Internet Governance Forum 2016
Enabling Inclusive and Sustainable Growth
Guadalajara, Mexico
08 December 2016, 0900 CST
Session Number 111: Empowering and Educating the Next Billions of Internet Users

>> Good morning, everyone. Anyone who wants to join us at the table, this is workshop 111, Empowering and Educating the Next Billions of Internet Users as it specifically relates to cyber and digital citizens, so just make sure you're in the place you want to be. So we were discussing this as a group that is in charge of the dialogue that we had kind of a plan A and plan B. Part of that was, if we had people who wanted to go into breakout groups we could do short breakout groups on specific topics which I can name through. Or if we want to do this as a round table dialogue. I'll do a quick show of hands. Who wants to do a 15-minute breakout group on topic? No one! Okay. I guess we are going to stay at the table.
Great. So I am Shane Tews with Logan Circle Strategies, visiting Fellow at the American enterprise union and worked with digital citizens, looking at how we manage cyber issues on the level of how the individual user has to deal with the challenges, which means we need to look at it from a network perspective as a group, people who are users and your own individual responsibility. I am going to introduce my other colleagues in this discussion, but I want to encourage everyone to participate in today's dialogue. So directly across from me is Alexa Raad. She has her own company and has a patent on pattern mapping and how we actually use the Internet and how we can possibly use the Internet more securely. She will talk about that a bit. The key issues she will discuss with us today is the expectation and the management of privacy and how we do that with our digital mediums. Directly across from me, Scott McCormick. I like to refer to him as a threat hunter. He does incident response and work for major enterprises on how we manage the challenges of network. James Edwards is on the other side of Scott. He is with InternetNZ and is going to be focusing on trust and the potential for market failure when we use trust as a medium for security on using the Internet. Anybody else want to introduce themselves into this discussion?

(There is no response.)

>> SHANE TEWS: Okay. Alexa, why don't we start with you.

>> ALEXA RAAD: Can you hear me now? All right. So we talked a little bit the other night about the issue of privacy and expectations. And one of the things that I mentioned was that it is first important to define what we mean by privacy. In other words, if I were to tell you, if I put numbers out there, 1123 1966 104, 0322. It wouldn't mean anything per se.
However, if you knew that one of them was my birthday, the other one was maybe an expiration date of a credit card and the last one was the last four digits of my credit card, in context that starts to mean something. So privacy in and of itself, the fact that you have digital footprints out there, it's a matter of life. We live in a digital world, unless you are living off the grid. You will always leave breadcrumbs. The issue is, what information about you is out there? Do you know about it? How is that information going to be used in context and do you have any control over say so? Do you know enough and have control or say so over the information? There is certain information that is out there about me. And it is private, but it is private for me and I appreciate that because I, for example, being able to serve me the kind of news that I want to hear. It's pattern matching about my behavior. But it is actually helpful for me. I don't necessarily want information about the kinds of products that I may buy or my political views out on the Internet, particularly if I'm a dissident. Again it is about information, what is out there. But in context, and you being aware and knowing how that information -- having control over how that information is used.

>> SHANE TEWS: Thank you. That's a very interesting context. Why don't we run through the two other speakers and then we will talk about this and kind of break it into its part. Scott, talking about threat hunting and some of the information that Alexa said, that we have information out there in the system. I know that we have seen a lot more phishing attacks. It has become a very inexpensive medium to make revenue on the Internet, and the challenges that we have with cyber. Talk about that and anything that you suggest we look at from a macro perspective.

>> Scott: You have phishing attacks that have been going on for years now, but at the end of the day you also have -- is it back here?
You also have whaling attacks, going after your C suite executives and being able to map that privacy information that is out there and available about people.

>> SHANE TEWS: Can you describe a whaling attack?

>> Scott: That's more specific, phishing attacks designed to go after, hence CEO, a CSO, a CTO of a company. You end up with somebody that has maybe a vast fortune that they are trying to go after. There's all sorts of reasons why people go after phishing attacks to target an individual. It is an easy way. We design systems to help prevent that. There are ways, it's a lot of end user education. I can tell you CE levels are not the easiest to educate on this. It should be a top priority. But when you look at whether it's shopping or whether it's new technologies coming out, being able to track individuals by use of smart devices, things like that. There's a lot of issues wrapped around that. Then you get into what threats and risks that is to a company or an entity, whether it's an NGO or whether it's a Fortune 500 company.

>> SHANE TEWS: James? Trust and market failure. What do you have to discuss with us and recommend?

>> James: I'm going to break the pattern. I'm not going to talk with my back to everyone in the room.

(Laughter.)

>> James: Hi, I'm from New Zealand and I'll wave the mic at people to come after me as well. There's market failure here. People are excited about the Internet of Things and the potential for ubiquitous connections, your wallet, your car, your glasses. One of the interesting features of this, these devices are made quite cheaply. You can go in a shop and pick up something for under $50 or so. As a manufacturer you might be excited about the opportunity of selling those things. But there is a set of issues that come about when those devices get on the Internet. They are designed to be attractive and marketable and not necessarily to be secure. They have a default password. Maybe they have no option for changing the password.
Maybe they have no facility for updating the software and it is good practice in any system, particularly one on the Internet, to update the software so you can find and address vulnerabilities over time. We are seeing hundreds of thousands, millions of these devices going out. We expect more than one purpose on the Internet at some point and they are vulnerable to being taken over with the default passwords. This is a large part of what is fueling the botnet attacks, the DDoSing among others. Brian Krebs, security researchers. There is market failure. The buyers and makers of the devices don't care about the negative flow and effect for security risk. My organisation has just done a round table on the Internet of Things. And who owns the data? There's copyright licensing and privacy issue. It's great as Alexa said to be able to put together the data in a way that is useful for you and isolated it might be harmless, but the permission structure of who controls, who can access, and who owns that data is important to benefiting the users. It is not clear that the market structures are serving that purpose either.

>> SHANE TEWS: You mentioned when we were prepping for this yesterday the potential for using geo location as a way to bring in a barrier on IoT devices. You want to elaborate? That's really interesting.

>> James: The devices themselves often made cheaply, the minimum thing that does the job. And so we shouldn't trust those devices made in that way to have the same kind of security infrastructure you have around the top end smartphone from a reputable manufacturer. So how do you manage that? Well, if you've got a smart thermostat -- this is not an original idea. It's something written in a blog post. The thermostat needs to be able to talk within your home network. It doesn't have to talk to someone in Istanbul if that's not where you live. You can limit the permission structure to geo location. You can do it in terms of network addressing.
So your router might have a two-track mode where there's devices you trust because they have the security infrastructure to go on to the open Internet. To go on the open seas. Some boats you run about and don't take them out of harbor and some do have the capacity to go on the open seas. The same engineering concerns apply to devices, especially those made as cheap as possible. Shane, signal me if you want me to --

>> SHANE TEWS: Has anyone in the room had problems with the IoT device they purchased and used in their own home, office, their own life? So you haven't had the password user issue? Scott, have you?

>> Scott: No, but most users would not even know they have an issue. You trust that device. You know, for instance, I run Nest in my own house. I have Nest thermostats and Nest fire detectors. So I myself monitor that traffic. I've got infrastructure in my house to do that. The normal user does not. So you wouldn't know that. Yeah, you might get locked out of your device. You call and have it reset. Other than that, nobody is going to know their thermostat has been in a denial of service attack.

>> SHANE TEWS: It is acting bad -- my Nest disconnected when they upgraded the firmware. I made a conscious decision to let it be disconnected. You know, it would be cool I would be at the airport and turn my air conditioning on or off. That's okay, I can be cool when I get to my home. Anybody else? Great.

>> Hi, from the Web Foundation. I wonder if we're putting the cart before the horse. All these mobile devices as it were, how secure are they? By the time the next billion are graduating to the IoTs, we can have a frame of reference around, did we secure the mobile devices or did we lead to an insecure web? How can we contextualize that with the devices in the next phase?

>> SHANE TEWS: The trust starts right here. You assume trust with this, yeah. Any thoughts on that? To make sure -- Alexa, you can probably elaborate on this.
How much does the phone know about you and how can we use that for good besides potential challenge?

>> ALEXA RAAD: One of the scary things, obviously we are much more reliant on our mobile devices, more so than ever. However, it is amazing how much information is actually distributed from this mobile phone or this mobile device about us, about our patterns and behaviors, even what apps we use. If you think about the context of big data and the kind of pattern matching that can be done, it becomes really scary. A lot of the time what you actually put in and what you see on the other end, consumers have no idea what is actually being broadcast about them.

>> SHANE TEWS: Can you give us an example?

>> ALEXA RAAD: Let's say that there was about a two or three years ago not really publicized, but one of the mobile banking apps, when you actually put in your password, it had one of those gotchas. For a while that gotcha didn't work. One of the mobile apps was effectively putting your password out there. They caught it in time and it didn't make it to the news outlets. However, for a number of people your user ID, your mobile password, particularly if you were in open wifi here. It would be easy for somebody to eavesdrop, take that, if they were perfectly situated and be able to commit identity fraud. Take your information and once you have, for example, somebody's banking ID and you can get into the banking account, there's lots of information that you can now take from them. By the time you know about it, it is a couple of hours at best. So these are the kinds of things -- in fact, even Verisign did a study two years ago on CircleID where they talked about how much information is actually sent out from mobile devices that can be seen, that consumers have no idea, in fact don't have the education to know, aren't aware.
>> SHANE TEWS: When the device wants access to my camera, all my contacts, at what point do you think I'm beyond the -- I understand a lot of that is to make the actual app do what it wants to do. So I need it to have some of that information. Is there a way to cabin that off? Is it all or nothing?

>> ALEXA RAAD: Part of the problem is, a lot of the privacy notices or privacy policies of things, we don't necessarily -- I don't necessarily go and review. So yes, it is very, very easy, it is -- if the device has access to my camera, if the device has access to my mic, if the device has access to other apps in there, but I don't necessarily know what the privacy policies are. It does make it convenient for me but I don't know what they are doing with it. If you remember it was a surprise for many people when they realised, we were talking about this the other day, that Facebook gets your photos and that they own it. This came as a surprise -- Facebook is a much beloved app. People use it all the time and they think they're familiar with it. They had no idea that their pictures were not their own property.

>> To caveat that, Uber updated their app. One of the things, I went through the terms of service and up pops a warning saying Uber wants to know your location for five minutes before and after a ride. How does it know that I want a ride? So because I pull up the app, when does it start monitoring me? There's questions and legalities around the privacy of that. Now when you go on iOS, I haven't looked at Android, it's an always on function or off function. Now you run into the security getting trumped by convenience. Everybody wants to use the app. And wants to be able to have that added benefit of machine learning and AI that Uber is using to be able to use their app better. So do you turn it off or on? Nobody understands the privacy rights behind that.

>> AUDIENCE: I'm going to use the hand-held one.
I think the idea is, anyone who wants to stick your hand up, a mic will get to you. Do you want to comment, Jim?

>> JIM PRENDERGAST: I'm the remote moderator. We have folks in the online room, in case they are not staring at the chat function, if you want to participate online you can enter your question into the chat or if your microphone is enabled on your connection, we can allow you to ask it via the audio system in here. I'll ask my own question since I do have the mic. Bringing it back, I know Scott, your Uber example is beneficial I think to a lot of people at this conference who might be Ubering. But the next billions are not starting at that point. They are starting at a point much further back. Their concerns are not about IoT attacks. That's the point you were trying to make is, for most people in developing world, this is their computer. This is their connection to the Internet, this is their bank, this is their lifeline. So from a social standpoint, not necessarily a hardware standpoint, what are some of the things that people need to be looking for, aware of, and potentially educated about so that as they go about the normal course of their day interacting on their phones primarily they don't become susceptible or victims to some of the things that Scott described?

