Public-private cooperation in the fight against cyber-crime and safeguarding cyber security? – PL 05 2012
15 June 2012 | 14:30-16:00
Programme overview 2012
- Anders Ahlqvist, Swedish National Police Board
- Patrik Hiselius, TeliaSonea
- John Kampfner, GNI’s European representative
- Christoffer Karsberg, ENISA
- But Klaasen, Clean IT Project
- Slobodan Marković, Advisor to the State Secretary for Digital Agenda Republic of Serbia
- Tatiana Tropina, Max-Planck Institute for Foreign and International Criminal Law
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> Ladies and gentlemen, we are very sorry but we are waiting for another microphone for my colleague. So please be patient for a couple more minutes. Thank you.
>> The bell is ringing outside. So maybe we will wait for one or two more minutes.
>> Shall we start?
>> We can start.
>> I beg for your attention, please. My colleague is talking. We beg to respect that.
>> TATIANA TROPINA: Thank you very much for taking this session.
In my short introductory speech I would like to explain why we have decided to focus this security plenary on public-private partnerships. Briefly the reasons are, first of all, we do believe that governments cannot and shall not be expected to fight cyber-crime alone and fight cybersecurity alone, just because network infrastructure was built and owned by private industry, and private industry has capacity to help governments in fighting cyber-crime.
The second reason is that this trend of privatization in fighting cyber-crime and safe cybersecurity which started ten years ago, more than ten years ago, with the hot lines for blocking illegal content, for blocking child pornography, is now developing in many areas, and private industry players like ISPs, big Telecom operators, global service providers, e-payment providers, e-commerce providers, they have already become critical nodes in different areas of fighting cyber-crime and promoting safeguarding cybersecurity.
This is why we are going to talk about the role of private sector in tackling this problem.
I would like this session to be focused mainly on two issues. First of all, it’s best practices. I really would like to ask you as the audience to be as interactive as possible, and if you have something to share, please share this with us, with your interventions.
The second focus of the plenary is problems, problems of this public-private cooperation, because we still are lacking clear frameworks for taking decision and for putting the decisions into practice for implementing the decisions.
Now I will give the floor to the second moderator. I’m sorry. I didn’t introduce myself. My name is Tatiana Tropina. And I’m the focal point for this plenary, and I’m the first moderator. The co-moderator is Denis. And he will introduce speakers and we will start the session.
>> DENIS CORAGIC: Dear ladies and gentlemen, my name is Denis. And thank you for this short introductory, as we are waiting for Tatiana to change the microphone. I will shortly introduce you our panelists who are excellent, proficient and prominent people in their expertise. They will definitely have something to say on this.
And I invite you as an audience to feel free to ask everything, to give comments, and I will be personally happy as a moderator to see some conflicts of opinions and clashes, but I think without any bloody outcomes.
First of all, I would like to start to Mr. Patrik Hiselius, from TeliaSonea; Douwe Korff, London Metropolitan University, But Klaasen, Clean IT Project, Slobodan Markovic, Advisor to the State Secretary for Digital Agenda Administration from Serbia, Christoffer Karsberg, ENISA, and Marco Pancini from Google. I’m sorry if I make a mistake with someone’s surname or not. But I’m sorry for that.
As Tatiana has presented, we will focus today on best practices and on problems which we are going to face regarding cybersecurity. First, I would like to invite my speakers to briefly present their opinions about public-private partnerships, about some options or modalities which are successful or nonsuccessful, and to give us good basis for discussion.
Patrik, I would like to start from you. Do you have any to share with us, any good experience with public-private partnerships, some option or modality?
>> PATRIK HISELIUS: In our sector we are working actively together, in the Telecom sector, together with police authorities to block child sexual abuse images. It is a good example. But it also poses a range of challenges, which I hope I can explain further down the road in this seminar.
>> DENIS CORAGIC: No problem. But.
>> BUT KLAASEN: Actually you are creating a lot of best practices at this very moment by putting private partners and the government together in a kind of multi cycle environment, and this is the project I will highlight.
>> DENIS CORAGIC: Marco.
>> MARCO PANCINI: I would like to make a statement back to clarify what we mean for private-public partnership. First I would like to start from the main focus for us, which is the respect of the rule of law and due process, which is the framework in which this collaboration then can, between industry and law enforcement, prosecutor, the institution can flourish. In this respect, knowing the charter, improve the collaboration, share information on best practice in the way we deal with the current issues in relation to legal content, to align is something very important. We are focusing on this, but we still believe there is a lot that can be done.
>> DENIS CORAGIC: Thank you. Christoffer.
>> CHRISTOFFER KARSBERG: Yes. One example is on the European level, the EP3R, which is the European public-private partnership for resilience. And yeah, that is an example of information sharing regarding best practices on different national public-private partnerships, and also some concrete projects regarding botnet mitigation schemes, for instance.
>> SLOBODAN MARKOVIC: I wanted to highlight two examples from Serbia which are really recent. They all happened in a couple of last two months, three months. The first example is Serbian administration for games of chance.
They actually started implementing legislation which forbids Serbian citizens to participate in betting on Websites which are not licensed by them.
So a couple months back, instead of first entering into negotiations with the industry, they directly sent a letter to the ISPs saying that they should block access to some 70, around 70 Websites, most important betting Websites, threatening them actually with criminal procedures for assisting in organizing illegal gambling.
This example actually illustrates the need for a better cooperation and communication between administration and industry players before entering any measure, because in this case, for instance, the administration for the games of chance had a much less invasive and more proportionate measures at its disposal.
Of course, the ISPs refuse to abide by this request, and after this attempt failed, the administration resorted to action and....services to....
(wired internet goes down.)
Serbia police, they signed an agreement by which the police provide the rest of sites with child pornography and other material considered harmful to minors. Block those sites, block access attempts by their customers. Criteria procedure, there was no method for determining if a Website was on the list. There was no mechanism to get on the list. The only piece we got in the end was block around 120 access attempts.
This is an attempt to highlight the need for more transparence in implementing the public-private partnership in the area of cyber-crime and cybersecurity
>> DOUWE KORFF: You may have seen me as an academic. I’m here today mostly as a representative of the Global Network Initiative. And I make apologies for John Kampfner who tried to get here from America but couldn’t make it. He missed his connection in London. He had to stay in London.
The Global Network Initiative is a cooperation between major companies, at the moment, largely American companies, NGOs, investors and academics and experts like myself trying to address a different angle from the other panelists the problems companies have in dealing with government requests for cooperation in law enforcement and national security issues, both in Democratic and nonDemocratic countries. I have written with coauthor Dr. Ian Brown of Oxford University, that was launched successfully in Washington, D.C. Yesterday. You can find it on the Website of this plenary.
Go to the Website, EuroDIG 2012, and click on plenary 5. At the bottom there are documents, and there is an executive summary. If you have a chance to look at that during this plenary, questions are invited. And the full text, which I hope you look at, at home, that deals with both the international legal framework and freedom of expression and privacy, and the rules that apply when governments are allowed to limit these rights.
