I had the opportunity to speak for BCS on two panels at EuroDIG on aspects of data protection and privacy - one related to identity and payments and the other to big data analytics and the internet of things.
European Digital Single Market initiative
The proposed European Digital Single Market is a very ambitious set of proposals intended to be implemented in an (unrealistically) ambitious timescale by 2016. A European Commission spokesman estimated that full implementation of the Digital Single Market would lift EU GDP by 15 billion euros. It was claimed that EU regulations (such as the roaming regulation) had already reduced cross-border communications costs significantly.
An important element of the Digital Single Market proposals that came out at the conference is that there is an Annex that states the EU will look at Consumer Protection Legislation in 2016 as the primary means of redress for EU consumers who are cheated in cross-border commercial transactions. This is an area that the BCS IAWG has been recommending be considered for this purpose. The BCS is inputting to this topic through its membership of the Digital Policy Alliance (DPA).
There was concern from some quarters that copyright protection was the main driver of the Digital Single Market, but it was claimed that national copyright should not restrict cross-border trade. There was also concern that the EU was not doing enough to promote the introduction of IPv6 (a criticism also levelled at the UK government, especially in the context of the IoT).
One in three internet users in the UK are under the age of 18 and the UK delegation emphasised the importance of protecting them. The EU ‘Better Internet for Kids Programme’ was held up as a good example of the EU providing a safer internet and tackling some aspects of cybersecurity related to children.
Building on NETmundial
All 47 members of the Council of Europe (except Russia) agreed to take the NETmundial principles forward as the single set of principles for internet governance and to use these as the basis of the global Internet Governance Initiative. This is in accordance with the calls over the last three years at the UN IGF (which is the long term forum - NETmundial was a one-off conference) to agree a global set of principles and is a major step forward for internet governance.
There was some concern among child protection specialists that child protection and disability are not specifically covered in the NETmundial principles. Those who had been at the meeting explained that this was because the principles were agreed by consensus and no one at NETmundial had raised these issues for inclusion in the principles.
The European Commission has set up the Global Internet Policy Observatory to help implement the NETmundial principles. UNESCO also has a related universal declaration of human rights both online and offline.
EuroDIG produced a draft net neutrality statement to take forward to the UN IGF. There was a strong attempt to force the delegates to endorse this, which was rejected. BCS members who wish to input on net neutrality should make comments on this draft statement. There seemed to be considerable confusion in the discussions on net neutrality between: network traffic management; throttling relating to unfair competition / assaults on freedom of speech / deep package inspection / zero pricing and other commercial cost grounds; and blocking (be it spam and illegal content or for other reasons).
Cross-border internet law
There was an update on progress with the Internet and Jurisdiction Project.
Article 10 of the Human Rights Act refers to freedom of expression and has been interpreted by the European Court of Justice to cover both content and the means of transmission across borders within the 47 countries signed up to the Council of Europe.
In 2011 the Council of Europe recommended that the universal integrity and openness of the internet should be sacrosanct and that this required protection of the infrastructure by all member states and mutual assistance to prevent cyberattacks. However, there is a fundamental problem in that crime is under national government control, whereas the internet is global.
The internet is not under the control of any sovereign state, and governance (only at a principles level - see above) is a multi-stakeholder conversation. A major problem arising from this is that what is legal content or activity in one country may be illegal in another. This makes it very hard for everyone, especially small players, to deal with cross border legality.
This has become particularly complex in cases of slander and libel. You can have a contract with a subsidiary of a US company in one European country and have legal proceedings brought against you for making rude remarks about a restaurant in another European country and it is totally unclear who’s jurisdiction you come under. There are similar problems around all aspects of defamation on social media.
While the NETmundial principles now exist, there is no certainty in law across jurisdictions. It was suggested that the next step needed to be legal certainty at an operational level. This could start with uniform standards, procedures and timescales. It was also important to distinguish between illegal content (such as child sexual exploitation) and content used unlawfully (e.g. copyright and intellectual property).
Intermediary liability (the Manila Principles) is a key consideration. The Manila Principles say that intermediaries should not be held liable for third party content. However, it was agreed that platforms and services can legally have their own rules for notice procedures and take down (e.g. for hate material and bullying, which may not be illegal).
Clarity and transparency is also needed in the area of legal remedies. The Council of Europe includes a fundamental right to remedy, but this is very hard to enforce.
The trans-Atlantic trade and investment partnership (TTIP) was also discussed. At present this does not include trans-Atlantic harmonisation between the USA and Europe on data protection and consumer protection. The differing rights cannot be enforced when the consumer and seller are in different countries. It is unclear when matters escalate, which courts are competent to deal with the issues. This should be discussed in TTIP.