>> SHANE TEWS: Anybody want to enjoin that?

>> ALEXA RAAD: If you have an iPhone device, look at the location setting. Go to settings and look at the location monitoring. See how many apps actually give you only two options, which is always on or not. Really, what they should be doing is giving you an option to monitor your location at least when you are using the app, right?

>> SHANE TEWS: You're saying authorize for a specific purpose rather than blanket?

>> ALEXA RAAD: Why monitor me at all times and my location, where I'm going when I'm not using the app. The app is simply installed. A lot of times when you set something up, this is for the user. You need to pay attention.
You continually press yes, yes, yes, actually read the text to see what you are saying yes to. It may be harder for you to go back and fix that later.

>> AUDIENCE: (Speaker away from microphone.) How do we change that?

>> AUDIENCE: Not using the microphone. How do you change that? You know, you're nodding your head. What stops you or prevents you from actually reading those disclaimers? Is it because they are too long? Written by lawyers? You just want to get to what you downloaded and start using it?

>> I'm from Bhutan. I was also thinking when you were talking about the privacy policies and all things, when you download an app or even when you register to a wifi, you have the privacy policies and all that's correct terms and conditions that you have to agree to before you sign in. Most of the time, including myself actually, you just click agree without even reading it. I think, I don't know what is the problem actually. I haven't figured it in my own self actually. Just maybe it is lengthy or just because you need the app? You just, you know, click the agree button and that's it. You don't actually know what is there. The terms and conditions you don't even understand. So you are asking, how do we change that?

>> SHANE TEWS: This is something that lawyers will hate me for, but is there a possibility of doing kind of a gradation where I approve some things but I need a second tier level -- you see where I'm going on that? Can I turn things on and off? Sometimes these apps are using background data to help me with the service and sometimes they just feel invasive.

>> I am trained as a lawyer. A lot of the issues that have come up at the IGF are about, you recognize the values that are at stake. As Alexa said, you want to make the information available because it's useful. Not all the information all the time (James?) The default is to collect too much. It is not proportional to the value of use you get. So how do you make these systems worthy of trust?
The UX for that is terrible. The UX is set up assuming that by default you want to share everything, and you have to, for each thing that you want to limit, you have to go and deliberately make a choice to opt out of that being tracked and your information being collected and stored where it can be used for a range of purposes, some of them good for you and some of them not. In so many debates, which is the default and where do you start? You can imagine it being the other way around. What would the UX look like where you empower the user to say: I want to achieve thus, and that's why I have the app or device. And it gets the set of permissions that go with what I want, rather than what the provider of the app or platform wants me to give.

>> SHANE TEWS: I want to bring you into this conversation. Part of this is, IGF is about identifying challenges and issues for the macro and the micro. We see we have a potential user challenge here and you have tried to work this out from a global policy perspective. Is there, give me some kind of thoughts on what you looked at when you were looking at how do we do some norms around this? Because we have things -- when my device goes from here, from the United States to Mexico or somewhere else, do my rights change on that? Have I signed it away depending on what country it is? I realise I changed topics on you.

>> I'm going to pick the user who doesn't read the terms. The reasons I don't, I want the benefit of the service and I know that it doesn't really matter what I think. Like if there was some way where we could give feedback, clearly like I want it to be like that, then I would read it and I would annotate and do something. But I think it's this feeling of powerlessness that I really need or want the service and there is nothing I can do about it. So I might as well hit accept. I think that if there is a way to integrate feedback, whether it is in whatever country we are in, that would be really helpful.
The other challenge as we work internationally is language. Sometimes the terms and services are not translated into local languages. What is the point in reading 20 hard to understand English pages that are for an English native speaker when you are speaking a different language? That's hard. So ways to figure out how to translate very nuanced information in terms and references. And having kind of an agreed-upon terms because I think as someone who came from policy and not from tech, I didn't always understand what people were actually asking about in the terms of reference or anything around tech. So I think having common language would be really helpful for normal people who aren't doing tech stuff every day.

>> SHANE TEWS: I'm thinking wiggle emojis. Happy faces. Scott, you mentioned AI as something becoming more prevalent in this space. Taking this to the positive side of the ledger, part of what these apps are looking at are reputational based and predictive. They are trying to help us by -- Alexa, you mentioned in the case of banking. Am I somebody who trasms quite a bit? Is it normal for me to be in a space that has an app that has monetization? How can we help the user use these apps and be more protected?

>> Scott: We tend to throw out a term AI all the time. Watson is close to true AI, but it is not very common. Whether it's Amazon or Uber or any of the large companies, Microsoft, LinkedIn, you name the service. They are using machine learning. They are taking this in and saying -- years ago I helped develop a technology that said hey, if one of my system admins is supposed to be in the office at 3:00 o'clock in the morning and he's trying to log in, and we see that, put him into a honey pot and see what he's doing. Make him look like he's on an actual system. So that is machine learning, though. That is sitting there and setting the business rules to then learn and know when somebody is supposed to be in the office or supposed to be in a location.
So from an end user standpoint, banking, right? I've asked plenty of banks around the world about this. I have an app with a phone. It knows where I'm at. If I'm logging in from India and I'm in the U.S.? Why is the -- or Nigeria or any other country, right? Why am I being allowed to log in from that location? Granted geo location issues with IPv6 network, if you're on IPv6, location doesn't exist as it should, as it does in the IPv4 world. There are technical issues behind it that are limiting factors.

>> SHANE TEWS: But you have a room full of people that I assume don't live in Guadalajara, even though we all enjoy being in Guadalajara. How do my apps know that it's okay that I'm here?

>> Scott: Because your device is here.

>> SHANE TEWS: Physical presence makes a difference.

>> Yes, you have an iPad and a phone in front of you. You can make a business rule and say yes, this is the person's true location. If my Apple Watch is in Mexico City and my device is in Hyderabad --

>> SHANE TEWS: You have a problem. Researchers found that 40 percent of IT professionals surveyed are most concerned about internal threats. A lot of damage is done by the people you know.

>> Right, insider threat is a huge -- I'll use this for kind of the ultimate is Snowden, he was the ultimate insider threat, someone who came from the intelligence community. There was supposed to be stop gaps. And checks and balances. Obviously those failed. So it proves, I'll quote General Alexander who made this comment: If someone is determined in getting data out of your organisation, there's no way you are going to stop that individual. They will succeed. Granted, there are plenty of safeguards that you can put in place, layers of safeguards that you hope will catch that individual. If someone is determined to get information out, they will get information out.

>> SHANE TEWS: James is getting up again.
>> James: As I said, I would rather not talk with my back to everyone in the room. Scott said there are safeguards in an organisation to stop people getting the data and sharing it with those who aren't. As a global community there are services catching a lot of data that you don't necessarily want to get caught and there are supposed to be safeguards and institutional constraints on how security services work. So what is the relevant community? What should the trust and sharing architecture be for determining who gets what? Governments just do stuff. Private companies just do stuff. Individuals just do stuff. How do you build the trust that is going to assist in both those who are already online being able to do what they want, but also providing that trust architecture for the next billion, which is in your title.

>> SHANE TEWS: There was an article yesterday or the day before coming out of the Snowden files that the U.S. and the British spy agencies were able to use, when people got on commercial flights and used their phones a couple of years ago they were able to listen in on the GSM conversations, cell phone conversations. So to the extent -- there is no way that you would have, I would have known that or anybody else in this room known that had it not been for this revelation. It does bring up the question of what are the safeguards? What are the parameters? There are some heuristic rules that we as end users and even developers can do what you mentioned in terms of fraud prevention, right? If you were here and your IP location says you're in Guadalajara and somebody is trying to use your credit card from a device with an IP that is in Beijing, there is no way that you could have gotten it from Guadalajara to Beijing in less than two minutes. So that is a fraud detection algorithm that has been used by credit card companies for a very long time (Alexa.) Another one, like you said, there is no AI.
There are predictive algorithms, but they are dependent on past behavior. And then looking at how that could forecast future behavior and when there are exceptions. It throws an exception out and says, well, you know, this is out -- this amount is out of your normal purchasing behavior. So now combined with the fact that you are trying to charge something from Beijing when you clearly were in Guadalajara two minutes ago, that ought to raise the flag up even higher. So the probability of this happening as a fraud is higher than before. But that is all we have so far.

>> SHANE TEWS: So, there is a study I was reading yesterday on the 2017 overall cybersecurity assurance, where we are trying to head. One of the number one items goes to the point earlier, what they call mobile morass, the challenge of enterprise security and individuals and the risk assessment on mobile. So ... yes?

>> I had one more comment. I work for the Nokia, behind Wikipedia and other knowledge projects. I want to step a little bit back on the conversation we are having and going back to the title of educating the next billion users. I think we haven't talked about, without sounding patronizing, the conditions in the digital literacy and the digital skills that the next billion people will have. I think so far the conversation has been around terminology issues and things that revolve around the people that are already connected, right? The people already online and educated and have digital literacy rates that would allow them to have these kind of things. That said, I think we as enablers for participants and influencers in the Internet have a very important role in how we are bringing this very relevant topic to the next billion in the context that they have the digital skills, the digital literacy, that they have and with that understanding, think how it would shape, how we would inform these new people who will be coming online.
>> SHANE TEWS: I think that's a very important point to bring up. I think this dialogue is trying to point out that we've all lived through the first generation or the first billion have had to deal with the hiccups of not having security on the system. So some of these things that we are discussing allow a new level of security to be baked in as we go to the next generation, but they do have privacy challenges. I guess one of the questions, to your point, how do we best educate the next billion users? We have a group of people here from all around the globe. Are there any thoughts about the best way to get to the people that are just coming online? Great, over here.

>> AUDIENCE: Sorry, you can hear me? Okay. To Jorge's point, I think we need some principles about how we proceed with empowering the next billion. One, we cannot afford to use the same patronizing that we have used with Sub-Saharan Africa, Southeast Asia, poor people. We have to figure out where the intersectionalities with other injustices, how do we engage with educators, how do you engage with those figuring out how technologies are being used for agriculture, for security, that kind of thing? And the last but not least, the most important thing is, how do you also engage them in the core design of this empowerment, if you will? I think we are going to miss the mark and end up with either the next billion connected to a very different version of what we are talking about here as well. How do you make sure the initiatives trying to connect them, also make sure they are coming on to the same kind of Internet you and I are enjoying today. Those elements, we need to design a set of principles that everyone will agree upon. We won't use the same patronizing approach but trying to ensure that their knowledge and insights and their co-creators of this connection. For me that is something that has been missing in many discussions about this. Of course, it's great that we all want to do good.
It is very, very important. We have to very much make sure we do not make the same mistakes of being patronizing and condescending in how we go about it. Design principles that everybody adheres to in the work they are doing it, wherever they are doing it and whatever angle they are tackling it. That would be an interesting next step.

>> SHANE TEWS: One of you brought up the point that some of this is not specifically technology. One of the events I attended earlier this week discussed how just energy -- they were assuming that people are 24/7 on the grid. And they aren't. How do we get around that? This particular example showed that they would bring in cars and they would actually have education rounds where people would know to come find the mobile school. What they were doing is giving them the devices and the energy at the same time. And it was just a matter of knowing when and where to be so you could be part of that dialogue. I get your point about the principles. I hope, I don't think we are trying to be condescending. I think we are trying to learn. How do we best do this. Not this assumption that my first world person is that person's problem. And what they need. I think we also have the fact that a lot of this stuff comes, it's just intuitive, how we think it works, but we don't also understand what is the underlying comprehension behind that. I'm always curious, where do you step into that? I watched programmes and find it fascinating, you see seniors who want to be online. They don't want email until they realise it's the only way to talk to grandchildren. You get dialogues between ten-year-olds and 80-year-olds who figure it all out. The best way to put principles and guidance together that is useful. Back here?