Of course, companies must increasingly be aware of what kind of demands that are made of them are legal in terms of international rights laws, and what kinds of demands are made of them that are not legal. The problem is they must come up with a policy of how to deal with those demands, and if the demands are contrary to human rights, they should have a policy for mitigating the effects.
We make recommendations on how companies, NGOs, states, Democratic sites, and experts can work together in trying to address these difficult problems. I hope it is complementary to what the rest of the panel does. I think there are overlaps in many points. I’m looking forward to the discussion. Thank you.
>> TATIANA TROPINA: As a moderator I would like to ask you, before I will give the floor to the first speaker to talk about the model of public-private partnerships on the international level, have you any questions with regard to what you have just been told? Our speakers can focus maybe on addressing the issues you would like to talk about. If we have no interventions or questions right now...
>> DENIS CORAGIC: Any need for clarification?
>> TATIANA TROPINA: Problems we might talk about, we start with Christoffer, please.
>> CHRISTOFFER KARSBERG: For those of you that don’t know the European Network and Information Security Agency, it is based in Greece. A European agency, it has an advisory preventive role. It is not operational in a sense that it reacts to incidents. It is advisory. It is a facilitating cross-border cooperation role that it has. It is brokering knowledge between countries, models for public-private partnerships.
My input into this discussion will be on the public-private partnership concept for enhancing cybersecurity and mainly resilience, and why this is interesting. So what is public-private partnership? ENISA has attempted one definition, which is an organised relationship between public and private organisations which establishes common scope and objectives and uses defined roles and work methodology to achieve shared goals.
There must be a rationale for public-private partnerships. So in this case, cybersecurity, much of the infrastructure and operations are managed by private sector on the one hand, and with the responsibility from the governments regarding safety and security for citizens and societies, on the other hand; it seems logical for the industry and government to work together, right?
And they are also in, there are also interdependencies, so e-com providers and other sectors such as power supply sectors need to work together, for instance, and also there is a cyber-crime scope with links to law enforcement.
So I mean there are different stakeholders here. Then we have the cross-border dimensions, of course, which calls for European and also global cooperation. And networks are good examples of efficient cross-border cooperations. So what are we waiting for?
Why don’t we see so much public-private partnerships around in Europe? Because that is a fact. We could see more than we do. There must be concrete incentives for the private sector. There must be a common view among e-com providers and shared investments in resilience. It will probably lead to reduced risk exposure and cost savings.
That is one incentive, to being able to cooperate during a crisis, to get access to what is going on in the government, could be one. And the possibility to influence, share by being there, to influence strategic directions and national policies, and not least the opportunity to avoid inappropriate and unnecessary regulation if it’s not needed. There are some prerequisites.
There must be trust in this type of cooperation. You need to get to know people in a group, physical need things, and so on. You need to be committed to contribute; law being safeguarding and marketing is just counterproductive in such a model. And there must be a stability in the participation, and a need to have patience.
Developing a PPP is a process that must take time, must be able to take time.
The focus could be preventive, where one example is the UK CPNI, the Centre for the Protection of the National Infrastructure, where they share information and learn from each other, which could be, for instance, response, that is to respond to and recover from incidents in a partnership, where one example is the Swedish NTSG, the National Telecom Coordination Group, with representations from Telecos, energy sector, the Swedish armed forces and also the regulator, PDS, that initiated this group.
Then we can have the umbrella focus which covers the whole security lifecycle. And one example is the NESC in Finland, that is a multistakeholder PPP, and is regulated by a legal mandate. So the public and private sectors are actually mandated here to engage in this kind of cooperation.
We also have PPP at European and international level to link cross-border aspects. There we have for instance the EP3R, which I just mentioned, which builds upon national PPPs, and has a global outreach. It has a preventive focus, and is an information-sharing forum, divided into different working groups.
One of them is dealing with botnets and has come up with interesting recommendations in the area, and together with Europal there is a workshop now in June with this working group regarding botnet mitigation – and Amazon, Google, Microsoft are all in the working group – the success of this group, good participation, motivated people, good moderator, and it has, it is a concrete topic, and it’s supported by the commission.
This group aims at going towards recommendations on fighting cyber-crime in general, and that is why it is relevant for Europal to participate in this PPP. And they do the operational work. And ENISA is supporting with running the group and expertise regarding the recommendations.
My final example here is the European, it is pan-European exercises, that ENISA performs together with private-public sector. And the next one, cyber Europe 2012 is coming up here.
>> DENIS CORAGIC: Excellent. We have heard a couple examples over here, just as the foundation for the rest of the discussion. Good.
But, as a representative of one emerging public-private project which is Clean IT, could you give your own perspective for public-private partnerships in general, and perhaps some modalities and options for the future?
>> BUT KLAASEN: Sure, of course, thank you. I would like to address the problem, the fact of the terrorist use of the Internet. I will start with a statement that the European coordinator for the Council of Terrorism said last week. He said that prisons and Internet, those two are the greatest incubators for terrorism. And let me continue with an example.
As you might know, the terrorist threat level in Belgium has just been raised from level 2 to level 3 after last week’s stabbing of two police officers on the Brussels Metro. This week, the guy who did it, a French extremist, explained in the Belgium newspaper why he did it. And I will quote him.
He said, “My personal life was a mess. I was unemployed, and divorced. I started the spiritual search and came across extremist Websites like Sharia for Belgium. I became addicted to this site and it confused me. I started thinking like a zombie and the range of extremist thoughts fascinate me. I could not think clear anymore.” End quote.
Now, I tell you this because I think that probably no one in this room or in this audience is familiar with the Website, Sharia for Belgium. And this is not the only Website that contains extremist content and call for violence.
Many of these kinds of Websites exist, and a characteristic of these kinds of Websites is that they are at least partly illegal, and the owners are not the kind of people that collaborate with, that cooperate with the authorities, to say in a polite way.
I would like to explain the terrorist use of the Internet. And therefore, I would like to describe three layers on the Internet.
This Website, Sharia for Belgium, is part of the middle one, and I will briefly describe the two other layers. The first layer, that is the one we all know, is easy accessible part of the Internet, where you can find social media we all use.
For example, I asked a group of experts two weeks ago how many friends Al-Qaeda has on Facebook. Of course, they didn’t know the exact answer, because Al-Qaeda doesn’t have a Facebook page. But if you look at the Facebook activities from the French terrorist that was killed two months ago, it was amazing to see how many support he received for his acts in a few days.
This first layer is the easy accessible part, where you find social media.
The second, these are the ideological Websites, partly legal and more difficult to find. The third layer is very difficult to find and even more difficult to access. This is the on-line inner circle of terrorist groups that meet in these dark places of the Internet, in hidden chat rooms and encrypted peer-to-peer channels.
