations said everybody in the country field, every investigator, every law enforcement points out that we need to have flexible measures of investigations. But some States, this is public, this is not confidential information, so I can, for example, mention Russia or China or Iran, for example, because they have that public position in the United Nations meeting. So they are not the only one, of course, but Russia, China, and Iran, for example, are against the flexiblization of the cooperation Internationally. And they say no, if you want information from my country, you must ask me, the Russian or the Chinese or the Iranian Government. That’s the first question, and no agreement on that. And so that is – that’s a dead end road regarding discussion of cybercrime.

The other important question, so on that point, the discussion is dead. The other important question is should we discuss an International agreement within the Council of Europe or within the United Nations? Of course, everybody agrees that the United Nations are a global organisation. It’s close to 200 countries the number of affiliates to the United Nations. So probably a United Nations Treaty would be more comprehensive, including more sensibilities, of course. This is clear.

The point is that in the United Nations, the countries did not agree on negotiations. And on the other side, the Council of Europe could find, could end, could draft and could open to signature a Treaty, an International Treaty, that nowadays covers close to 60 States of the world, not only from Europe. United States, for example, Japan, for example, Dominican Republic, for example, very soon Senegal, very soon the Philippines, already Australia, probably very soon Argentina, probably also Mexico, and other countries from other latitudes.

So the point is, the United States probably would be the best option. But it is not the real option. Because in the United States, the countries did not agree on very important questions.

On the other side, there is a Treaty already in force, already working, already allowing cooperation, that is the Budapest Convention from the Council of Europe. So we have two questions, as a final remark.

The first one, Council of Europe or United Nations. No question.

Second question, are the States available to discuss the question of flexible-izing, making flexible the cooperation? And on that point, some countries are, some other countries are not.

The Budapest Convention, and with this I conclude, the Budapest Convention already includes flexible tools to cooperate.

For example, if today at this precise moment a police office from the Netherlands – sorry, Belgium, Portugal, wants to obtain information abroad, it can do it. Period.

Thanks.

(Applause)

>> TATIANA TROPINA: Thank you very much.

Are there any comments from the audience? Because I believe that we came to the very controversial point, actually, because industry mentioned that if you get some questions, as an operator or as a private industry stakeholder, you would really like to prove them. You would really like to know that this mechanism works.

>> PEDRO VERDELHO: Life is not perfect. If you go to a perfect restaurant, if you have a fantastic dinner, great. But at the end you have to pay.

>> TATIANA TROPINA: Of course.

>> PEDRO VERDELHO: So life is not perfect.

>> TATIANA TROPINA: I would like to ask the audience, maybe someone can comment on this. What is your opinion? What would you prefer, as business, as users, police, from the foreign state, would you prefer that for the sake of investigating crime, your data would be accessed via borders, without using mutual legal mechanisms? Would you rather prefer some official document, some official ways?

>> PEDRO VERDELHO: That’s why we need to regulate it, why we have to discuss it to create safeguards and guidelines. And that’s why the T-CY of the Council of Europe already mentioned before is discussing exactly an additional Protocol to the Budapest Convention to create the rules how it can work.

>> MICHAEL ROTERT: Unfortunately, there is another player on this field, a group from the United Nations, which is called ITU. They are a – they held a communication forum where they propagated new ITRs. And one article, Article 5A, says Member States shall individually and collectively endeavor to ensure the security and robustment of International telecom. That was about the cooperation, and it was formulated a little bit different.

Unfortunately, or fortunately, however you call it, these ITRs were only signed by 88 out of 193 countries. And they have to work together.

So it is already discussed at the UN level. And the ITU said something about it. So it’s not only the Council of Europe.

>> TATIANA TROPINA: So we have multi-stakeholders not only in terms of public/private, Civil Society, Governments, but we also have different stakeholders within this International environment.

Are there any other questions? Please use this opportunity.

Can you have a microphone?

>> BERTRAND de La CHAPELLE: Hi. I’m Bertrand de La Chapelle. Just one comment regarding methodology for the development of International agreement.

If I look at the example of the texts that were adopted at the World Summit on Information Society, they were adopted by Governments in a UN Conference. However, some of the wording was actually produced by a multi-stakeholder group on Internet Governance. The definition of Internet Governance, the format of the IGF and so on was actually predrafted and incorporated afterwards. Likewise, in the Council of Europe, there was this Working Group that I was honoured to participate in that prepared the document on the principles regarding Internet Governance and the recommendation on the transboundary arm. The document was drafted in an interactive process by a small multi-stakeholder group.