>> AUDIENCE: I have a separate point to make. If you want to continue with this point --

>> SHANE TEWS: No, you have the microphone.

>> I'm currently based in Shanghai but I'm Indian by nationality.
I want to bring it in perspective that sometimes it is also about the readiness. When we are trying to connect the next billion, India just demonetized two of the highest currency value notes. And that pushed the economy to digitalize overnight. We got a three-day notice basically to take out the money from circulation. The company did not print enough of currency in lower denominations for people to use currency in terms of print. So everyone had to use digital means. There is an app called Paytm, the Indian version of PayPal. People were forced. I'm talking about people, not the ones educated. India is way, way behind a lot of the developed nations in terms of connectivity, in terms of getting access and digital literacy, per se. Now you have vegetable vendors on the street who do not know how to use a mobile device having to buy a mobile device that also supports the Internet, buy the facility to have Internet and pay through that app. We are not an economy as of today who is ready to get digitalised, but we are being pushed and coerced into it, which is one way of getting people to learn, because it is forcing them to learn. It is not always the right way to do it. >> SHANE TEWS: Taking people's currency out of circulation makes them digital pretty quickly. >> AUDIENCE: It did! It did! It is something I feel is unfair. >> SHANE TEWS: I mentioned it, so did a lot of these vendors already have bank accounts that they could attach these to? >> AUDIENCE: The thing is, you have the debit cards. Some of them don't have bank accounts. India as rich a company as people think. There are so many different languages and badges are not necessarily vernacular or multilingual, per se. There is a withdrawal limit of $29 a day on the ATM. That for a family, in India we do not have the one child or the two child policy per se. It is advisable by the government. It is called (phrase.) us two and our two, is the policy for having kids. But there is a lack of education. 
A lot of people do not even have sex education. So they have a lot more children than you can actually manage. If you have to sustain an entire family on $30 a day as withdrawal limit in cash, you can't do that. But there is no limit on money to be transactioned digitally. If you have a business of any sort, you have to rely on digital means. Now, I may be taking raw material for business from somebody who does not have any sort of digital literacy at all. That puts me in a fix. I have no way to ask that person to pay me, or for me to pay the person because now one of us has a barrier. And it just is basic coercion. You are not wanting to use digital economy. You are not really ready to use plastic money, but you are forced to. We are not even well connected. Our Prime Minister as of today is very pro digital. It is a ten year plan, but you took it out overnight. What happens to people in remote parts where they are trying to get Internet access still? But you do not have money in hand, so you don't have the Internet. You don't have money in hand. What happens to an economy at that point? >> SHANE TEWS: Since you are living this live, as we are going through -- some of us were in Hyderabad when that happened. You think about the digital element, but think about people, who don't have online ability, didn't have a mobile device. How quickly is that ramping up? How is the society managing that? Is it angst ridden? Are they feeling it come together? >> AUDIENCE: A lot of people instead of giving flak to the government for it, after the initial draw back of maybe two, three days of rage and angst and protests, a lot of people started appreciating the Prime Minister for bringing in something new as a digital policy and taking black money out of circulation. 
It was basically done to take out black money, but if you suddenly think that 1.25 billion people can manage to shuffle around their money in less than 72 hours, which was given, and for people like for me, I'm an overseas Indian citizen. I do not live in India. I live in Shanghai. If I carried any sort of currency with me as emergency measure, if I come back to the country I have some amount of cash. Maybe not a lot but some amount. For people staying overseas in a country like China, China did not allow Indians to exchange that currency. So overnight if I had, say, about $2,000, I just lost that money. There is no way for you to exchange it. So people are not very happy with it, but at the same time there were so many deaths. If you actually read vernaculars, not the national and international media, there were about 15 bankers who died out of the stress of handling so many people coming into the banks. There are four-hour queues to withdraw $50. It is just, we weren't equipped to handle that kind of pressure. Maybe if they are given more time to it, it would have taken six to seven months to get the policy at least working. But today if I have domestic help at home and they do not even understand the concept. So the first day when it happened, people cried because they had money in cash, whatever they earned, just minimal means of survival. Suddenly they felt that they are going to lose everything they had. They weren't even educated. The gap was in education. It was all digital, in a country that is not digitalised. >> SHANE TEWS: I'm infinitely interested in this situation with your demonetization. But going back to our topic, I'm interested in lessons learned. You basically were shocked into a digital system that didn't seem prepared for it at multiple levels. What is it, is there anything, any take away we can see? If they had a thought-out plan, how would you manage that going forward? 
Obviously, you have infrastructure issues but you are not going to solve those in six months. The idea, how would you have prepared people for this? Like you are talking about the vendors. Would that have helped if they had ramp up time? >> AUDIENCE: Not just that. The least you can do as a civil society is to educate people while -- we have a lot of vernaculars, we have 35,000 newspapers in circulation on a daily basis in India. We have 17,000 languages in India alone. Twenty-six of them official languages, the rest in dialects. The least they could do is put it in newspapers in steps, you know? And we are not -- we are one of those Asian countries that has some hostility -- we thrive on journalism. If you could educate those who could read that you try helping the vendors understand the situation, give it time to educate your house help instead of first thinking of your own self, because anyone from an upper middle class family has a lot of money. We save in gold and save in cash at home. People do not necessarily declare their income, their actual income. There's a lot of black money because we pay 37 percent tax as income tax. >> SHANE TEWS: I could talk to you about this issue for a long time. Let's bring it back to our idea of getting people connected. Obviously we are seeing what India is going through. We can take measures about that to bring more people into the digital medium. It seems, I will be curious to see as we go through this how that is working out and if it is taking the challenges of the black market away or people have worked around that. I'm curious to see if you have a point of view on this. >> No. I think what is happening in India is basically a good case of what not to do. Thinking of places where also eGovernment services, critical services are only now increasingly, the investment is on the online services and not factoring in people who are not connected at all. 
There are all these -- I think there is a mapping that needs to happen about the context in which you're trying to introduce these digital devices and just connections to the so-called next billion. Let's contextualise the reality, how does it fare in terms of gender. Where are the women? Do they have the time? Is this something that they are factoring in their budgets? I have to leave, actually, the most important thing, this cannot be a siloed conversation but it is a great start. I emphasize the fact of figuring out principles of how to do no harm. >> SHANE TEWS: To your point about the papers in India, that won't work in every group. Where can you get a critical mass of people to educate? >> I have a point to add here. Even if we print in the newspaper, today you digitalised the economy. You need a phone that has Internet access. That means it has to be a smartphone. If I don't know how to operate a phone in English, how do I first understand how to use a device that I have never seen before, I never held before? India is that kind of a backward country at the moment. There are remote parts, there are developed cities, but there are other cities that do not even know how to use the device. You don't know how to use the device let alone an app. For that app you need a bank account that leads you to a debit account. There is a lot of education that was expected overnight. For 1.25 billion of us. >> SHANE TEWS: Mark, did you want to get in on this discussion? >> Yes, Mark from the U.K. government. I think what you need to bring into this debate are those entities and services at the national level that actually can deliver the education. I mean, the U.K. 
experience on data protection advice is through our network of Citizens Advice Bureaus and also our Information Commissioner, our independent regulator on data protection is well seized of the issues you have been discussing in this session and produced reports on how to empower the consumer to protect themselves to exert greater control over what they are signing up to when they buy a device. So maybe, I don't think these people are here at this IGF. But maybe in the future you can get some of that dialogue involving those people and also at the national level, national IGFs. Maybe that is the place as well to bring in the national consumer advice activists, agents, independent personal data, regulators and so on to get them involved in a strategic plan for education. >> SHANE TEWS: Thanks. The point of, you know, what works where? You are going to have different levels that are going to work in different regions, but you might be surprised what works cross functionally. I remember reading an article about somebody did a test and took something that looked like an ATM machine and dropped it into a neighborhood in India. They let the kids just play with it to see how quickly they could acclimate. It was more or less a game. They came back a week later. They said first of all, we speak Tamil and you put it in English. We had to learn English first. They were amazed how quickly because they wanted to play with the device, that they went and educated themselves. So it is like you have to look at what they thought was going to be barriers turned out to be different barriers to what they needed. The machine would turn off and they wanted it on 24/7 because they wanted to figure out what they were doing with it. To Mark's point about the studies, it is always interesting to see how much of this is, is that actually usable device that you're getting back in. The idea of eGovernment and people actually using the services. 
Are we spending money on something that is not at the right level of entry? >> AUDIENCE: In India we are fast learners, for starters. Most areas do speak English. Hindi is common and the ATM machine will give you the option of English, but people do start learning. They do not expect people to understand ATMs shall, but overnight they learned it. Out of the bolt of shock, people did learn. India being the largest democracy, how democratic was that kind of coercion in terms of suddenly forcing an entire nation that wasn't prepared to use something that they did not have access to. >> SHANE TEWS: You were in Singapore. We were actually there. It was unique to figure it out. We have five minutes left. I was going to do a lightning round with this group. Anyone who wants to add to the conversation? James, start with you? >> James: The thing we heard about in the past half of the session is, there's lots of top-down approaches to educating, and the idea that I can make things accessible and set up devices to do what the users want. What is the bottom-up approach? Sticking an ATM machine in a place that hasn't had one before. That was what we have heard over here and what you're getting at. What is the bottom-up approach that meets people where they are and discovers what the real barriers are, discovers what the priorities are. >> SHANE TEWS: Good points. Scott? >> Scott: From the Internet of Things perspective we should also be looking at the actual people developing the technology. As we saw in the Dyn attack that happened recently, fast me prototyping to get a product out to market, to then get your revenue base built is not acceptable. We need the security safeguards built in. Looking at what happened with Dyn, it was a very simple stack that should have been employed, or deployed in that technology, flat and simple. Again, it goes back on to the vendor. >> AUDIENCE: Thank you. I think. 
>> ALEXA RAAD: I think if we look to polar ends, it's government regulation, government involvement one shape or form. Bottom-up is self organizing end users and so forth. I don't have the answer, but I don't think that you are going to find the solution at either end of the extreme. One of the nice things that I have seen happen, for example, the Underwriters Laboratories are starting to provide certifications for some IoT devices. That's good. To what extent that could be expanded or perhaps across different countries, and for users, I think it is a tough requirement for us to think that users are going to be effectively security experts. Whatever is cheaper, faster, better. If these can be baked into the design somehow, either through business models or through some sort of minimal regulation, to make things for the users that are cheaper, faster, better, it removes the constraint from them to also now also be a security expert on top of everything else they have to be. >> SHANE TEWS: Go ahead. >> Melanie: To the comment you made about energy, I think we have to remember there are 4 billion people that don't have, on our work on grid and off grid to reach those people for connectivity for electricity we can pair that in with Internet. So we are not just delivering one solution. We are delivering it all at the same time. It's much more efficient. There's major cost savings to doing it together. (1.2 billion.) >> SHANE TEWS: Anybody online, Jim? This was designed to be an interactive workshop. Thank you for those who interacted. Even if you didn't verbally participate, one of the things we would like is a feedback loop. I think we heard that was something that was maybe missing in even parts of not necessarily the policy, but the way that things, the application and design of how this information is getting out. So if you want to make comments about this particular workshop or any suggestions that you might have, I think that there's an ability to do that online. 