I try to visualize these three layers to explain how terrorists make use of the Internet. Considering these three layers, we will find two processes that take place. The first one is bottom-up. It’s the process of propaganda that is prepared in the deepest part of the Internet, in the hidden inner circle, is explained on those second, in the second layer on the ideological Websites and disseminated, spread to the public with a well-known social media.
The second process goes top-down. That is recruitment and radicalization process with the use of social media. Terrorist groups look for new recruits. Those who are interested are directed to the ideological Websites. And if they reach a proper mind-set, they are accepted to the hidden inner circle in those discussion rooms.
That is where violence is glorified and sometimes even attacks are planned. Those two processes, propaganda going up and radicalization and recruitment going down, this is terrorists’ use of the Internet we discussed in the Clean IT Project.
Let me be very clear, it is not the use of the medium at its existence of those three layers illegal that we want to fight; it is the purpose for which it is used. This is why it’s difficult for law enforcement to take action against it.
It is often difficult to evaluate if certain content is illegal or not, even for experts, because normally depends on the context within that is presented. Does it contribute to one of those two processes I just described? It is more the matter that at the certain point, somebody crosses a threshold of illegality, and it is not easy to point out where it exactly begins.
This is the main reason Clean IT Project started. It is an EU funded project initiated by Netherlands with Germany, Spain, Belgium and United Kingdom. And at this moment other European countries are joining our project, like Austria, for example.
We think that the problem is the terrorist use of the Internet is actually too complex to be solved by governments only.
Actually, I think this is my first statement for you and the audience, because the industry that owns, as said in introductory words, it has knowledge about how activity works on the Internet. As government, we need private interest groups to remind us about privacy issues and the importance of Internet freedom. The Clean IT Project tries to bring these three parties together, governments, industry and end users. They meet together to find practical solutions to reduce the impact of the terrorist use of the Internet.
Very briefly, some examples we are discussing is flagging mechanisms, or referral units, or exchange of information on known illegal material, takedown procedures, these kinds of things.
These will be practical solutions, and those are representatives from industry, governments and NGOs. So actually we created the kind of trusted environment, discussed technical and legal consequences from these solutions in a small but multistakeholder environment.
As I’ve only a few minutes, I won’t go into detail about this project. If you want to know more about it, please visit the Website, cleanitproject.eu.
I will conclude with a second statement, which also builds on a discussion we had this morning in plenary 4. Speaking for the Clean IT Project, we are following a kind of public-private approach in the small multistakeholder initiative, and the challenge we face as a project is that we do not have a formal body or committee to accept our end results. No one has really accorded responsibility on how to fight terrorist use of the Internet.
My question would be, who can make decisions when it concerns the use of the Internet for bad purposes? My statement is we might need such formal body, especially if it can agree on concrete measures in order to keep the Internet a secure place. And of course it has to work in a transparent way, and users derive Democratic procedures.
The point is I don’t know how such a body should work or how it would look like, or if it shall create a new one, I don’t know. But that is the reason we are discussing this in the Internet Governance.
>> DENIS CORAGIC: This question will definitely pop up later. I have also some doubts about that. Be prepared.
>> TATIANA TROPINA: Yeah, and before I will give the floor to the next speaker, I would really like to come back to the point which was highlighted by Christoffer, incentives for the private industry to participate in safeguarding cybersecurity and fighting cyber-crime, because recently I was reading a couple of researches which were made in the U.S. and in New Zealand.
The conclusion is that private industry is considering these participation in cybersecurity, self-and co-regulatory measures rather as a high burden. There are still a lot of bottom-up approaches from the industry.
I really would like to ask the next two speakers, because they are representing private industry, Patrik and Marco, what are the incentives for private industry to cooperate? How are you cooperating? And what are the problems for you to get involved into these cooperation? So I would like to give the floor to Patrik.
>> PATRIK HISELIUS: Thank you very much. I represent TeliaSonea, Europe’s fifth largest operator. We are present from Norway to Nepal.
And I would want to start by saying as one response to the remark, to the extent the private company engages in measures to fight crime, that there will always be additional requests for those companies to get involved, to fight also other illegal or illegitimate content on the Internet.
Such requests of course might be more or less legitimate, and cover such as suicide sites or illegal gambling or prostitution sites or illegal file sharing sites.
If you go in another seminar somewhere where rights holders meet to discuss the Pirate Bay or doctors that discuss the problem of suicide, there it would be fully legitimate to ask operators to engage in the fight against such unwanted material on the Internet.
Another area which I have met as a self or co-regulation, which can have a negative effect on fundamental rights such as freedom of expression, is content classification. And it has been raised that content classification should be done through crowd sourcing, for example, to protect minors from certain content.
My view, of course, that would be in detriment of the same child’s freedom of expression. Yet another route to privatize content regulation is through contractual requirements, as for example when content providers may seek from operators to act against the illegal content on the Internet in the contractual way.
In concluding that short introduction, I would say privatization of law enforcement for me seems to be a definite no-go. There will be issues as to rule of law, cost effectiveness, issues of lack of level playing field, transparency, etcetera. But is it that simple? For an operator, it is sometimes very complex.
Someone said you should definitely block the Pirate Bay, and someone else would say you should definitely not block child sexual abuse, or the legislator in Brussels might say, you should delete your data, your traffic data, as soon as possible, and then suddenly comes another directive which says, you should retain all the data for at least six months.
Sometimes it’s confusing for the operator. The example which I mentioned at the very beginning was where operators in Sweden, all big operators in Sweden and in most other Nordic countries and more and more countries around the world have a contract with a, an agreement with the national police to block child sexual abuse images.
That work is not about law enforcement. It’s crime prevention.
So the aim of blocking of child sexual abuse are twofold. The first aim of course is to protect the children, and to hinder recruitment of new users, abusers of this kind of images, so to address the market of child sexual abuse images, and the other aim of course is to protect our own users, subscribers from these images.
It works in the way that, we have had this since 2005 in Sweden, and more than 80 percent of subscribers are covered. And it works in the way that the Swedish police defines a list of DNS which they send to the operators, and the operators do not in any way judge the list. It’s the police who makes the decision on what is illegal and what is not.
We implement the list, and our subscribers, if they through spam or in other ways look for this home page, they get a stop page saying the police has defined this as a child pornography, and therefore you will not be able to see it.
So the positive with all this is that all our stakeholders support us in this, employees, media, shareholders, customers, politicians.
But, as my co-speaker here said, there are issues also in this crime prevention against child sexual abuse images, scope creep, lack of transparency; and therefore, we work for third-party overview in what we are doing. There is the rule of law issues. It is the police and not the authorities defining this crime prevention activity. And also, there is the difficulty of showing the real success to meet the two aims that I mentioned.
So my message in summary is that privatization of law enforcement to me is a definite no-go. It meets the so-called principle, foreign access provider not to get involved in the content of the Internet, should be retained, but when it comes to child sexual abuse images and crime prevention, this is something we as an operator think we can help with, and, yeah, that was my introduction and the example of fighting child sexual abuse images.