ICANN and the IANA stewardship transition
A detailed update was given by officials involved in the IANA stewardship transition. This is the change in the internet numbering and naming regime from oversight by one government (USA) to oversight by all.
In simple terms, on a technical level there was agreement that what was done now worked well and little needed changing other than the oversight. The numbers aspects of transition have been agreed with minor changes and this is currently out for public comment until August.
The names part of the IANA transition is both more complex and in some areas contentious. It is still being completed and a re-written proposal following incorporation of the comments on the December 2014 draft proposal should be published in August. After the naming proposal is published there will need to be checks that the new naming and numbering regimes will work together.
The risks of completing this by the end of the year are political rather than technical. It is essential that this transition is completed before WSIS plus 10 (World Summit on Internet Systems ten years on) at the end of the year. This is a political prerequisite for UN agreement to continue the UN IGF (as the Western nations want) and not place internet governance under the ITU (as some other nations such as Russia and China want).
Cybersecurity
It was widely agreed that cybersecurity is a key element in sustaining a sound IT society (including privacy and freedom of expression - see below). It was acknowledged that states are now developing military cyber capabilities (a fact that was emphasised by the Under Secretary at the Ministry for Foreign Affairs from Estonia and debated robustly with Russian officials) and that cybercrime, which is frequently trans-national, is growing.
A recent McKinsey Report and data from the world economic forum was quoted saying that annual losses to cybercrime amount to $3trillion, representing 15-20 per cent of the value of all IT commerce.
The response to this was to say that a comprehensive and systematic approach was required from states to make dramatic changes to protect the economic environment and critical national infrastructure through public-private partnerships and to invest in public awareness and eskills. This very much follows the UK cybersecurity strategy which was considered to be a leading exemplar of what is required. This has led to the UK-inspired Budapest Convention on cybercrime, which was strongly backed by must delegates.
However, many delegates thought the timescales for a new convention were so long as to be irrelevant and that it was best to decide what could be achieved using existing conventions and international law. The Estonian Minister said that the Russian attack in 2007 had been a wake-up call for them. They had agreed that protecting the critical national infrastructure was essential. Their view was that it should be an agreed political norm that states should protect their critical national infrastructure and not attack the infrastructure of other states. This included the financial infrastructure, which is the backbone of economies. There needed to be better cooperation between CERTS to resolve incidents.
The OECD Convention on Cybercrime Law and the NATO cybercrime exercises were also seen as very positive. However, it was considered that the UN needs to agree to new norms in existing treaties for operating in cyberspace as a matter of urgency. The key is to establish how existing laws apply in cyberspace rather than starting with a clean sheet of paper.
The issues concerning cybercrime that were discussed included:
- Child protection;
- National security and respect for sovereignty, through establishing norms of security service behaviour over the internet that enables defence from cyber-attacks;
- How electronic identity can improve cybersecurity;
- Payments, especially in unconventional currencies (such as Bitcoin) and digital wallets over the internet from mobile devices;
- Cyber-bullying and cyber stalking;
- The place and role of user responsibility for internet safety;
- Tipping points for investment in cybersecurity;
- Perceptions of cybersecurity risks;
- The assurance of security of software.
A critical problem was seen to be that the percentage of cases of cybercrime that are investigated is tiny, so the chance of justice for victims is negligible and deterrence of criminals minimal. There was seen to be a critical need for more mutual legal assistance treaties (MLATS) that are effectively acted on. A start would be for cybercrime to be defined in law in all countries as a criminal offence. Everyone has to contribute to internet hygiene through best common practices, best operator practices and educating their citizens.
Data protection, privacy and the IoT
EuroDIG was greatly concerned about freedom of expression, journalistic freedom and privacy. There was great support for the response to concerns about privacy and surveillance in the UN through the adoption of resolution 68/167 as a result of which the General Assembly requested the High Commissioner for Human Rights to prepare a report on the right to privacy in the digital age.
It is to examine, in the words of the resolution: ‘the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.’ The report was presented to the Human Rights Council at its twenty-seventh session (September 2014) and to the General Assembly at its sixty-ninth session - ‘The Right to Privacy in the Digital Age’.
Notwithstanding this, the Freedom House annual report of Freedom in the World 2015 stated that freedom on the internet had declined in all of the last four years. ‘Restrictions on internet freedom have long been less severe than those imposed on traditional media, but the gap is closing as governments crack down on online activity. Censorship and surveillance, repressive new laws, criminal penalties, and arrests of users have been on the rise in numerous settings.’ Internet trolling (where people are paid to spread propaganda or hate speech) is also a growing new phenomenon.