If you want to come talk to me afterwards, Mark, I appreciate your point about seeing about getting more government involvement in this dialogue. Getting everyone connected is important. If we can do it in a more secure fashion for the next billion users, that's ideal. In a way, it is actually user friendly, perhaps more bottom-up and less top-down. Those are excellent suggestions and I wrote other things as well. Thank you for starting your day with us and have an excellent day at the Internet Governance Forum today. (Applause.) (The session concluded at 10:00 o'clock CST.) (Please stand by for the Internet Governance Forum session number 6, Can Law Enforcement Catch Bad Actors Online Anymore?) >> Two-minute warning. We are going to be starting in two minutes' time. AV team, we'll be starting in two minutes. Thank you. >> One minute. We'll be starting in one minute's time. >> ROBERT GUERRA: Good morning, everyone. I'm here with my co-moderator, Jeff Bedser, welcome you to session 6, Can Law Enforcement Catch Bad Actors Online Anymore? Catchy title. What are we going to be talking about? A variety of different things. Our focus and premise to our conversation is about the exhaustion of IPv4 addresses, what it means as we move to IPv6 and specifically what does it mean in regards to law enforcement and catching bad behavior online and acting on it in one way or another. The bios are online. I want to get to the materials. The speakers that are here and some of the speakers that are remote. I will talk to you about the format we are going to be using and we'll get started. Alphabetical order, the bios again online is Jeff Bedser from I threat he group, John Curran from, Laura could not join us but gave me questions. Fragkouli is online. 
Farsight Security and also with ICANN Committee will be connecting and participating remotely. We have Iranga with the Federal Bureau of Investigation who will be participating remotely. Dick Leaning with us today from RIPE NCC. The format for today is we are going to have in a way two sessions in one. The first session or the first part of our workshop today is going to be an overview in regards to the IPv4 depletion issue. Kind of a kick-off and general information in terms of where we are in law enforcement. John from ARIN will be giving that. I will go to the speakers, the experts that are with us today. I will give them all a question in regards to the space of IPv4 depletion in law enforcement. What is their role, what do they do from day-to-day. We'll go around the table and with our virtual speakers as well. So everyone here in the room can get a sense of what their perspective, their stakeholder group brings to the table. Then what I will do is go to you, the audience. If you have any questions or comments in regards to that first part we're talking about. Then my colleague Jeff is going to get into something concrete. He will in a way set up a scenario, get a bit more specific from his perspective. And then we will go around as well in terms of everyone who is here and virtually for that case, how would they respond, how would they react to that and open it up to you. In a way an introduction to everyone, a scenario and then a discussion. That is my proposed format. I'm happy to have it evolve as need be. I've spoken a lot today. I really want to promote a conversation. So I'm going to pass it over to John who is going to kick off and give us background on IPv4 depletion and law enforcement. John, over to you. >> JOHN CURRAN: Thank you very much. I have a brief slide presentation to introduce the topic of IPv4 depletion and law enforcement. 
So as a sort of background to bring everyone up to the same position, I am going to talk a little bit about IPv4 and IPv6. We'll talk about IPv4 WHOIS, WHOIS data and NAT, Network Address Translation, talk about IPv4 depletion, IPv6 deployment and law enforcement implications. So let's see. There's this thing called the Internet that everyone knows. And it was developed actually, one of the speakers earlier this week. Vint Cerf and others were responsible for the protocol which made the Internet, IPv4 is what we built the Internet on. It allows for about 4.3 billion addresses. There's a number of reserved ranges so about 4 billion, which is a big number but not really that big when you think about a planet approaching 8 billion people. It is deployed globally. We issued IP addresses based on the need. So in other words, we didn't give them all out at once. It was as each ISP needed addresses to connect new customers it came and got additional IPv4 addresses. Back around 1993 the group that is involved in doing these standards, the IETF, the Internet Engineering Task Force, did a group that did depletion estimates. We realised we were going to run out of IPv4 addresses sometime between 2012 and 2017. It turns out that was pretty much right on track. As a result we created a new version, IP version 6. You'll hear about it. IPv6 has a much bigger address space. 340 undecillion, 340 trillion, trillion, trillion. Each universe has a trillion university and each trillion -- has -- it is standard since 1999 and deployed, it's in your laptops, cell phones and servers. People are enabling it, but the technology is already out there in all the operating systems. And it is very similar to IPv4. We issue it based on need. You actually have to need an IPV address block to get it. These are necessary to keep the Internet running, only it's larger blocks we give out because we have much more space. 
We don't want to put people through the onerous task of getting an address space over again. Every device talks to the IP address through packets. Simple stuff. Regional Internet registries. Each one of us has a region. You'll see it up on the screen. Whoops. Each region is based on a certain part of the globe. ARIN handles, parts of the Caribbean, LACNIC handles the rest of RIPE NCC handling Europe and P.A. NIC handling the Asia-Pacific rim and AP NIC. Soles countries go to them to get assignment blocks. The addresses have been created through the protocol standard and the group that does that within ICANN is called IANA. They follow the direction of the IETF. They allocate blocks out to the Internet registries. There's a global policy that sets how those blocks are managed. RIRs assign addresses to users and ISPs. We give griewls to ISPs, Internet service providers, they reallocate those to Internet users and others. An address block gets subdivided. This is important to remember. With IPv4, everyone was getting address blocks, using them and coming back and getting another. With IPv6 we give out very large address blocks. People don't necessarily come back to get another one. There is not the same rigor of updates. So in the past people assigned addresses, dedicated addresses predominantly to businesses and dynamic addresses for broadband customers and mobile customers. When they assign them, they put an address in WHOIS. There are two WHOIS databases. There is the WHOIS for domain names and a WHOIS for IP addresses. Very similar but a separate database. So the IP WHOIS database is a record of every organisation that has been assigned an address block. Over time when people need more address blocks they go to the RIR. With IPv4 they show that they used and assigned all those addresses. We looked at all the subassignments for WHOIS, and all the organisations that ISP assigned to was reflected in the public database. 
Then we issued them another address block. Obviously they used the last one. And this worked really well. And it is sort of the basis for the information in the WHOIS registry today. There is a little bit of nuance. That is not the only thing that is involved in IP addresses. In a lot of cases organisations would assign a single address to a business or home. Then they would use private addresses inside and use NAT, Network Address Translation, to map between them. As a result of this when you actually look at a log of what is on the web or mail server you might not see a public address. You may see a private one. You need to know where the NAT translation was done and what the mapping was. Because only one address public may have hundreds of private addresses behind it. Those private addresses may be assigned to different parties at different points in time. We have run out of IPv4 space. In 2006 through 2011, the central address pool for IPv4, the one managed by IANA, went to zero. There is no central IPv4 pool. Each region runs out at their own rate. In the ARIN region we ran out in September 2015. We literally have no more IPv4 addresses. We are telling people to use IPv6 because we don't have IPv4. IPv6 is happening. In the sivment a third customers connecting to Google are using IPv6, up from 10 percent a year and a half ago. Google says 15 percent of all accesses are coming over IPv6. An interesting thing going on here. When you use IPv6 to access Google, if you use your mobile phone if it accesses a Web site that is v4, there's NAT involved and the ISP or mobile provider has to translate IPv6 addresses to IPv4, that is a conundrum for law enforcement. They see a Web site at an IPv6 address but it's a phone speaking IPv4. Where does this leave us? With the depletion there is increasing use of NAT as people try to get more out of IPv4 and as people make use of IPv6. Both use the -- involve the use of NAT. 
It is a challenge for law enforcement to reliably determine the actual source because you don't have a unique address at each send end that doesn't change. You need to have the mapping between whoever was using the public address and whatever was on the device, which may be private or IPv6. Those logs and the correlation are necessary to get back and understand where is the responsible party. The other one is law enforcement has to probably be able to find that ISP to even have the discussion about their logs. In some cases the ISP, since we are using V6, you can have allocations, subISPs. They may not make it into WHOIS. We don't need to worry about utilization as much. The allocations are not in the database unless someone updates them. It is possible that the ISP you are talking to is using a V6 address that hasn't been put in WHOIS, because they got them from their ISP, but they are using a V4 address that was someone else's but they have taken responsibility for. That hasn't made it into WHOIS. All of these make it complicated for law enforcement, who is trying to actually when someone's rights are violated, when the privacy and security is violated and law enforcement needs to provide recourse, they need to be able to find out the other end, the party that was involved. We can't provide people the security we want unless we can provide law enforcement the tools they need to understand the party involved and the jurisdiction. That concludes my presentation. I'll turn it over. >> ROBERT GUERRA: I would like to get a sense of everyone in the room understanding what everyone on this side of the table is going. I have a set of questions for everyone. First round, Jeff, what is your ... in regards to the ecosystem, IPv4, IPv6, what do you do in your day-to-day work in a minute or less? You will get into this more later, but how does this affect what you do? 
>> JEFF BEDSER: So my involvement with the entire issue of infrastructure is on investigative standpoint. Trying to determine at the end of the day who is the end user responsible for an act, a criminal act, fraudulent act? Who perpetrated this crime? The issues come down to two. One, there has to be enough information available to allow an investigator to know where to go to a viable criminal process or court to get a subpoena process or writ to find out from the provider, the ISP, who is behind that infrastructure. Secondarily, it's an issue of perishability. Will the data about that transaction be stored long enough for an investigator to figure out where to ask the question to get a prosecutor or a solicitor to agree that there's a crime and to support getting a court order, so that the process of the investigation and the legal processes taking place, the information is still available on who committed the crime. >> ROBERT GUERRA: Thanks, Jeff. Ben, you're at Go Daddy. Domain name registrar, IP addresses, does it affect you at all? What is your role in this? And how is it important in regards to IPv4 and IPv6? From your perspective why is this important to you? >> Ben: So I, as Robert said I work for Go Daddy in the IPV security and have been leading the digital crimes unit for the last 15 years. My role is primarily one of being on the receiving end of the legal process and trying to help law enforcement when they actually are trying to identify who the bad actor is at the end of an illegal transaction online. So our involvement with IPv4 address depletion and IPv6 adoption is often times one of helping to train law enforcement on what to ask for, how to interpret the results they would get, since the results of a subpoena might come back V6 or V4 or some combination of the two and what questions to ask to give them the best chances of success. 
The other part of that is helping work with other content providers, registrars and hosting providers to help them see the benefit in having more robust logging and the longest possible data retention, which has the side effect of making these investigations more possible fliewrmt. >> ROBERT GUERRA: Great. Thank you, Ben. Iranga is virtual. I want to check if -- we are going to get into the scenario in the second part. The first part, the same questions I asked, why are IPv4 and IPv6 addresses, why are necessity important for you and, law enforcement and the FBI? >> IRANGA KAHANGAMA: Thanks, Robert. I hope you can hear me. I want to concur especially with what Jeff said. From an investigative standpoint and the FBI attribution, that's usually the biggest priority and the first step that kicks off all of our investigations. Without that, it either delays or cancels out the process for moving forward. Like we said, we are often trying to find where to serve the legal notice in terms of jurisdiction and proper identification of that IP address is the key to that. Not only that, but to add for the FBI, when conducting legal wiretaps as well, there is a significantly high burden in terms of the paperwork when you're writing the warrant for the court. A lot of investigators have to waste a lot of time trying to make sure that they are not over writing that and that they are getting very specific. Without the correct information it is difficult for them to apply for those court orders because they don't have enough information to get specific enough in order to have those types of things added to them. One other thing I will say is that as the FBI we have a tremendous amount of resources, but often times we are still dependent on commercial products. But that is not to say we also advocate for lots of our state and local partners. A lot of these are small shops, small guys in small cities. 