>> TATIANA TROPINA: Thank you very much, Patrik. I would like to ask if there are any questions or interventions from the audience up to now.
>> DENIS CORAGIC: We do have later one more question for remote participation. But please continue. No problem.
>> TATIANA TROPINA: On this stage, have you got a microphone somewhere? Probably I should take this microphone around when I see....
>> AUDIENCE MEMBER: Does this work? Okay. I’d like to make a point that blocking sites shouldn’t be a magical solution, because even if you block the child pornography sites or abusive sites, that doesn’t prevent a crime. Viewing that as prevention is kind of a misplaced trust I think, because you are not solving any crimes.
You are merely hiding them. I mean, the crime has already happened. And just having blocking and that as the magical solution isn’t really a solution in my eyes.
And I’d also like to go back to what Mr. Klaasen said earlier about terrorism. In that speech you might as well replace the word “terrorist” with “authority,” because that is the system we have today. You have to be careful when discussing the security on the Internet, because in my view what you were talking about and I mean fighting terrorism was really fighting people talking about certain things. And that to me is not a good way to go.
>> TATIANA TROPINA: Thank you very much. Any other questions? Actually, I would like also to make a short intervention after what you were talking about.
I do believe that, yes, if we do not keep the right balance of public-private partnerships, filtering and blocking may become a kind of private censorship issue. Now we have a question from a remote participant.
>> DENIS CORAGIC: Could you please say the question from Rudi which was asked a couple of minutes ago? Microphone.
>> TATIANA TROPINA: Yeah, I’m running. (Chuckles).
>> AUDIENCE MEMBER: There was a question from Rudi from ISOC Belgium, which is straightforward. Who is responsible for cyber-crime and cybersecurity? There was a comment on Twitter before, asking But to say a little bit about 390 projects, but he already referred to that. You can of course continue. So who is responsible for cybersecurity?
>> DENIS CORAGIC: I think this question is interesting for all the participants, their opinions.
>> AUDIENCE MEMBER: There was no particular person. Probably for everyone.
>> Should I start by answering the first question?
>> Of course.
>> PATRIK HISELIUS: Again the aim of this cooperation between, collaboration between the industry and the police authority is, one, to stem recruitment of new abusers, new buyers of these types of images; and therefore, address the market of child sexual abuse images.
But I agree with you, the way of distributing and sharing of these images is more and more maybe through peer-to-peer and other measures, and that is not covered here. There another tool needs to be defined and it is to protect our own subscribers from these images.
>> Douwe would like to make an intervention.
>> DOUWE KORFF: With child abuse, the first thing you want to do is stop the child abuse. And there is, I do agree with the person putting the question. People tell me, who have more access, like Iain Brown, my co-author, that there are in fact very few places where these images are created, and there is a lack of international will and cooperation in really tackling the people who are actually abusing the children.
I’m not opposing blocking sites that are clearly illegal, where there is a good process for appealing against decisions that might be in a gray area, but the first and foremost activity of state authority should be to crack down on people abusing children in the countries where they are being abused. And for some reason that isn’t done.
Maybe there are people on the rest of my panel who can answer that.
>> PATRIK HISELIUS: I fully agree with you, both measures needs to be in place. But you also need to remember that there is a horrible market out there asking for new pictures all the time.
So if you can stem recruitment and make this market smaller, that will also save children from being abused actually, because there is a market built on money out there. But I fully agree with you, the perpetrators need to be addressed as well. This is one measure, besides the takedown and the finding of the actual abusers.
And also, the actual, each time an image is shown, that is also an abuse of the child in question.
DOUWE KORFF: There is the problem with blocking, and it has been highlighted by open society and other organisations. There was always overblocking, and is it easily evaded by the people who really want access to these images, so they are not very effective in stopping the market. At the same time, by overblocking, you are at times blocking legitimate content.
There was a case of this Finnish chap who tried to establish the policy behind the Finnish blocking, and his site, which he set up in such a way as to make it impossible for people to abuse his findings in order to get access to child pornography, was itself blocked, though there was nothing illegal on it.
My colleague from Serbia pointed out you need good solid processes, and need to make sure there is no overblocking, and that there is a very good remedy, if you do accidentally and unintentionally block sites that shouldn’t be blocked, whether it’s gambling or anything else illegal or child pornography. Using the child pornography, the problems, it is easy to get social acceptance for blocking.
On that one step tool is being used, there it is being used against Jihadi sites, gambling sites, anything that people don’t like. Me as a human rights lawyer am concerned, especially in private partnerships, there aren’t proper principles. I’m glad to hear you do want due process.
>> PATRIK HISELIUS: You are mentioning the same problems I’ve addressed, scope creep, lack of transparency, rule of law. We have the same issues that we need to address.
>> But, you also have to respond on terrorism, it is slightly the same question from the audience which was asked about it.
>> TATIANA TROPINA: Can I also intervene shortly. I believe But will respond on terrorism and Marco had something to say, and we have more questions from the audience, so we will manage this.
>> BUT KLAASEN: Briefly, I think the gentleman in the back, you refer to the point of freedom of speech which we are facing every time when you are fighting terrorism. And I think he analyzed the complexity that we are dealing with, and that is exactly the reason why we try to find solutions in a new way.
Actually, it is not a project we are running, is more an experiment, but by bringing law enforcement together with people that are protecting the Internet freedom sites. We believe that in this open dialogue, we should find good solutions without affecting the personal freedom and freedom of speech.
>> MARCO PANCINI: I would like to bring to the table some initiatives where we are trying to find this balance that I think we are all discussing.
Starting from terrorism, again, I agree on, totally agree what was said around the fact that affecting only the visibility has a huge impact on free speech, and not so effective because it runs the risk to create victimization in the person running these Websites, and actually using speech to create terrorism.
So what we are suggesting, the initiative called the formers, which is basically trying to take, to bring into the debate the foremost terrorist acts to counterbalance, to align to professionals who knows exactly what kind of language used first because of their past experience as extremists, and second because they know how to deal, how to engage in the debate, how to debunk the arguments.
This is an example which is to try to minimize the impact on the free speech, at the same time is affecting, is really adding an impact.
The second example on child pornography, in U.S. and Europe we are engaging in an initiative called the financial coalition – in Europe it’s called the European financial coalition – which is bringing together the industry, the law enforcement and the civil society, trying to discuss an effective way to cut the source of revenues for criminal organisation exploiting crime, these terrible crimes on-line. This is another good example of information-sharing.
I totally agree that the visibility, again, blocking the filtering has a lot of flaws because technically speaking can be easily over, can be easily found solution to overcome the blocking.
But it is still important to avoid the victimization again of the, exploitation of the victims. But at the same time, if you cut the resources of criminal organisation, you are not effective.
Last thing, transparency is the key, rule of law. If we don’t have transparency coming with the rule of law in terms of informing the user about how much requests we are receiving from law enforcement around the world, what kind of process we should take as law enforcement, without this information the debate is not complete.