So I just want to introduce this, because there is no contradiction between having an intergovernmental body and a preparatory process that can be more multi-stakeholder than it is today. If at one point in time something that is being developed in a UN framework could be prepared by multi-stakeholder groups, that would be a great progress. Unfortunately, on the substance, I agree that the UN community is not able to get to an agreement right now. And, unfortunately, the key question regarding universality is when it is a starting point or an end point. Starting point, as making any negotiation in a universal space, is a PC had and no go, doesn’t produce any result. Universality as an end point can be participation of a limited number of actors who produce something that progressively spreads. And the Budapest Convention showed that the earlier that you take something into account, and the incidence that it will spread, the more likely it will, in due time.

>> TATIANA TROPINA: Thank you very much.

>> SOPHIE KWASNY: If I could come back on the universality as an end point. Pedro mentioned about 60 countries that are about to be bound by the Convention, if we count the current 40 that have been invited, but also something that is important to the Budapest Convention is that we have cooperation in a number of countries that we assist to develop legislation that is in conformity with the Budapest Convention. So even if there has been no formal process of request of accession or accession being considered, those countries are developing legislation which is in conformity with the Budapest Convention, so there again gaining in universality.

>> CHRISTINE RUNNEGAR: If I could add a bit. Of course, it is important to talk about where we develop our ideas and how they will be solidified. But let’s not lose sight of what we’re trying to achieve. We must put a lot of our efforts into thinking about what are the – what is the world we want? What are the tools that we need to achieve that world? Rather than focusing too much all the time on should it be here, should it be there, should it be in this other place?

>> TATIANA TROPINA: Thank you, Christine.

Any further questions? Comments? Yes, please.

>> REMOTE MODERATOR: Thank you. We have messages from Muldova. They had a meeting a few days ago and they discussed about cybersecurity. Here is the message. The more popular the Internet becomes, the more risks emerge when it comes to cybersecurity. The vulnerabilities increase and it becomes very challenging to fight cybercrime. In Muldova there is a need for a department within the Ministry of Internal Affairs that would deal especially with prevention of crimes online.

And we have another question from a remote participant. He is asking whether the Telemenu is used for fighting cybercrime. Because the Telemenu has legal mechanisms offered to countries to fight cybercrime, including cyberwars, from Italy.

>> TATIANA TROPINA: Thank you very much. Can you comment? Telemenu was a document which was developed for the common terms to combat cyberattacks. So common language and principles which are agreed by countries.

So any one of the speakers and the audience can comment on Telemenu?

Let me make a comment on that. Oh, please.

>> AUDIENCE: I’m surprised that the issue of telemenu is raised within the framework of this session. Because at first glance it has quite little to do with multi-stakeholder approach. It’s clearly an InterGovernmental approach, and InterGovernmental dimension of cyberdefense.

So I should stress and I do know that the document itself is not an official document. It’s not even the document of the CCD CoE. It’s just a draft prepared by the group of experts.

But as far as it is known and as far as it is reviewed by Russian experts, it’s very meaningful. It’s a very important document. And it’s a very important step in adaptation of the International law to the issues of cyberconflict and cyberdefense.

And there are two points that should be stressed regarding the telemenu itself and regarding the reaction of Russia’s experts and representatives to the creation of this document.

The first thing is that there is a trend to regard Russia’s approach to international regulation in the field of information security and in the field of its military implications. And the telemenu has two diverging approaches. Because one of them, the Russian approach implies elaboration and use of International norms, legally binding norms, restricting such activities as elaboration of cyberwarfare and conducting conflicts in cyberspace. And the aim of the Russian approach is to move these things such as warfare and cyberwars out of the scope of legitimate behavior on the International arena.

While the telemenu provides just a guide for how to conduct those activities. And the main concern related to the telemenu, among Russian experts, including the representatives of the military, is that by its own existence, the telemenu contributes to legitimization of cyberwars and cyberwarfare. This is the main concern and it’s – this aspect has been very actively discussed in rationale.