They may not have the resources or educational materials that we as the Bureau may have. A lot of times that initial IP WHOIS identification is all they can afford to do at this point. It's even more critical that we have accuracy in those resources. Thanks. >> ROBERT GUERRA: Great. Athina, if you are online, you are at RIR as well. A question for you is, and we'll go to some of the other RIRs in the room as well. What are the policy issues related to this that you have to deal with, that you can talk about before we get into the scenario? And so just tell us a little bit, kind of your role -- we have you and your colleague, Dick. What are your day-to-day issues regarding this that you have to deal with. >> ATHINA FRAGKOULI: Hello, everyone. I hope you can hear me. My name is Athina Fragkouli. So yes, I can tell you about some of the challenges that RIPE NCC as a registry, regional registry faces. To start with I would like to bring another aspect to the table. RIPE NCC and the other RIRs have a unique position. We are the only organisation that provides registration services. In that case we are the upper level because no one else can provide the services that we do. Although this doesn't change with IPv4 depletion, it is important to keep in mind especially in our discussion with the LEAs. The law enforcement authorities come to us and tell us, this resource holder is involved in criminal activities. Why don't you do anything about it? Why do you keep offering services to them? It is important to highlight because of this unique monopoly position, we cannot deny services unless we have a very good reason that is known beforehand and well documented beforehand. Of course on the other hand, as regional registrar, we have a responsibility to our community to maintain a good registry. A good registry, of course, is an accurate registry. 
Part of this responsibility is in performing due diligence checks, to ensure that who we distribute addresses to, they are who they say they are. We have the inability to deny services because of our monopoly position and our responsibility to maintain a good registry on the other hand, we have documented procedures that describe all the due diligence checks we perform. Also under what circumstances we would deny services, we would terminate a contract or we would deregister resources. So according to these documented procedures, submission of fraudulent information to RIPE NCC is a reason to stop offering services because fake information would reflect badly on the registry so we wouldn't have a correct and accurate registry. Updating the publicly available database with correct information is, of course, another reason to stop offering services. A Dutch order stopping us to stop, I'm saying Dutch order because this is a requirement for us as we are incorporated under Dutch law. So additionally, we do have the mandate to report to the authorities the submission of fake and fraudulent information from a resource holder to us, but we have no mandate to share nonpublic information on a voluntary basis. I believe that law enforcement authorities appreciate our inability to do so. So instead we follow the official legal process. This is a challenge that already exists there. Now, as I mentioned, our mandate is to maintain an accurate and correct registry. And we do realise that the public registry or database is a very useful tool for law enforcement authorities. And an accurate and up to date registry is crucial for their investigations. So before the depletion, law enforcement -- before depletion, the law enforcement authority could expect that the distribution of IPv4 addresses, at least at the first level distribution of the resources we directly distribute as, to resource holders as John explained just now, this hierarchy bit. 
The first level of the distribution would be accurately reflected in the RIPE database. However, would that before depletion? We don't have much IPv4 to distribute. Alternatively the community policies allow network operators to transfer IP addresses between themselves. It is a requirement that such transfers are reported to us so that they are reflected in the registry, but here is the challenge. Our community policies do not allow transfers with no limitations. In fact, they are quite restricted in order to avoid IPv4 speculation. So the community policy wants to make sure that IPv4 will be transferred to those that will use IPv4 and not to those who want to collect resources in order to make money out of them. But as you can imagine, some not allowed transfers may are angry. Since they are not allowed, they take place under the table. They are not reported to us because we would not approve them. Because they are not reported to us, they are not reflected in the registry. Our community is aware of this risk and discussing this risk, but they haven't come up with an accepted solution, an accepted approach. And roughly speaking there are two main opinions that are expressed. On the one hand, part of the community wants to allow transfers. These are not just people who are in the IPv4 transfer business, not just brokers and so on. But there are also people who want to stop any discussions about IPv4. They want to move on and develop IPv6. Another part of the community wants to keep the restrictions for the reason I mentioned before. They believe the resources should be kept for those who actually use them. In any case, the challenge is there. Before IPv4, because of the depletion and because of the restrictions in place that are there to manage actually IPv4 depletion, the registry may not be always accurate which may jeopardize law enforcement authorities' investigations. With that I will stop and come back for the discussion. Thank you. 
>> ROBERT GUERRA: Great. Thank you so much, Athina. We have other RIRs here. John, you gave us an overview. We have Dick as well and Carlos. Before we get into setting a scenario, in addition to setting the scene for us, the question -- at ARIN, your role in this, what I would ask is maybe a specific question. In regards to law enforcement and ARIN, do they interact with you all the time to get the requests? How does that work? >> JOHN CURRAN: Excellent question. Recognize that much of the information that law enforcement would seek from a regional Internet registry is actually in the WHOIS database because that's what we are maintaining is the WHOIS database and it is publicly published. They can generally go to WHOIS. As long as the information is reliable, they can use that to further their investigation. There are some cases where we may have a circumstance where a party has, they are at a dead end, they can't find the party. We may have additional information from our correspondence that is helpful. That is actually quite rare because generally they are trying to get to someone who is doing something on the Internet, not someone who is providing Internet services. Our records are predominantly the parties providing Internet services. Most of the ISPs are good about keeping contact information up to date. They are technical, admin and abuse contacts. We don't get involved heavily in that. The engagement between law enforcement and at least in the case of ARIN's registry, is more making sure the ISPs understand law enforcement's expectations about them keeping their records up to date and them tending to subrecords when they allocate or assign. It is crucial for law enforcement to be able to get to the edge ISP. If you've subassigned to an ISP it doesn't do law enforcement any good to reach out to you when it is not in the ISP's interest. 
No one wants to get a subpoena to say that we are not serving that customer, we are serving an ISP who serves that customer. If you have the records up to date they'll go directly to the ISP serving the customer and save your legal abuse and response desk the work. We have law enforcement processing in the multi-stakeholder process in ARIN on our policies and they talk at length to those, it is crucial to make sure that the subpublications make it to the database unless the ISPs want to respond to each request directly. >> ROBERT GUERRA: Thanks, John. Carlos, you're from the region. Do you see it the same as John just mentioned? Is your relationship in regards to law enforcement and LAC the same? Are you in your role at LACNIC doing something different in regards to helping catch bad actors? Tell us a little bit about that. If you can be brief so we can get to Dick and then the scenario. >> Carlos: Thank you very much, Robert. The situation in our region is a bit different. We don't get many requests directly from law enforcement. And most of those requests that do -- I mean, we do get in many cases due to failure of investigators to properly interpret the result. Which is a very bad thing in my opinion because it delays investigations a long time. So this has been going a long time, we have police officers in uniforms demanding things that are not there and are subject to interpretation error. This convinced us as LACNIC that we need to do outreach to the law enforcement community and provide training in how to make good use of the sources of information that are out there. >> ROBERT GUERRA: Thank you, Carlos. Dick, you bring a unique perspective to the table. 
You were from law enforcement, and we have Iranga who will be talking more when we get to the investigation scenario, but I'm curious for the audience here, what perspective do you bring to RIPE and perhaps the community as a whole as someone who understands law enforcement, what insight do you bring to RIPE and your role there? So people here can understand when we get to the scenario, people understand where your perspective is coming from. >> RICHARD LEANING: Thanks. The perspective I bring to it is law enforcement and the RIPE community want a safe and trusted Internet. Sometimes they don't speak to each other in the same language, but they want the same thing. It is bridging that gap between law enforcement and by extension the governments and the community that basically want the same thing but don't understand what it is they actually want, apart from a safe and secure Internet and how to get there. What we do at RIPE NCC and echoed in the RIRs, we do a lot of training of how to look through our database to get the information that they want because the WHOIS is more of a technical database and not law enforcement. There is a lot of information in there that isn't obvious to law enforcement. We try to make that, demystify what the database is. We get the law enforcement to our communes to engage with our Members at the RIPE meetings and the ARIN meetings, because that's the only way they will all come together and understand where the issues and challenges are and how they can work together to solve those. The other thing that I do, and not just me, but we are members of many international and national law enforcement Working Groups and high level governance groups like Europol, Interpol, others around the globe. We have a perspective on the challenges that law enforcement have now. We can tell them what can be done and what can't be done as an RIR. Because that's just as important. 
We can take those issues and concerns back to the members and have a proper dialogue because at the end of the day we all want the same thing. That is the perspective I bring. I want to emphasize, it is not just RIPE NCC that does that. It's all the RIRs. >> ROBERT GUERRA: Thanks so much, Dick. Before we get into the more hands-on, what does everyone do, what are some of the challenging issues, technological, privacy and otherwise, and also tap into the great expertise in this audience. I'm seeing people come in who have worked on this a lot. Before we get to that setting up the scenario, I don't want the panel to be talking all the time and the experts to talk all the time. I'm wondering -- I will have a few minutes for comments from the audience. Does anyone want to just say something that they might bring to the table? We see APNIC is also here. Paul, I'm wondering, in terms of law enforcement in your region, what do you do? And keep it short. >> I'm Paul, the Head of APNIC, registry of IP addresses in the Asia-Pacific. In the Asia-Pacific we are working as actively as we can with agencies like the Interpol centre in Singapore and others, particularly on training of LEAs and justice sector folks, in terms of what you can and can't do with WHOIS, what it means in terms of the addresses you might find and what might be behind them when it comes to private addressing, technical issues like that, trying to provide a level of technical understanding or to ensure there is an understanding of technical understanding that helps people do the jobs that they need to do. That's it. >> ROBERT GUERRA: Is there anyone here from any ccTLDs, country code TLDs, that they may want to flag what they do in investigation? Okay. In the room are there any people from civil society that are involved sometimes in investigations on line and bring a particular perspective? There have to be people from civil society in the room. I assume you are just shy today. 
Definitely there's privacy issues. Is there anyone here in the corner? If you are following this, just get a mic and say either what you are involved in this or your perspective. Just so we have a sense of who is in the room. >> AUDIENCE: Okay. I'm Nick smif, general, the ccTLD for the United Kingdom. I want to echo some of the points about the accuracy of the register database. We spend a lot of effort trying to make sure that the WHOIS are registered to people who are accurately reflecting the person for a Web site or email address. Cooperation with law enforcement, absolutely the key is to have a good dialogue with your domestic law enforcement agencies to help educate them so they are smart in the way they go about their investigations. It is less resource intensive on the registry to deal with people when questions are requested in the right way through a proper process that we can organise. And it is an ongoing effort. I think there's a huge amount of unfortunately criminality online, but it is -- it is a minority. We need to do things in a proportionate way that doesn't disadvantage the vast majority of totally legitimate users. >> ROBERT GUERRA: Great. Thank you so much. Very key player that has been mentioned multiple times. Do we have anyone from ISP? Perhaps from the region? That's here? Do we have any ISP representatives in the room? Don't be shy. I know you're here. You're probably telling me you want to get to the fun stuff. Now we have a sense of who is here. Their perspective. What does it mean when we have an actual situation. Jeff, I'll turn it over to Jeff and Jeff will talk about, let's get into an investigation and go in terms of working it through with not only the experts here, our great participants that are remote that I will go to as well, but also to you here in the audience. Jeff, set up the scenario. >> JEFF BEDSER: Thank you, Robert. Slide, please. A little perspective. 
I find perspective is good when understanding investigations with the old American analogy of the needle in the haystack. With IPv4, the haystack was big. In a moment we'll see how big that has become with IPv6 deployment. For some perspective of scale, 16 million Internet users in 1995, 5.5 billion people on earth. Less than -- 2.9 percent of the globe are Internet users. 2015, we have 3.3 billion Internet users, 7.5 billion people on earth, 44 percent of the people on the Internet are connected to the Internet. 15,000 increase in ten years. Anyone saving for their retirement, I would love to see that return on my retirement account. It's okay to laugh even if I'm not funny. IPv4, 5.3 billion addresses. For perspective if you sat down and counted one to four billion, you would be counting for 380 years. More people on the planet than in IPv4 when it was created. You could trace IP to a carrier and usually down to consumer subscriber through court order. Logging IP to carrier was necessary to identify the end user. Investigatively you always need to come back into the past to find out what happened in the past. If that data is not logged, you don't have access to it. As exhaustion of IPv4 space started looming on the horizon, many of the ISPs started stretching their answers using dynamic IPs and carrier grade, as John spoke about. That did quite a bit to expand the use of IPv4. You would have more users on the network. At the end of the day, the more that happened, the more there was extra steps of routing to understand who is the end user behind that transaction and more of the complication meant more storage necessary for the data, which meant the perishability of that data became shorter. ISP stored it for a shorter period of time. It is imperative to go back and determine what you have. How have investigations changed? Finding IPv4 to individual users was relatively easy in the mid '90s. 