Final things on what was said before, the example, when we say that these examples of the guys, extremist stabbing two policemen in Brussels, and for sure, the Internet has a huge impact. But how was it impactful for him, his condition of being, without a job, in a country where there are huge problems of integration, and in a continent where actually religious debate is not developing in the direction of respecting each other.
So this does not mean the Internet does not have an impact, but it means there is a shared responsibility in understanding the situation and coming up with solution in this situation, this need to be taken into consideration.
>> DENIS CORAGIC: In other words, comprehensive and practical approach. You had a question.
>> I’m Monica. I’m a journalist. We have moved already but it is a very short question. Do you, perhaps to the transparency, do you publish numbers of false positives? What is your experience with false positives from the blocking list?
>> MARCO PANCINI: Yes. We post example of abuses, so you can see how many requests that we are receiving and how many requests we are complying with, or the reason we are not complying with this kind of request.
For the false positive you can also rely on the chilling effect initiative, which is much more insightful in terms of this information. Our information did more quantitative, chilling effect, which is based on the same numbers, but provide more insightful about this problem. I totally agree that this is a big issue.
Other things that you can, another big learning you can take from the transparency effort is, now we are focusing on terrorism and on child safety. If you see the big numbers in the request that we receive from law enforcement, most of the reason is defamation, other free speech related or censorship related reasons, which means something needs to be done in priority of law enforcement.
>> DENIS CORAGIC: You had a question. Yes?
>> AUDIENCE MEMBER: Yes, thank you. I’m with the Norwegian Post and Telecom Authority. A quick comment to the previous question, regarding what is sort of, what you achieve by blocking. The panelists have partly answered that question.
But of course, blocking the images is of course to prevent the sort of users of this material to get access to it. But also, of course, the idea of having, like in Norway, the criminal police actually doing the blocking, but they are also doing the investigation and securing evidence before, of course, they do block sites.
So of course, to be able to try to prevent abuse of children and to get the users and the ones that produce this kind of material, of course that is also the effect of doing this.
But so also the comment, I said the Norwegian regulator, public-private partnership also in this area, of course we have facilitated some cooperation between the ISPs and the criminal police in Norway back in 2004.
But of course, the process, sort of challenges of course to free speech and everything, and of course it must be balanced and also must be transparent and so on. So of course, due process and respect of law, of course, that should also be sort of upheld, very much so.
So, but of course, that is just a sort of quick comment to the question. Thank you.
>> DENIS CORAGIC: Thank you for your comment.
>> TATIANA TROPINA: There was one more question. Can I have a microphone?
>> DENIS CORAGIC: Microphone is walking.
>> AUDIENCE MEMBER: Thank you. Poland and European Digital Rights Coalition of European NGOs Fighting for Digital Rights. More maybe comment than question. I think it is known to you that as we advocate strongly against Internet blocking, as we believe that this is a strongly inproportionate measure to achieve the goals we are discussing here, for two reasons inproportionate. First, it isn’t effective in achieving the goal. I will not repeat the arguments already said on the panel.
But also because it is not, well, I mean, the cost of fundamental rights that we have at stake, it’s very high. Every filter which is between me as a user and the server I want to reach poses so many risks for democracy, freedom of information, that we have to be considering them.
In this debate, a very tricky question for us as an organisation is data. We often hear that there are more Websites, more pictures that has to be blocked, that there are, that many hits that were effectively blocked. It is a confusing debate because as citizens, we have no measures whatsoever to verify this. According to our research we use, it is the opposite.
There is, the research clearly shows less and less sexual – I mean, pictures of sexual abuse are available in the broad Worldwide Web. It is mostly going underground. The problem should disappear from the Worldwide Web.
What I would like to know from these of you who deal with this problem directly is how we can verify the data, how you obtain data you use as an argument for blocking.
Another point is of course we strongly advocate for notice and procedures for effective deletion and effective cooperation. I also welcome your views on what can be done or what is done towards, well, quicker removal of that kind of material. Also, the concept of mere conduit which is often applied to search engines and other providers that in my opinion provide hosting, we can easily see them as host providers in terms of copies of the images.
I would like to hear your views also on the removal. Thank you.
>> TATIANA TROPINA: Can I make a short intervention? If there would be room about blocking and removing, could we talk about blocking botnets and removing botnets as the other side?
>> BUT KLAASEN: In this public-private approach we follow in the Clean IT Project, we try to identify best practices. But actually we also identified bad practices, and blocking is one of them.
>> PATRIK HISELIUS: It’s good that the debate comes to the very practical parts of this work against child sexual abuse. I very much welcome that. So the fundamental principle for operators participating in this work is that we cannot and shall not decide what is illegal or not.
So it’s on the authority’s side to decide what should be on the list. Now, a huge problem with that list, that no one checks the list, okay. So what TeliaSonea has been working for since the beginning of this in 2005 is to raise public trust in this work, to have a third party to overview what sites that the police put on list, because the police can say there is nothing else than child sexual abuse, but no one is checking that.
If we as a company and industry can get support from others to get the third-party overview in place, that will be good for the fight against child sexual abuse and the protection of basic human rights. What we can bring into the debate also, there is now since a year ago a new directive, so-called moms term directive covering work against child sexual abuse. And it says that member states may introduce a law for operators to block.
I’d be happy to hear from everyone or someone a comment, should industry go to the legislator in any chosen country and ask for legislation, or is the risk in doing that big, because might then the legislator put in foreign gambling sites, piracy sites, suicidal sites, prostitution sites, terrorist sites, extreme site or whatever.
So for me, I have not been able to answer, do we dare to do that, or would that risk freedom of expression even broader. So far, we have kept to self-regulation, and said no to any other requests that we have received to block other stuff.
But we have not asked for legislation, because of the risk that that would be a broader than child sexual abuse.
>> DENIS CORAGIC: Did you have some comment?
>> DOUWE KORFF: I’m slightly puzzled by the fact that we agree there has to be extremely good safeguards, there has to be due process and transparency. But the reality, there is no transparency. There is no good checks on what is on these lists, that the lists insofar as we do know about it always overshoot and block all kind of things that shouldn’t be blocked.
The question is not really the good intentions of the people on this side of the table, but how you can come up with a system that really meets international standards. On top of that, we are talking here about how we operate in societies where you have good, hopefully good police and good courts, companies that are willing to cooperate.
I’m always worried about cozy relationships between private entities and especially the police. I think if anybody has to decide on what is legal and not legal, it should be the courts.
When you talk about a third party, essentially it should be a court. Now, I can think of immediate measures, where a prosecutor can issue an order to block a particular site and with an immediate appeal by anybody involved to a court to make the adjudication.
But when you talk about what is and is not accessible to the general public, you are treading on dangerous grounds. Whatever we do in the rest of Europe is jumped upon in other states. They block sites. We can block sites. We have got terrorists. And everybody’s definition of a terrorist gets wider and wider and wider.