But on that account, according to our own research at the peer centre and according to our nongovernmental points of view, there is an opportunity for converging of these two approaches, of the telemenu and for Russian approaches. Because the goal of Russia is to prevent the very case of cyberwars and application of instructive cyberwarfare. But due to very low technological thresholds for collaboration of cyberweapons, this task cannot be solved in 100 percent of cases.

Sometimes it would not be possible to prevent cyber conflict, probably. And then we have to introduce some instruction for the worst case. When the prevention and when the restriction norms do not work, then what should we do? And in this case we could apply just the very norms of the International humanitarian law and the law of armed conflict, if they are properly adapted, adapted to the cyberspace reality.

And there is a link. Here is a link between the telemenu and between Russia’s initiatives. And there is a chance that the menu would not be treated only negatively in Russia. And that NATO representatives and representatives of Russia and also of the Shon Ki cooperation, which brings together key Russian lives and partners, would find some common language to discuss this document and to discuss their approaches as mutually supportive and mutually contributing to each other.

But once again I do not see any multi-stakeholder component here. That is why I was not expecting to discuss this issue within the framework of this session, though it’s quite interesting and important. Thank you.

>> TATIANA TROPINA: Thank you very much for giving this insight.

Would you like to react?

>> SOPHIE KWASNY: Just a clarification about the telemenu. It’s clear from the mandate of the Council of Europe that our priorities to create stronger links and unity between the Member States about our traditional pillar, which is human rights, rule of law and democracy. And clearly anything to do with national defense is out of the mandate very clearly.

So I just wanted to make that clear.

>> TATIANA TROPINA: Thank you very much. Because I was going to do the same. I was going to say that what I see sometimes, I see mixed concepts of national security, cybercrime and the cybersecurity, so I didn’t expect us to touch the national security concept at this plenary.

Sorry, I’m going to make this intervention, because in terms of political processes, in terms of political intervention, it’s very easy to approach people and businesses and say: I’m international security and I need to control you. I need to intercept your communication. I need to store your data and retain your data, for the sake of protecting the interest of the state.

And I believe that there is a very powerful instrument on the one hand, because Governments do need some process to legitimize themselves and the easiest way is to say that we are protecting our citizens. But we also believe it can raise human rights concerns and so on.

Have you got any questions so far?

>> AUDIENCE: I would like to make this question on to the people on the stage.

I think we are underestimating – and sorry if I repeat myself – the kind of trusted relationship that citizens have to our States and citizens have to the services that they use online. Now, we fully understand that the framework of this discussion, which is fighting against cybercrime, and we all agree that fighting against cybercrime should be be a priority especially fighting with criminals.

So in relation to that, what are the, for example, the ideas that people on the stage have as to a way to attack the source of revenue criminalisation, such as the focus that we have on user content information? So why don’t we talk about criminal organisations instead of talking about user negative behavior online, first part.

How do you think we can address the trust issue? Once the trust is gone towards Governments and to the online service provider, it’s gone. And, frankly speaking, the PRISM issue is for sure something that we are facing as a reasonable concern. But if you look at the reaction of US and European cities and vis-a-vis the US Government is not exactly what Governments should be, as a way to have a fruitful relationship with our citizens.

>> CHRISTINE RUNNEGAR: Yes, so if I can follow-up on that very excellent point. This key issue of trust. I mean, it’s one of the fundamentals that underpins the Internet. I mean, we have – trust is important not only in principles but in the relationships of trust. And as we have seen, things that threaten that trust, where you have what is considered to be unwarranted collection and correlation of user data, I mean, this risks undermining this trust relationship on which we built the Internet.

And it also raises questions about the extent to which individuals’ expectations of privacy have been compromised. And the impact of this – these sorts of things is global. It’s not just restricted to one country or one Government citizen.

And since we have been talking about transborder access and trust, it’s also worth pointing out that, you know, beyond these issues, which are very important issues about the impact on privacy and human rights, we also need to think well, what might be the reaction if there has been or if there is perceived to have been unwarranted access to data from one country to another country?

We might start to see that Governments want to exert geographical control over traffic and transit routes. And this has a potentially chilling effect on the global resilience of the Internet architecture. And we risk losing the diversity that we have through the diversity of connections and routing, which is really important particularly in times of natural disaster. Resilience and trust are key issues in this area.

>> TATIANA TROPINA: Thank you very much.