You could investigatively, for law enforcement or private, you could track it to an IP. You knew IP was within a particular ISP. If you got to the ISP within their perishability period, say it was set at 30 days, inability days, you could get an answer through the subpoena of who that user was. Smaller pools of users, limited Web site, limited tools and methods. At the end of the day, it was a relatively simple process to those who understood the infrastructure. Next iteration of IPv6 gives you ridiculously large number. I like the way John phrased it. I envision it, this number is estimated to be roughly the same number of grains of sand on this planet, is the number of IPv6 addresses out there, to give you some scale. The Internet of Things is expected to deploy over 15 million devices on the Internet by 2018. The majority of these being IPv6 deployments. These don't expose geo location on the IPv6 addresses. Most of those are consumer driven. They are based on companies that gather that data from consumers based on e-commerce and such and other information from WHOIS. Right now because of the scale and size there is not much geo location to be inferred. The good and the bad news. There is no end date to IPv4. It has been grandfathered. IPv4 is not going to go away. Thus it is going to give a bit of a grandfathered period for understanding. But at the same time based on the huge volume of available IPv6 there are already strong indicators that bad actors are buying up significant blocks of IPv6 space with the intent to use it for criminal and fraudulent purposes. Let's get a couple of quick case studies now that I set the stage. Three scenarios for investigative processes for IPv4 that has been NATed or carrier grade NATed and IPv6. IPv4, sends a death threat to an executive. Spun examines the headers, including the origination IP address. 
You traceroute the IP, do a WHOIS lookup through ARIN to see what RIPE or RIR was appropriate at the time to find out who owns that IP address. You know where it's geo located, by the RIR you know what region of the world it is in. You get down to the country and city beyond that in the WHOIS. And then you know who the ISP is. You know where to send any court order you need to to find out who the person is for this transaction. You assume you get to it early enough before the perishability, in time for the court order. Modern IPv4 investigation, current, there is a scenario where a bank received a harassing anonymous email from a Gmail account. Many of the primary large free email providers strip or remove the originating IP address out of the headers. There is no longer a source IP address to go to, that's different since the '90s. This case, they were running a blogging post. They had misleading information about the bank and the bank needed to know who is behind these attacks. So Gmail does replace the originating email address with one of its own. You can send them the link. The link was sent to the NGO by the email account which they clicked on. Clicking on the link gave us several ISP addresses from two U.S. ISPs, Verizon and Comcast. Because they were back to ISP, they had WHOIS data and geo location was available for the IPs, it was a residential, Fios, U.S. in the New York area and geo located to some area outside of New York City. They had a domain affiliated with it configured for a sphroanl connection. By a space adjacent by that IP address. We found other domain names for that could. The WHOIS gave up the registrant and location. In this particular case the client was foreclosing on a business loan on this registrant. Obviously giving motive for the attacks on the bank. The point here is all of this is available from public information. This is all information about routing and infrastructure that is available to determine. 
This wasn't about someone sending a subpoena directly to Gmail and sending who sent this email. And Gmail and Google may not have the information available. Other steps had to be done based on correlation of other public information to determine the situation. To know where the subpoena needed to be sent. And IPv6, what is needed, IPv6 does not lend itself well to geo location. Most of that data is from third-party database providers. The market should respond to this as deployment continues to expand, but there aren't many data sources yet that give you good geo location on IPv6. Adjacent addresses can take days or years. There is a not for profit running locally called Shadowserver, looking for vulnerabilities on servers and provide it to those who control the networks. They are able to scan the entire IPv4 source. A conversation I had with reps in London, I asked how long it would take to enumerate all the IPv6 space for vulnerabilities, they said sometime between now and when the sun burns out plus 100,000 years. They are not able to scan for and look for vulnerabilities in that space. In court when you take the evidence forward, if you don't have good correlation as to why you believe this evidence to have led this direction in an investigation, it does provide a slightly weaker case. That can be a problem. Because you have to definitively rely on court orders to prove ID, there's a problem in that legal process takes time and we have a perishability issue with data. If you have to do a court order at each step of the investigation to get to the next step, by the time you get to the source of the crime you are well past the point of perishability and have no data left to investigate. I am going to skip that slide. It is not necessarily relevant. I covered most of that. The other example, many of you heard about the botnet that was used for one of the largest denial of service attacks on record within the last several months. 
This particular botnet, it was it where witnessed at IoT devices using IP addresses where as the botnet was able to take down major sites such as Twitter and several others by attacking the DNS provider Dyn in the United States. So used an old botnet, a new code that compromised Internet of Things devices and basically it was programmed to take over and lock out other botnets from taking over so it could be used exclusively by this user. In late October it had 3,500 infected devices that it took five days to amass. This botnet was thoroughly investigated by malwaremustdie.org. I think they are clear about their motive. They required extensive review of code and reverse engineering but due to address space and quantity of infected devices it isn't easy to map and find them. It is believed that the creator might be Italian but it is too expansive to know. None of the techniques used for IPv6 deployment is available for those to be understood. That's all. Robert, back to you. >> ROBERT GUERRA: What I'm hearing from you, if I buy a new toaster it can be used in a botnet and can be used to take down websites? >> JEFF BEDSER: Depends on the toaster. >> ROBERT GUERRA: That paints a scary scenario. We are running out of IP addresses. The force has gotten so much bigger, it's easy to hide and detect this activity. It is scary. Is it scary or not? Let me ask Iranga from the FBI. Is IPv6 scary to the FBI? >> IRANGA KAHANGAMA: Yes, I would say it's a world that we are not used to. I don't know about other governments, but ours, sometimes we can be very slow to catch up with the pace, especially the pace at which technology moves. We haven't seen widespread IPv6, but we have seen it in our investigations. It does create a bit of a problem. Internally we still have problems with IPv4. I would like to demystify the thought that the FBI has magic tools where they are able to figure everything out. I don't think we are as savvy as people think sometimes. 
We are relying on a lot of commercially developed tools. We have internal tools as well and try to use our data that we have, but a lot of the times investigations, we have to use other techniques in the sense that we have run surveys in the past of where NATing and CGN were an issue. Cases are not always strictly cyber cases. They tend to be child exploitation cases for sure. They also involve kidnapping, they've involved fraud, banking issues, things like that. And a lot of the times because we have blocked on a lot of the online attribution things, we bring charges based on other things. We build cases the old traditional way and then maybe the charges from the cyber component may not get through. That may have an effect on the sentencing that is recommended. But yeah, it is definitely a very scary thing. We can't scale. We have very limited resources, not to mention, like I said before, state and locals. If we are having an issue, I can only imagine what it would be like for state and local. Our cyber guys are good, but with IoT and everything becoming more global we are hindered by the MLAT process, when we need to get legal process in other countries we have to work with respective ministries of justice. That adds weeks and months, and speaks to Jeff's perishability issue as well. We don't know if servers are moved by the time we get to them, if people have moved on, things like that. It is a scary scenario that we only see getting worse. Thanks. >> ROBERT GUERRA: Thank you for those comments. A lot to reflect on. Paul, you had a comment you wanted to make? >> Paul: Yes, I'm sorry, I didn't catch your name. That's an interesting presentation. Thank you. I had a couple of questions about a couple of things that you said there, particularly in relation to IPv6. You drew a distinction between V6 and V4 with respect to geo location. From a technology point of view and registry point of view, there is actually no difference between the two. 
In terms of geo location that I am aware of. So I'm interested to know more about what you meant there. And the other thing is on port scanning, on scanning through IPv6 address space, let's remember that the bad actors who are building botnets are also using scanning in many cases to look for vulnerable devices and add those to their botnet. If there's a disadvantage for law enforcement in finding them, then the bad actors are suffering the same if they are using address space scanning as well. I'm interested in your thoughts about that as well. Thanks. >> ROBERT GUERRA: Thank you, Paul. So. >> So back to the geo location issues. As far as the providers of infrastructures, I agree. The geo location data is really the same. The augmented geo location services that most investigators use are provided by private companies that correlate e-commerce data. So they have, they know who the consumer is that bought from this IP address, et cetera. And because they have been doing that mostly based on IPv4 as consumers versus IPv6 as IoT machines, et cetera, the correlation is not there to necessarily give you geo location beyond what is requiremented in an RIR IP. >> ROBERT GUERRA: Someone else here from the floor? Andrew, please. Tell us where you are from and your question or comment. >> Sure, Andrew Sullivan. I work for Dyn, which is why I have this microphone. I currently Chair the Internet Architecture Board but I don't speak for them. I live in Canada. My company is in the United States. So on the attack in October against the Dyn infrastructure, I want to slightly disagree with your description of that because we did not see an enormous amount of V6 traffic in that attack. That was not the basis of that attack. There were some unusual issues about that, but V6 was not among them. I agree with the general point that V6 makes these things harder because the space is much larger. 
I think the real lesson here, the strategy by which we were going to use brute force in order to map the entire Internet was a losing strategy all along. The fact is we happen to have invented an addressing space that makes that point sort of self-evident to you. You realise that grains of sand is not a scannable space, but the problem actually was there before, which is the reason we were so bad at preventing these attacks as opposed to reacting to them after the fact. The fundamental issue is just scanning the world to try to find vulnerabilities is not really our future strategy. What we have to do instead is try to figure out mechanisms by which these things can be localized than, and so on. It strikes me that the analogy between the Internet space and the meat space has been broken down here a little bit. What we need to do is tackle these kind of problems by thinking about what we do in human terms when you've got a perpetrator of this sort, and what we normally try to do in law enforcement cases is try to contain them. You narrow them down into some area and gradually surround them. If we can figure out how to do that on the Internet, we may move forward there. Thanks. >> ROBERT GUERRA: Great. Any other questions or comments from the floor? There is a scary scenario that has been painted. No comments? Good or bad thing? Question here in the back? >> Adam steens from the U.S. Embassy in United States. Has the Budapest convention, has it made it easier to not have to go through the MLAT process? Is law enforcement able to move faster between Budapest convention signees? >> ROBERT GUERRA: Jeff, do you want to? >> There is a difference between intelligence information and evidence. When investigators are after evidence, they have to go through -- sorry, they have to go -- MLAT, that's the only way they can, cross jurisdictional evidence is through an MLAT process. 
Unfortunately that process is there and there is a lot of conversation about MLAT not working but the government is aware of that and they are trying to resolve that and put more resources into making the MLAT process more efficient than it is at the moment. With MLAT you basically have to get a paper form and walk across to the airport and fly over and hand it over. That's how inefficient it is. Now we have the Internet! Try to use that to make it slightly more efficient (Laughter.) >> It may sound silly, but that's the way. MLAT is a very old piece of legislation. That's the way we are going. To jump in -- Nick is from the U.K. government. So ... (New Zealand.) >> My name is Nick Soraia from the U.K. government, I'm from the national crime agency so technically I'm still an investigator. Great, I love it. It provides the facility to operate quickly within a constantly shifting and changing environment which we are just hearing about. One of the challenges I found in addition to what Dick has just mentioned is that actually some of the principles around the Budapest convention haven't been enacted into national legislation. So we go to a country and say under the Budapest convention, I have to first of all preserve this data to stop it being lost and then IUA would share it with us on an intelligence basis until we get you an MLAT. That would hopefully enable us to mitigate this threat. The problem is within national legislations they don't have the sort of legal framework to be actually able to do that. They would require a court order in order to go to a judge, get a court order in order to go to the companies and get that information. It is not legally, they are not legally able to do it even if they want to. Budapest convention is great. I think the challenge and next step is sort of how the principles get implemented into national legislation in order to provide that flexibility, because lots of people say we want to help you but we just can't legally. 