There was a lot of discussion about the new EU regulations on data protection, e-signatures and e-Trust, with all the well-rehearsed concerns that have been expressed by BCS and others in the UK in their responses to consultations. There was also discussion about interpretations of legislation in this area by the courts. In particular, it was agreed that the so-called ‘right to be forgotten’ amounted to a right to be de-indexed and was widely misunderstood. There was also concern about the ‘Who Is Programme’, as many people do not want to publicise their mobile numbers and consider this to be a privacy issue.
GPS and privacy
GPS and tracking was widely considered a key privacy issue. Is GPS a friend or an enemy in your pocket? The major concerns were around tracking related to insurance and advertising.
It was accepted that such things as tracking in a city centre could help to reduce traffic congestion and speed up the flow of traffic, and that tracking in disasters was enormously beneficial to speedy evacuation and in determining where assistance was required. However, there is no excuse for failing to anonymise the data or retaining data once a disaster is over.
The solution here was felt to be simplicity and transparency. All parties collecting or sharing data should say what they are doing up front using clear statements such as: no data retained, data shared or metadata shared.
The consensus appeared to be that individuals and consumers must be able to be private in their own environment and be able to choose how to engage online both with governments and commercial organisations. It was agreed that privacy policies were much too complicated and legalistic and most people failed to read them.
IoT now reaches people as individuals and in their homes through smart phones, smart TV and other smart appliances, smart metres, smart cars and most importantly medical monitoring. All of these interconnections have privacy impacts.
Conclusions and recommendations
2015 is going to be an important year for internet governance. After the successful adoption of the NETmundial principles, it will be essential to ensure that the UNIGF continues as a multi-stakeholder environment to continue responsibility for the governance of the internet and this activity is not taken over by the ITU.
A critical element to ensure this will be an agreed IANA governance transition, from the USA to the multi-stakeholder community, for internet names and numbers. This appears to be possible, but the timetable is tight. WSIS plus 10 in December will be a key meeting.
It takes many to run the internet and many to ensure that it remains open. BCS supports the UK government stance on this.
In Europe the adoption of the Digital Single Market is the most important activity. Given its scope, 2016 completion seems unrealistic. It will be important for BCS to comment on plans within it for EU wide consumer protection legislation associated with the ability to get redress for problems associated with cross-border internet commerce. It will also be important for BCS to comment on the new EU data protection regulation when it appears in its revised form after extensive comment.
As far as the main focus of BCS activity with EuroDIG (on identity, payments and privacy) is concerned, the desire to establish new norms is growing. The four topics related to identity and the security of online payments that BCS presented were well received. They were concerned with the boundaries and tensions between individual financial privacy concerns, societal concerns and governmental obligations.
It was agreed that we need trust for online payments whether they are commercial or peer to peer. We do not want people to go to false websites where criminals are intending to defraud them or sell to individuals who are unable to pay for goods. Trust online is well established in Europe and the Western world in bank transactions and when using credit cards, where regulated financial institutions have to ‘Know Your Customer’ i.e. be assured of their customers’ identities.
In addition the following points were debated:
- Do we always need assured identities rather than anonymity for online payments? The BCS view here is that the answer must generally be yes, we need assured identities for payments. However, BCS do accept that in some cases both buyers and sellers may simply want to know if the buyer meets certain criteria (most notably for the seller an age range to buy alcohol, tobacco, pornography etc.). So the seller may only need to know whether the buyer is older or younger than a specific age. The buyer may also not want people to know they have bought the goods - such as an adult buying legal pornography. Younger ages also need to be verified ensure only children are accessing such places as children’s chatrooms, and there are no adults seeking to groom them.
- An example of this attribute verification in the UK at the moment is the DPA work on age verification (which BCS are contributing to) where a BSI PAS is being developed, in preparation for possible legislation to restrict children from accessing adult content as part of the battle to improve child online safety.
- This impacts anonymity in online payments.
- How can security be ensured for people who are increasingly going online from mobile devices, often using unconventional unregulated payment methods, like digital purses? There are no standards for mobile access payment services and the supply chain can be very complex, including apps with little or no security and varied security elements in mobile devices. It is impossible for the user to know where liability lies. BCS is preparing a position paper on this topic.
- The importance of liability models for payments being internationally recognised so consumers can get redress if things go wrong. There is a great need here to improve consumer protection and make sure buyers and sellers understand their liabilities and how to get redress if things go wrong. The EU digital single market legislation may address this.
- Some answers may be found through new open standards for identity and payments online. BCS is involved in the work on international identity and payment standards with the world wide web consortium (W3C) that started over a year ago. We urge those interested to get involved in drawing up the requirements specification and developing open royalty free standards for international use.