>> AUDIENCE: Just a short intervention.

We are there. I guess that is a slight exaggeration. First of all, it’s not my position and neither is it the position of Russia. Just some concerns about telemenu were raised by representatives of the Russian governmental agencies that the menu might contribute to the legitimization of cyberwars in case if it’s not balanced by International norms aimed at prevention and prohibition of such phenomena.

So just to make a parallel, you are in a bus and you just use – you use the door to open it and to go out. But if the door or mechanism is broken, or there is a car accident, you use the hammer to break the glass. So if you have instruction only for using the hammer, but you don’t know how to just use the door in a regular situation, usually, you are damaging someone’s property and it’s not behavior you should be oriented towards.

So this is – telemenu is an emergency instruction, but it appeared before the instruction how to behave usually in the International arena.

The default mode is prevention and prohibition of cyberwarfare and cyber conflicts. But in case that doesn’t work, then we have these rules outlined in the menu and only then we use them.

So it’s just how it should be, how it is perceived in Russia.

>> TATIANA TROPINA: Thank you very much for your useful comments. Sometimes I actually regret that I cannot sit at the same time there and so I can lead the plenary and also read the reaction which we have got in the Twitter news feed.

Are there any further questions?

Because if there are no questions, or no statements, which actually really surprises me. Because I perceive cybersecurity as a common concern. But nevertheless, if there are no statements or questions –

>> There was a question there.

>> TATIANA TROPINA: Very good. Thank you.

>> AUDIENCE: Good afternoon. My name is Nelson Portina and I work with the Justice in Portugal.

I don’t use the Internet for personal use, because I don’t trust it. And as I see as International you cannot agree on how to manage it. I as a citizen stand on my position. I don’t trust the Internet.

>> TATIANA TROPINA: Thank you very much. Anyone to comment on this?

Thank you.

Can we have a microphone for the lady.

>> AUDIENCE: I have a question for the panel. We heard we can call it stories all the time about some dark business that goes around the Internet. We talk things related to organised crime, et cetera. I wanted to know, what is the position of the law enforcement? And the next steps that law enforcement offices around the world are taking for this position? Because it is one of the reasons why people don’t trust the Internet, because the stories go out about things that go on there.

And I would like to know any comments on that.

>> TATIANA TROPINA: Pedro, please.

>> PEDRO VERDELHO: This is almost the beginning of the debate.

(Laughter)

What could I say first? Internet opened a new world, a mirror world. We live in a physical world and suddenly we got a virtual world on the other side of the mirror. That’s very good. You can get information from there. We can make business there. We can work on the other side. A lot of things.

The problem is that our side, the physical world, the offline world is already regulated for centuries. Well, in Europe at least since the Romans. The other side of the mirror is not yet still regulated. So the rules must be still dropped. And besides, sometimes we do not agree on that most of the times.

The other part is that in the physical world, if you want to drive a car, for example, first, the cars respect technical rules and legal rules.

Second, the roads respect rules.

Third, you must have a driving license to drive a car.

There is a rule of the road, a code that rules the traffic. Everything is ruled. But if you go to drive your computer on the Internet, no rules. Most of the times no rules. No rules for building Web sites. No rules for exploring businesses, except the physical world of businesses. No rules for driving, for surfing on the Internet most of the time. So that’s a problem but it’s also a challenge.

And it’s time to give you the word.

>> TATIANA TROPINA: I’m sorry. Okay. You and then we will go to the intervention.

>> MICHAEL ROTERT: I have to object. I totally disagree. If you would apply the existing regulation for the Internet on the offline world, no one would leave their house anymore. Because, for instance, do you need your passport to go in the market and buy a salad? No. But on the Internet it’s requested, things like that. Or data retention. Does anyone open your letters sent to you and notice everything down, storing it for six month? No.

>> PEDRO VERDELHO: But that’s another question. That’s another question.

>> AUDIENCE: Well, I want to completely go in the direction that Michael was alluding to.

I think the statement you made is intentionally framed in a way that justifies action. The reality is that the world of cyberspace not only is without law, but it’s overwhelmed with laws. Every single national law actually applies to what people are doing online.