I have worked on anti-terrorist legislation since I worked for Amnesty International in the ’70s. One rule of history about anti-terrorist legislation, it always expands and expands and expands. You start with real bomb-throwers and you end up with people who might be sympathetic to people who might be sympathetic to relatives of bomb throwers. Russia is a good example of a European culture where there are massive dangers in this respect. Many countries face serious problems.
One of the issues we try to address in this report is how to come up with mechanisms to make sure that companies are protected, states follow the best practices, and there are mechanisms on mitigating harm.
I really am worried about relationships that are too cozy.
>> I’m pleased to hear you have the same worries I listed in my introduction.
>> SLOBODAN MARKOVIC: You mentioned this programme started in 2004.
>> PATRIK HISELIUS: 5.
>> SLOBODAN MARKOVIC: 5. What has been preventing establishment of an independent oversight by now?
>> PATRIK HISELIUS: For the first years our counterpart, Swedish authority, police did not see a need for this.
That has changed.
Now we should find together such an entity, but we have not succeeded yet.
But it would be most welcome if that could be put in place, more than most welcome.
>> SLOBODAN MARKOVIC: I’m asking this because the public-private policy was exported to all countries in which the operators are present. And in our country, for example, we don’t have such a strong civil society engagement in this particular area.
So if you have a tough time finding justification and finding the appropriate partner, it would be even tougher in Serbia to find someone to do actually, to oversee this agreement.
I think when we design public-private schemes, we should definitely address the oversight mechanisms, and actually build this mechanism which promotes trust, because it’s only one mistake or one wrong site is actually necessary to undermine the whole like good process and good programme. So just to consider this.
>> TATIANA TROPINA: Now we have got two microphones, and as far as I understand, more than four people to speak. Maybe we will collect comments.
>> Remote is waiting.
>> My name is Boos Swenson. I’m calling from Sweden. We have recent long discussion about what you can do from the public sector, from the private sector. But I would shift focus quite a bit and say, I’m an end user.
If I’m going out in the street and see something which I suspect could be a crime, my normal way to handle is to report it to police, and let them make an investigation on it.
When I’m sitting at the net and now I’m coming out on a Website or some other place where I can be, have suspicion about that this is a cyber-crime, this is not legal, this couldn’t be right, then I ask: Where should I turn? To whom should I report? And how could you make it a little simple to do that?
Couldn’t we have a little button to press, please help, and then we can send in and you could investigate it.
I mean, we could probably, with quite a less number of cyber-crime passes if you have a lot of end users also watching a little bit.
>> DENIS CORAGIC: Thank you. Other questions? You were waiting.
>> AUDIENCE MEMBER: Thank you. I’m Oksana, iNGO European Media Platform. I would like to give you an example from Ukrainian experience. You had very popular file sharing resource, which was closed this winter for copyright reasons. Ukrainian Internet users reacted to the closure of this. It was attacks on sites of media, of national security. A lot of governmental sites were closed, were down. In a year maybe this source was restored, but a lot of materials were, absolutely legal materials, educational, from universities, or private materials, were lost.
Just for your, not maybe for comments; for known.
>> DENIS CORAGIC: Your question? Excuse me, madame was first.
>> AUDIENCE MEMBER: Thank you. My name is Susie Hargreaves from the Internet Watch Foundation in the UK, which is the UK hot line for the elimination of child sexual abuse on-line. I wanted to come back on a couple of the comments that have been made.
One is that we are seeing an increasing amount of material on the Internet, so we are not seeing less. I also thought of interest you would like to know about 80 percent of what we see is free, 20 percent is commercial. So people pay for it.
We are also a self-regulatory body. So we are a partnership between the industry, ISP, mobile operators, ourselves, we are an independent charity, and the police. And we receive no government funding, but we receive lots of government support. But most importantly, I wanted to tell you that we are independently audited once a year. So we do have people check, because we do have two things that people would be aware of. One is we do have a blocking list.
We would definitely say blocking is something that would only stop inadvertent access, inadvertent stumbling, because actually the answer is notice and takedown which are effective in the UK. We have material taken down within 20 minutes in the UK. That is because we have excellent partnerships in place.
In terms of the blocking list, we are inspected. People do check what is on our URL list. We only block at URL level. We would continue to do it because we are talking about the rape and sexual torture and victimization of children. 70 percent of the children we see are under 10 and 10 percent are under 2.
>> AUDIENCE MEMBER: Hello. I represent Tele2, an ISP in Europe. From my own experience from fighting in spam and such, is that put in block in 2005, 2006. It doesn’t stop it at all. Some years ago, I was in Germany, on the German anti-spam summit. It’s cooperation about from German ISPs and ENISA, for example.
What I saw there in Germany is that they have a hot line with a third party that controls the list, as in Serbia, and it is working good there, because they are tackling the problem.
The thing that we are doing in my company does not the right thing to block it, or in Europe. I’m kind of scared that child abuse is so far behind, because the anti-spam fighting, that seems to be further ahead in development.
That’s so scary for me. Coming back to this gentleman here, is that, I mean, you should raise awareness and push a button, through self-empowerment or something like that, because it is up to you guys and we here, the user, to decide what is good or bad.
>> One more comment about self-regulation which keeps coming back. I would like to know how you reconcile the basic idea of Democratic society, human rights can only be limited on the base of law, that can be questioned in front of the constitutional tribunals with self-regulation in a very fragile area, how that, that is the main argument that society uses against any form of self-regulation, affects freedom of communication, because basically this kind of activity should never be done otherwise than on the basis of the law.
Another comment about the amount of content available out there, I remember, I haven’t read Internet Watch Foundation’s report from this year, but the previous one clearly stated that the amount of content available on the web is decreasing. That is another confusing information for me. Thank you.
>> MARCO PANCINI: On self-regulation, if I may, I agree with you. Self-regulation cannot be used for putting a stake or putting in balance between need for security, fundamental rights. It is not the right tool.
What can be used are memorandum of understanding and other major in order to force the collaboration on from the different stakeholders. But again, I think that looking forward, even these tools need to have, to include civil society in the mix and in the discussion.
>> PATRIK HISELIUS: There is a good example in which both of our companies participate together with the European Commission, kids on-line project, which addresses some of the issues that we have discussed here, such as content classification, privacy, notice and takedown, and also hot line, i.e., reporting when there is illegal material. Also I know the NGA Ekbote has an app, if you have a smart phone, you can download an app and also report child sexual abuse easily to the police.
>> DENIS CORAGIC: Questions from the remote. Or Douwe.
>> DOUWE KORFF: It ties in with the question about the same topic. I have a fundamental problem, coming from the United Kingdom, with the setup of the Internet Watch Foundation, that we seem to share, which is that it seems to say two things at the same time.
One, we don’t need to be law because it is a purely voluntary self-regulatory system. And at the same time, the government is saying, so magnificently effective that we totally cooperate with it.
You can’t have it both ways.