We have to have that MLAT in our back pocket before we can do that. >> I want to add something. I don't want to have people thinking it's doom and gloom because the IPv6 is coming on and that's the end of the Internet as we know it because it will all be full of crime and bad actors. We all have a place to -- role to play, it is -- law enforcement can do what they need to do to identify the person committing the crime. They are not looking for back doors. They're looking for someone to serve legal process on so they can find who that person is. As an RIR we have an obligation to make sure that our database is accurate so they know who that service provider is closer to the edge that they need to serve the local process on. That service provider needs -- that is not for us, it is for the law enforcement to speak to service providers to make sure they retain the data they need through a NAT so they can find who it is they need to find. It is not just one person's or one organisation's responsibility. We have to work together to make sure that we add our little bit to the security of the Internet in finding the people that make the Internet bad. So we just have to remember, even though IPv6 sounds horrendous and has more grains of sand, et cetera, et cetera, but the scalability doesn't matter as long as we keep a record of who has what at what time, no matter how big it is. Let's not get carried away that IPv6 is coming across the horizon and we are lost. Definitely not. >> ROBERT GUERRA: Carlos, before I go to you, let me just go to Athina and then I'll go to you for you to comment and then I have actually a question for you as well. So Athina, you mentioned earlier that RIPE is a Dutch entity. You're on the legal staff I guess at RIPE NCC. So how does RIPE deal with different law enforcement entities, if at all? >> ATHINA FRAGKOULI: Yes. Thank you very much for the question. Yes indeed we are an entity incorporated under Dutch law. 
This means that we can cooperate with the law enforcement authorities from all over the world with no problem. We can educate them. We can show them how to use our registry and the other tools that we have. And we can point them to -- we can direct them to the publicly available information that is publicly available. It is there for everyone. That also means that we have no obligation to give them any nonpublic information. And we can only do that if we get a Dutch order. So indeed, in this case the MLAT process is very crucial for these non-Dutch law enforcement authorities. There is another aspect I would like to bring to the discussion. As I said before, incorrect information in the database is a reason for us to stop offering services. So it is a means for us to enforce our order. If you don't update your information, we'll stop offering services. And usually they do update their information and it is accurate because the vast majority of incorrect information in the database is not on purpose. They just forget to update their information and so on and so on. Now, sometimes law enforcement authorities come to us and say: Hey, this information in the database is incorrect. Because we did issue a subpoena -- sorry, through the MLAT process we did issue an order and didn't help us because the entity in the database is not the entity where the actual servers are. And they come to us asking to update this information. So that they get their subpoena correct, the MLAT process correct. And for us the information is not incorrect. It is correct because we register the resource holder's legal entity as it is officially registered by the authorities. Sometimes this registration corresponds to a letter box company for tax reasons, for example. And has nothing to do with the actual place and location and country where the services are provided, where the servers are. So we understand that frustration of law enforcement authorities. 
They do not know how to issue, how to use the MLAT process or which jurisdiction they should ask for an order. But this has little to do with the IPv4, IPv6 resources or communities in general. It has to do with motivations that make people use other legal addresses than the ones they use for the actual services, like tax evasion aspects and things like that. So that is also an interesting aspect. Thank you. >> ROBERT GUERRA: Great. Thank you, Athina. Carlos, you wanted to make a comment? Then I'll go to Ben. >> Carlos: Yes. I want to make a couple of comments on what has been said earlier about this difference between IPv6 and 4 for investigative purposes. I agree probably -- I hope I have some time to get into this later, but yes, IPv6 is larger which makes things different like scanning. Not only for law enforcement but also for others as Paul said actually. Regarding geolocation, I wouldn't want the audience to get the idea that geolocation was something that was born with IPv4. IPv4 wasn't born with geolocation. This geolocation for IPv4 were created over time. IPv6 will in time get similar databases. It will take time, I agree. IPv4 geolocation is not perfect either. Horror stories about them are abounding. IPv4s, investigations in that space (audio difficulties.) In the Internet the use of CGNs is common. You can no longer make the same request as you did before, things like in order to, for an ISP to track a user who is behind a CGN box, they need information on the source port of the connection. That information may not even be available as many people don't even log that. So in a way, IPv4 space for this particular case is also larger, if you will. You need more information, also, for example, timestamping requirements are much more stringent in the CGN world, because they rotate much quicker than IP addresses that rotate like within 24 hours or something like that. Thanks. >> ROBERT GUERRA: Great. 
Thank you, Carlos. We have a remote question? Please, Iranga, go ahead. >> IRANGA KAHANGAMA: It was more of a comment. When Dick spoke, not be so pessimistic and to comment on stuff that John said. We as law enforcement have been engaged with the multi-stakeholder process at the RIRs and are trying to work with the community to get policies. I do think there is a lot of truth to what Dick was saying. We are early enough in the IPv6 world, it hasn't been widespread deployed. We can try to get ahead of it a little bit and set in place policies and things like that to put us in a better situation to handle some of these. I wanted to appreciate those comments and mention that yes, we are working with ARIN to put forward policies and trying to tackle issues like suballocation issues that we see. Thanks. >> ROBERT GUERRA: I have a question for you, Ben. Then I want to go to the audience. You mentioned that you work on the crime section at GoDaddy. So are you seeing -- I would like to get your perspective. Are you seeing any difference in terms of IPv4, IPv6 issues in regards to your investigations? Particularly, you know, you not only work on -- so you talked a little bit about that. But particularly the more nefarious crimes online, stuff related to children online. Is this something we have to worry about? Or is it just, as was being said before, the space may be changing but the tools are there and we can still do things properly. So just can you tell us in terms of are things getting better or worse? If IPv6 is going to make a difference in the work you do to take stuff down? >> BEN: Thank you for the question and like any security guy, my default answer is always doom and gloom. Yes, it's getting worse and it is going to continue getting worse. But it is not just because of the IPv4, IPv6 issues. I wanted to kind of echo something that Carlos said. 
We are still seeing the vast majority of our internal investigations, when we look at the logs on our servers to see who connected, most of those logs are coming in in V4. And law enforcement is going to have the same issue when they review those logs, trying to determine who is behind the Web site. I want to thank Carlos for mentioning, one of the hurdles that law enforcement has to deal with right now, does that log contain the source port? When they ask the question in the subpoena or otherwise who is responsible for this IP on this day, that is not good enough. You can't narrow it down to a day. You can't even narrow it down to an hour. In some cases even a minute. You have to have a full timestamp down to the second with the source port before a content provider like GoDaddy or before an ISP is going to be able to pin that down to anything even resembling a suspect. And then the flip side of that coin is how do we improve that? How do we get more providers to log source port and date and timestamp in such a way that these logs are more beneficial to law enforcement? At least within the United States the bad news is you can't approach it from the standpoint of, okay, let's make our logs better so that law enforcement can have an easier time finding the bad guys. There are rules that say you can't keep stuff for the purpose of making law enforcement's job easier. So you have to -- this is something we had to do at GoDaddy years ago when we started to see this problem occurring. We had to say okay, well, what are the benefits, the real benefits to us as a business to logging source port and date and time and all that sort of thing? And we found that that allows us to have greater visibility on the numerous DDoS attacks that we would have on some of our hosting customers and things like that. 
We now have customers -- conversations with our customers saying log everything you possibly can because it gives you a better chance to identify who the bad guys are attacking you. As a side effect, those logs become very useful for law enforcement. Side effects are fine. That doesn't trigger the legal problems. So I think that is something that is going to continue to be a problem. It doesn't necessarily get involved with IPv6. You still want to have as thorough and rich logs as you can without creating space and logistical problems. >> ROBERT GUERRA: Jeff, you wanted to make a comment. Then I'm going to go to you, Paul and then I have a question for the audience. >> JEFF BEDSER: Thanks. I want to point out while there is frustration in having a much bigger space to play in, the reality is this is a solvable problem. It is about protecting privacy while not protecting criminals with that same privacy. It comes down to setting up with best practices and industry standards that allow us to capture the right information that doesn't allow the criminal misuse, victimizing the users of the Internet through nefarious means. The systems exist in ways that they can store the data in an appropriate fashion that can be used by the appropriate authorities to take care of criminals. The issue comes down to there's the whole range of scenarios from the stories we've all heard about ISPs that only receive subpoenas by fax and that fax machine never has toner or paper in it. And they won't respond until a law enforcement officer shows up at the front door and hands them a piece of paperwork because subpoena -- responding to subpoenas about criminal activity on the Internet is a cost. It doesn't make them money so many don't want to respond to it. It is such a complicated process of logging, that if the law enforcement doesn't know what to ask for in the right expert, it is not available. 
These are all global scale, IETF, ITU, other organisations involved in this, if we can come up with standards to say if you are going to connect to the Internet and provide these services, there is a minimum you need to do so criminals don't have impunity to do crime hiding behind privacy. Thank you. >> ROBERT GUERRA: Thank you, Jeff. Paul, you had a comment? >> Paul: A quick one before I need to fly, but on another V4 to V6 comparison that is important and I am sorry to belabour this, but data retention for the sake of tracing past connections for the sake of attribution in IPv4 is becoming very, very difficult. The log files that are needed, we need to understand that the estimated calculation for the size of those log files is one gigabyte per user of the ISP per month. If you look at ISPs and millions of users, you're looking at terabytes of data per month which is a huge storage problem, not to mention a big data problem in actually making use of that data. It could only be retained by an ISP if they were required to do that. So it would have to be legislated. Imagine the problem of two years of that data and having to use it. On the other hand IPv6 doesn't have that problem at all. You have simple straightforward associations between addresses and users, which is a privacy issue, by the way. Let's not go there in this forum. Look, before I go I did want to mention that there are, in the RIR world we have ten conversations per year across the RIRs. They are open meetings with multi-stakeholder event, we had increasing participation by law enforcement and associated people in those meetings over the years. That is coming up right now towards a policy proposal that is going around the RIRs for the sake of asking our communities to take some particular actions on WHOIS data accuracy and completeness. 
That is a multi-stakeholder process and I wanted to mention it is something that is going on outside of this room and going on very actively, as I say, in potentially ten events per month. I hope that does go on and I thank everyone, some who are here who have been involved with making that happen. Thank you very much. >> ROBERT GUERRA: Great. You touched actually on some questions I wanted to ask to the audience. We have been talking about or it has come up that gate keeping data is important. Logging is important. And that raises a lot of issues in regards to the data retention initiatives that need to be developed in different countries. What are the privacy implications? So there are folks in the audience that might be able to speak to some of this. I know you're here. I'm just wondering, though privacy is an issue -- sir, state your name, where you're from, your comment on that or the session itself is welcome. >> I'm James Edwards from Internet New Zealand. We are the country code, we are the registry for .nz, the New Zealand registry. I'm on the policy team and I have regulatory colleagues. Those colleagues in the domain name division are concerning the WHOIS policy. There is concern that the availability of the information in the WHOIS database poses personal safety risks. They have run several rounds of consultations on getting the balance right. They are still going to collect data, but it looks like one of the options that is on the table now is to identify one's self when registering a domain as an individual person and to have the option of your phone number and your geographic location being stored but not publicly accessible. And then when people have a court order or some legitimate reason for access to that data, it's there. Like I say, that is sort of balancing which actually improves the ecosystem. The more confident you are that your privacy will be protected, the easier it is to say yes, I'll participate in the system and share my data. 