In addition, the analogy with the car, it’s not because it’s physical equipment. What we’re doing with the Internet is the equivalence of walking in the streets. Walking in the streets is a fundamental freedom, and you don’t have to show your passport when you enter a shop. You don’t have to do a lot of things. We are considering now that this environment that has been created basically 25 years ago, as I said in another panel, should be cleaner than the real world. That it should be such a new Garden of Eden.

There are two things. One is that it’s an existing garden of Eden and that we have to establish rules, which is not true. And the other one is that we should establish rules so it becomes a perfect human world that we cannot achieve in the real life.

The Internet is a mirror of the real life. It’s a citizen. But as a former representative of a European country, I consider that it’s miraculous that there are so few things that are happening on the Internet, given that this puts into contact people who are 2.5 billion would normally never interact among themselves.

And I basically defy anyone to say that the Internet per se is just making the criminals seem worse, in general. These are people who are in the real life. They are using the Internet as a tool. The challenge of solving those issues I agree are new, because it requires transborder cooperation. It requires procedure. The flexibility that you are mentioning is a core issue. Because in the past people were addressing issues at the national level with borders and today they have to face it with new tools and across borders and new cooperation.

But let me make an argument like Michael did. What is happening with the PRISM thing. Excuse me, if anybody 25 years ago wanted to have traceability on the movements of everybody in a foreign country, you would need to send 200,000 or 300,000 secret agents under diplomatic passports, sitting in cars all day long, checking with people who are coming out of their house and coming in. Today you get the location of the mobile phones that are stored already. That is a fundamental distinction that makes the challenge bigger, because we have tools to do things good and to do them bad.

But the notion that it’s without laws or that we should establish laws so it becomes much better than the real world is illusional on both sides. Flexibility and how we collect the data that is collected for good users and not bad ones are really the issues, and that is what we should focus on.

>> TATIANA TROPINA: Thank you very much. Is there anyone who wants to make comments? Because we will soon run out of time. If not, I would like our parties to summarize in just one phrase.

What is the way forward for you as a stakeholder? You, Pedro, as law enforcement, what is the way forward? Probably it will be transborder or something like this. But anyway, wrapping up the discussion about your role in this environment of fighting cybercrime.

>> PEDRO VERDELHO: Really, it’s transborder access, my final word. We need transborder access. We do have it already, but we need to discuss it, so as to regulate it and to create safeguards to that activity.

>> TATIANA TROPINA: Michael, from your industry perspective?

>> MICHAEL ROTERT: Well, my idea is better cooperation and definitely not having the ISP industry as an additional Deputy in between.

Support, yes, industry does a lot of support. Better cooperation across borders, with police or law enforcement in itself, as done by the ISP industry. I think that would help much more than direct access to data.

With safeguards, however. The safeguards must be considered very, very carefully and be a lot.

>> PEDRO VERDELHO: Just to respect your speech, I mean, to make applicable to do online world, the principles of the offline world. And with that we can survive. Fundamental rights.

>> TATIANA TROPINA: Thank you very much. So I can see this collision of direct access and ISPs in the middle.

>> CHRISTINE RUNNEGAR: First a reflection about where we are. We are at the European Dialogue on Internet Governance, a multi-stakeholder place to discuss these very difficult complex and controversial issues. Let me also make a plug for the Internet Governance Forum itself. It’s a very important place. We should all get involved and contribute and support.

And now my recommendation. So I’ll invite all stakeholders to work together to understand cybersecurity threats and risks, and through cooperation and mutual assistance, to develop policies and strategies that enable innovation, economic growth, and preserve the fundamental principles of the open Internet.

>> TATIANA TROPINA: Thank you. And Sophie?

>> SOPHIE KWASNY: I think the Council of Europe has a great future. The Convention in Budapest has a great future. What has just happened, we see that there is a need for the framework, human rights approach, very strongly. And indeed this question of the transborder access to data that is in everyone’s mind at the moment, we need to work on it. And I think that the Council of Europe with the Budapest Convention is really a perfect platform for many Governments. So not only our Member States, but all the participants to the Convention. And because in the Council of Europe we are very strongly committed to the multi-stakeholder model, too. So I think the future is bright.

>> TATIANA TROPINA: Thank you very much. Anyone wants to make final remarks, comments, to wrap up the session. If no one. Thank you very much for attending this session. Thanks to all the panelists, and thanks to the remote participation moderator, Sorina. Thank you.

(Applause)