If it is really effective and it has support of the government, then it should be placed in a secondary basis. You cannot have a system that bypasses legal controls. Article 12 of the European Convention of Human Rights says any system based on access to information should be based on law.
If there is a self-regulatory system that can easily, which is optional, in other words, I choose for that control to be on my system, which I can also choose an alternative where I don’t have those restrictions, fine. But if the Internet Watch Foundation is as effective as it says it is with the support of the government, effectively I am barred from access to information on the basis of a decision by a private entity that is not operating on the basis of law.
That is contrary to the concept of the rule of law. I’ve got nothing against the aims. I’m not even saying they are off the mark. I can’t judge that. But I cannot as a human rights lawyer accept that the system should be based on nonlaw. That means there are no adequate remedies because you can’t go over the court against it because the courts are purely a voluntary organisation.
I think it needs to be fundamentally rethought. I hope the report from this session will reflect the consensus on the panel that systems like this should be strong, should be based on law, and should have all the remedies that are required under the European Convention of Human Rights.
I don’t think that is the case in the UK at the moment.
>> DENIS CORAGIC: Of course. Remote.
>> We are getting remote, discussing child issues, child safety, and there was quite a fuss about why is it such a big elephant. I’m just taking notes that there was a discussion. There was one comment that the Internet will never be safe, and that we should be ready to accept it.
Now we have the Armenian hub following us for some time, and thus far they don’t have a question. There is one question or two points from Belgium. One was, you already mostly addressed it about the blocking, says blocking doesn’t solve the problem, that the perpetrators can have a way to avoid blocking. But you already mostly responded to that one.
The other one, however, refers to including the small business into the dialogue and partnership about a protection on-line, and I’ll quote this time. He says: “From our experience running also an Internet ombudsman in Belgium, very often a specific group is not in the lines of discussion. I’m pointing to the hundreds and thousands of small hosting suppliers and domain name sellers that open the door for many cyber criminals. We need urgently regulation on this type of activities. Does anyone in the panel has any suggestion or idea how to tackle this?” Unquote.
>> DENIS CORAGIC: But.
>> BUT KLAASEN: Thank you very much. I recognize this problem, because when we try to contact with the Internet industry, for the big companies, actually it is no problem. They have the public image, they have enough people to think about it. For small companies it’s a huge problem, because they have to make profit on a daily basis.
They simply don’t have the time to join our discussions for all day somewhere in Europe. I recognize the problem.
One way to solve it is, because you are absolutely right, small hosting companies, there are thousands of them, and they are very very important with regard to the content on the Internet.
One way is, of course, they try to be associated in some way to create association. I know in Netherlands we have two of them. We have two association hosting providers. It would be very good if also other countries, we create these kind of associations to find time to discuss with these interesting topics.
>> TATIANA TROPINA: Any questions from the audience? If no, I would like to make a short intervention about spam and child pornography issues and then to ask a question.
Yes, in fighting spam things are moving faster than in blocking child pornography. But I believe it is because there are plenty of opponents of spam criminalisation, of criminalising the spam. And in many countries, the spam issues, blocking and filtering issues is a domain of ICT regulator or data protection agency. It is not connected to criminal law.
Maybe that is why things are moving fast, because criminal law cannot be flexible as well as criminal law enforcement cannot be flexible.
I would like to ask you or maybe someone in the audience a question. We were talking a lot about blocking child pornography, and this is totally right, because for many years child pornography was one of the main items of public-private cooperation in fighting cyber-crime.
I would like to ask you about other experiences, about mitigating botnets, for example, because as far as during the last two or three years, there is a lot of activities of the ISPs in mitigating botnets. They are considered as being a critical node for botnet mitigation.
Like for example, botnet, there is an anti-botnet project in Australia, where ICT regulator and operators are monitoring the traffic, the activity and traffic, and then they come back to the users, help to remove botnets. The same is happening in Germany.
My question is, what do you think about other areas, where possibly cooperation can happen? This is the first question.
The second question may be an opinion. As far as I understand, as Patrik told, privatization of law enforcement is totally no-go. I do agree with him.
But if we will have a look at public-private cooperation, we will see that mainly it’s happening in prevention and awareness-raising. What about investigation, from the point of view of the private industry, to which extent you would like to participate in investigation or how it shall be restricted? Only police request only memorandum of understanding. Shall there be any ongoing collaboration? Or it shall be only ad hoc based?
>> BUT KLAASEN: Would you like me to answer?
>> TATIANA TROPINA: Yes, please.
>> BUT KLAASEN: What is very important, if you are cooperating as law enforcement with private parties, the most important thing is that you not allow the private parties use the powers that you have exclusively as law enforcement.
If you keep deadlines to it, you can cooperate whatever you want. But keep your powers strict to where it belongs. That is I think the most important issue.
>> TATIANA TROPINA: You keep your power to enforce, and keep private industry as a support, like in cooperation but resort for governments –
>> BUT KLAASEN: There are many ways to help. For example, as I said in the beginning, law enforcement, with all due respect, they often do not understand how the Internet works.
You need that knowledge from the industry. Exchange of knowledge is no problem. That is a way you can help.
>> PATRIK HISELIUS: I would want to answer with the same words as my co-panelist here, that too cozy relationships between an operator and a police is not comfortable.
An operator, in most countries there is a very defined role of what an operator must do as to lawful intercept. But, of course, an operator should not do more than is defined there. I would agree with you.
>> TATIANA TROPINA: Sorry to interrupt. Why I was asking this question, because if you read the documents from international organisations like, for example, from OSC, you will see something like private and public parties are collaborating, but there is no memorandum of understanding in investigation and so on.
I was just asking because for me, really privatization here is hard, and maybe it will never happen. Maybe it shall be ad hoc only. That is why I’m asking.
>> BUT KLAASEN: But privatization is something else, that private collaboration. That is a distinction to make.
>> DENIS CORAGIC: I have one question that strikes me from the very start. It’s about criterias. When we are setting criterias for public-private partnership, we know who we will probably invite from the part of the government, law enforcement agency, people from justice or from another state or organisation, and of course from the private side we will invite the most prominent corporations, ISPs and everyone. And what do you think? And I would like to hear opinion from every of them.
Who is the best possible representer of the very usual user, NGO, or political party, or youth and youth advocates? Who in short, probably. Douwe.
>> DOUWE KORFF: Civil society should definitely be involved, especially since these days you have many groups that are very knowledgeable, technically knowledgeable as well. I think it is important to draw that. I think Parliament is very important. You haven’t mentioned them.
I think there should be strict Parliamentary control. When it comes to taking this issues that are essentially judicial, you need to involve the judges as well. Only judges can ultimately decide what is legal and what is not legal.
You need oversight, committees, IM; I’m hesitant with all the commissioners, they tend to be captured by whoever they are regulating. They tend to be appointed for being not too difficult to the government that appoints them.
But there are also some very good examples of good active regulators that do scrutinize. But I’m a bit hesitant, because I’ve seen too many poodles instead of watch dogs. But you need a wide number of stakeholders. But I totally agree with the panelist at the other end. You need to keep the lines straight.
Private police should not become law enforcers, and law enforcers should not try to rope in private entities to do their work for them and hide behind them to avoid legal scrutiny.
Bring in lots of people, but keep them all separate.
>> DENIS CORAGIC: Slobodan, we are coming from the same country, which is not really relevant for keeping the lines straight. I would like to hear your opinion.
>> SLOBODAN MARKOVIC: The whole point of public debate is expose a wide number of opinions and assist the lawmakers and executive government which has the authority to make decisions in the end, and to balance different opinions.
I think that further and bigger wider use of social media by the government, and for the purpose of consulting with the widest possible audience is also, I think, should not be forgotten, especially today. I mean, it’s 2012. We are all on the Internet.
And also, let’s not forget about the media, and the media is also an important factor in raising awareness and educating people about these issues. This is from my – I mean, apart from the usual suspects, I think that we should really seek to open the floor to the widest possible audience.
>> DENIS CORAGIC: Of course. Christoffer.
>> CHRISTOFFER KARSBERG: I think it’s a very good question. The user perspective is always, it’s often missed in these perspectives. But I really agree. To have transparency in the processes, to have public consultations, to let anyone give feed on processes and draft positions and so on, that’s good.
>> DENIS CORAGIC: Marco.
>> MARCO PANCINI: Again, I repeat myself. But transparency for us is so important that we are expanding also this practice to other areas, for example, copyright, where we believe that the issue of self-regulation and private exercise is a risk, actually a risk. So it should be across all the right policy. Transparency is involving user in the end. I think looking forward we should involve the user, as was said before, also in the context of the memorandum of understanding, as consulting. We need to see the way of representation of user. Because again, you said clearly, there are most stakeholders that need to be represented in these user or civil society group. So they are all open question, but this is the direction.
>> DENIS CORAGIC: But, from your experience.
>> BUT KLAASEN: That is an excellent question, because we have such a diverse community, it is difficult to find the right mix of representatives.
But if you are talking about a kind of formal body, I think I agree with Douwe; Parliament, EU Parliament might be the best one.
If you are asking about which is the best mix of people and the best multistakeholder environment, I think the answer is the audience of the EuroDIG conference.
>> DENIS CORAGIC: Thank you very much for your compliment.
>> PATRIK HISELIUS: Giving my end punch line here, but it is a very good question, and often a problem to get consumer involvement, sufficient consumer end user involvement in discussions. I have very practical experience.
I was involved in multistakeholder dialogue on illegal file sharing in the Swedish context, and the consumers were there around the table, which was very helpful. Then we have the same industry dialogue on the European level, without consumer participation, which was very much lacking around the table.
So again I would agree with you. Good context is EuroDIG and the IGF to have consumer end user representatives. But also for public funding of such as UK, the consumer focus, consumer – what is it called? The consumer board in the UK, and BEUC, in Europe, and also the Swedish consumer organisations are good to have on board.
>> BUT KLAASEN: I would like to add one more thing. Besides we have fantastic EuroDIG audience, we also need besides that somebody to decide, and I come back to the question that Rudi asked remotely, who is responsible? Somewhere, besides all this, we need some thing to decide upon.
>> But not the ITU.
>> One question from the audience.
>> AUDIENCE MEMBER: Hi. My name is Martin Miller. I am from the Swedish DFRI. I have a question about what Patrik was talking about before, regarding operators becoming too comfy with the state essentially. In the U.S. they had something called the national security letters. I wonder how are we as a society supposed to handle these things? Do you have any opinion?
>> Can you repeat the question?
>> TATIANA TROPINA: Could you please repeat it but more loud? Because it was really –
>> AUDIENCE MEMBER: My question is regarding the national security letters that have been sent out in huge numbers in the U.S., secret orders to users who nobody is allowed to speak about, not even to your wife or husband. How do we handle something similar in Europe, as a society? How would you approach that kind of secrecy?
>> For clarification are you talking about the gagging orders?
>> DOUWE KORFF: Combined with the gagging order meaning the data subjects aren’t aware of the fact their data have been dispersed to the U.S.
>> AUDIENCE MEMBER: Exactly, and they have no way to recourse.
>> DOUWE KORFF: As you know, there is been a huge outcry about both the early swift and PMR data disclosures under that. The act, that is actually more dangerous than the Patriot Act, is the FISAH act, section 188A. This allows the U.S. authorities to grab absolutely everything that is in the cloud.
There is going to be a massive battle between the Europeans and the Americans over this kind of surreptitious access to data, for that matter people from anywhere in the world. It is going to be a massive problem. The Americans retaliated by issuing a paper that is actually not very good – I’m trying to prepare a response to it – saying that the Europeans are just as bad, and there are lots of rules in Europe that allow disclosure of personal data to national security agencies as well.
So we are getting into one of the topics covered by the report, that unfortunately hasn’t had much time to be presented here. So please, please do look the GI report up later. Disclosure of personal data to national security agencies and to police agencies is a massive problem. The secrecy that surrounds it is problematic.
In Europe, we do have the European Convention of Human Rights to fall back on. There are some pretty decent decisions in the cases in Strasbourg about the kind of control mechanisms that should be in place. Probably the best case to look at is the Veba and Safolia case against Germany and Liberty case against the United Kingdom.
Viba unfortunately was an inadmissibilities decision, but the court went into quite a lot of details of the supervisory mechanisms that exist in Germany about data disclosures.
Then when Liberty brought a case against the UK, the court effectively said you should have systems like the German ones in place that are decent, and the ones that you have in place in the UK are not decent. And therefore, there is a violation of article 8. But I’m sorry. This is not the time to go into further detail about it.
Some aspects of it are touched upon in our report, although that is more on a global than a European scale. That is another one of the problems of this panel, same problem with the panel I moderated yesterday. Everybody in this building are very centered on the European problems. And we haven’t focused as much as perhaps we might have done with the global implications of all these issues.
>> PATRIK HISELIUS: There is a Swedish law, actually, the FRA law, which TeliaSonea and the rest of the industry heavily lobbied against before it went through Parliament. But as it has gone through Parliament, we and all the other operators need to adhere to the law.
It actually gives this defense authority access 724 to all traffic which passes the Swedish border.
Now, in the Swedish case, there happens to be, you know, Parliamentic and rule of law control behind, because there is a specific court and oversight committee. But from the operator point of view, we don’t know what happens on the other side.
So we are obliged by the law to give access to all, all traffic. Then we don’t know what happens. We know there is this Democratic control. But how it works, we don’t know. So even in Sweden there is such a law.
>> DENIS CORAGIC: Regarding Democratic control, it is not so Democratic to say that we are over and that I will have to stop the session. But I have to thank you for your attention. We are over. I thank you to the speakers and to the excellent audience which was pretty much active today. Thank you very much.
>> TATIANA TROPINA: Thank you very much.