That's the other side of the equation as well. If you think everything is captured regardless of what you want, that's a disincentive and a reason to obscure that information. >> ROBERT GUERRA: Great. Thank you. John? Then I've got a question. >> JOHN CURRAN: That's an excellent point. The evolution of the databases that we're talking about, the WHOIS database, both DNS and IP are public and the advantage of that is that they are relatively available to everyone. Just for query, the downside of that is they are available to everyone just for a query. This led to some discussion in the RIR community and with the IETF about potentially looking, WHOIS potentially as a protocol is long in the tooth. It's an aged protocol with colorful attributes to it. There is something coming, RDAP, remote access in a structured manner that would provide some authentication and different views for different parties. There's work in the IETF and RIRs in working on the protocol to see if it's a viable long-term direction. That would further support data integrity. People can know there's information I'm making available publicly and there's information I'm only making available to the RIR or some subset of personnel based on whatever characteristics are set. >> ROBERT GUERRA: Thanks for that. I have a question that is going to turn the topic of our session. I'm going to ask the question and get to you. You are turning the session on its head. We are talking about catching bad actors online and who the bad actor is is in the eyes of the beholder. It could be law enforcement but I know some in the room are investigative journalists. They want to understand and find out who is attacking who, if law enforcement in the country isn't, and do their own investigation. So John and others, you have mentioned that the data sources are public, that anyone can do this. And law enforcement is doing it and that's great. 
But I'm wondering for those in another community that also do investigations that are trying to discover what is going on, to what extent have there been outreach efforts to make sure that they have the technical know-how to be able to use the same tools so that they understand what law enforcement is doing, if it's doing it in a legal authorized way? And if moving towards RDAP might make it more difficult for those who aren't the law enforcement to do investigations that have been healthy for democracy. >> I can answer the first part about our engagement with other agencies that are not law enforcement. We do do that. At the moment normally that is done through the Public Safety Working Group of ICANN which is not just law enforcement. It's all people who have an interest in the safety of the public. We do similar type of engagement with the Public Safety Working Group. We know that's a far bigger community than just law enforcement. Yes, I suppose we could do more on that, but yeah, that's something we may have to think about. The RDAP one, I'll leave it to the technician. (John.) >> The second question you raise, which is there are actors right now in the Internet who are involved in investigation who aren't properly law enforcement. Actually, if you know anyone who does security work, DDoS mitigation, anti-spam. There are a large number of players who need the ability in order to keep the Internet running to have access to information. They need access to information not necessarily down to an individual person. When we talk about privacy, that's what we are worried about. We are not worried about something is going back to a particular ISP or business or even a particular educational institution. It's when someone says I want to get this tracked down to a user, we get into a challenging privacy environment. One of the questions that comes up, right now there's informal based security forums that share information. 
These are parties that have gotten together and agreed to trust one another because they are all involved in mitigation of attacks and similar. We may end up with multiple tiers of information. It may be that in fact someone can register something privately and know that for network operations purposes that information may be shared. But still not down to the individual user, which would be still protected. One of the advantages of having a protocol that allows multiple views, it doesn't have to be either or. It can be layers of views. >> ROBERT GUERRA: I had one last question here. Please. >> You talked a lot about IPv4 and IPv6. What about TOR? How do you handle TOR? >> ROBERT GUERRA: Jeff, you put TOR on your slide. If I recall well, you were going through a different history. You are saying there is a period pre-VPN where it was easier to catch people because they weren't using things to connect through other means. I see your question as twofold: How does TOR make investigations harder? Is there an IPv6, does TOR -- yeah, what about the IPv6 issues? I see TOR in investigations, does it make it easier, harder or is it a moot point? >> JEFF BEDSER: I regret putting the word TOR in my presentation. There is no question, TOR can run on V4 or V6. That is an anonymized system where you can log into TOR and come out from another IP address that anonymizes your transaction. Your Internet connections. Yes, TOR does make investigations more complicated. However, TOR actually came out of a United States Navy development process and TOR has some vulnerabilities as well. Those who know how to do it, do. There are other systems such as there are providers that have -- actually John Curran and I were talking about it this morning. There are providers who have tens of thousands of IP addresses, whether it's six or four, that provide VPN services where you can buy access and log into their system and grab a fresh IP address every single transaction. 
So there are many complications investigatively, not just which type of IP address you're coming from but also to obfuscate the origin of Internet transaction or traffic. >> ROBERT GUERRA: Before I get to you, we are wrapping up soon, but that's a question I see that is in regards to investigators. So Jeff has his piece. But we happen to have someone from the FBI on the panel too. So Iranga, I wanted to get your sense from a broader scope is, in regards to the investigations, FBI or other law enforcement have been doing, what is the effect of using anonymity tools such as TOR or oamplets has it made investigations more complicated? And if you can answer it -- I'm not sure if you can -- would you say that does TOR actually make crime worse because people are using it or is it a general tool that everyone is using? Your answer or your comments on the use of anonymity software, is it complicating the investigation of crime that the FBI does with would be most helpful. If you can answer that, the person in the audience who asked the question would be keen to hear your response. >> IRANGA KAHANGAMA: Sure. Broadly speaking, anonymity is always an issue. The FBI buckets it under a programme called Going Dark. That relates to encryption at large, both data at rest and data in motion. They are pursuing lots of difficulties. I can't speak specifically to any specific programme or method, but it is definitely an issue. I think it's a problem that is only going to increase because of pace of technology is there and it is going to naturally do it and it will be a matter and if and how we deal with it. Whether that's internal or through some sort of legislation or some other kind of solution. Anonymity in general is a problem and something that we are seeking to address. >> ROBERT GUERRA: Thank you for that comment. So we had -- John, you wanted to comment? And I think Dick, you wanted to make a quick comment as well? John, please, go ahead. 
>> JOHN CURRAN: Regarding anonymity, it is an interesting challenge, if you think about it. It is really a question for the people in the room. What I mean by that is, we are in the earliest days of the Internet right now. The Internet works, but evolves over time. And we've only just begun to see how the Internet affects economic and social development, how it becomes pervasive in oh so many environments. Law enforcement is just now getting a grip on how to perform its duty, which is protection of security. Protection of people's right to be secure on the Internet. As we get further down the road over the next years and decades, we have to decide what the right answer is. In other words, perfect anonymous speech means perfect anonymous speech without recourse for attribution for hate speech. You can't have it one way or the other. So the Internet faces a question of what does it want to look like in 20 years? Does it want pure anonymity and the implication of what that means? Does it want some form of mediated anonymity where there is a method for piercing the veil for swh someone uses it to har? Does it not want it at all? It is an open question because the Internet is a very young thing and we are only now really seeing it become part of society. But it is going to be something we deal with because you can't have it with its benefits without its drawbacks. We have to decide consciously whether we are accepting them or not as a group. >> ROBERT GUERRA: Thank you for those great comments. I'm looking at the clock and we are a little bit over our time. So I just maybe would go over to Jeff, if you had any concluding comments you want to make. I'll make some and before I make some comments for the audience. >> JEFF BEDSER: I'll stand on my last comments as my concluding comments and go back to you. >> ROBERT GUERRA: I want to thank everyone who has come to our session today. 
We invited some folks to the panel and I saw there are a lot more knowledgeable folks who also came into the room. We have AFRINIC, we had all the other RIRs in the room. We touched on investigations, helping people in the room understand not only the IPv4 and IPv6 transition and understanding that in a little bit of context. The folks on the panel probably would be happy to speak to the folks in the audience if you have follow-up questions. This is the place for dialogue. So I appreciate too that members from private sector, the government, and some of our remote participants were also from government as well. So it allowed for rich conversation with all the different stakeholders on this issue. As John said, in an issue that is evolving where it is important for all the stakeholders to know, to make sure there are good checks and balances but also so we are aware of investigations that take place and how those are taking place. I thank you all for joining us this morning. I wish you a great rest of the day and the rest of IGF. Thank you. (Applause.) (The session concluded at 11:50 a.m. CST.) (Please stand by for session number 37, Internet fragmentation: Getting next 4 billion online.) >> MODERATOR: Hello, everybody. We're going to get started in a moment. Two minutes! They are getting the audiovisual and the video ready. >> MODERATOR: Okay. They are ready to go. We are going to go ahead and start. Did you want to say something at the beginning? >> Thank you so much everybody who came to this workshop and all of our panelists. We will be doing breakout groups in this workshop. We count on your participation and enthusiasm. Thanks a lot. >> SOFIE MADDENS: Oh, I'm one of the organisers, Sofia, for this workshop. I'm Sophie Tomlinson from the International Chamber of Commerce. 
This is also cosponsored by the government of Egypt and the Internet Society. >> MODERATOR: I want to -- I'm Robert Pepper. I am each at Facebook. And this workshop really grew out of a series of, I guess it was, I don't know, many workshops or what we want to call them that Carolyn knew general and David Vorst, David from ISOC in Washington, D.C. had a series of workshops looking at Internet fragmentation. Internet fragmentation, looking at it from the technical, the policy, the business, a variety and range of issues related to this question, this notion of Internet fragmentation. At our first workshop U.S. Ambassador Daniel Sepulveda said that one of the things that from his perspective that is leading to Internet fragmentation was the fact that 4 billion people on the planet were not connected to the Internet. So a lot of the discussion about Internet fragmentation are -- we want the Internet to be global, end-to-end. There has been discussion, there was a great paper that was commissioned by the World Economic Forum on Internet fragmentation. That's available online. But I'm sure some people will raise it. It talks about what fragmentation means. There are different ways to think about it, in terms of this global network of networks. But one of the biggest factors in the fragmentation, not just of the Internet, but not having global benefits and connectivity is the fact that there are over 4 billion people not connected. So we are very lucky to have panelists, because this is the Internet Governance Forum. It's multi-stakeholder. We have stakeholders from every constituency: Civil society, government, private sector, the technical community, international organisations, and everybody here in the room. 
As I said on a couple of sessions earlier in the week, just because people are designated or sitting at the table and this were as part of the preparation process as speakers, everybody in this room is an expert and everybody in this room will have an opportunity to have an intervention. That is the way it should be. And that is one of the defining characteristics of the Internet Governance Forum. The second thing that we are going to do, after we have the opening, the first part where we are talking about various aspects of how different people are thinking about and trying to address Internet fragmentation or reasons why 4 billion people are not connected, we are going to have three breakout groups. We will go to different parts of the room with the idea that again, the people here have real world experiences. What we would like to do is identify some very concrete specific examples and proposals of how to address three different causes for why people are not connected. And then come back and have reports out from that. And if we are successful, at the end of the hour and a half -- I really appreciate people being here as opposed to at lunch, right? The food will still be there. So right before we all go down to eat, we will be able to have a report out on a list of some good practices and real world examples of how people, countries, communities are addressing some of these reasons of why 4 billion people are not connected. And some of you have heard me say in the past that I don't believe in best practices. I think of a menu of good practices. Because one size doesn't fit all. So we need to learn from each other what works in different places and how we can then apply that in our local situations. So we are going to go ahead and start with our first set of presentations from the -- these are going to be lightning rounds, right? Again we only have an hour and a half total. 
The idea is to put some things out there from the various speakers to get things going and we will go into breakout sessions. So we are going to start with Christine Ardia from the government of's -- Ardia. Thank you for -- Ardia, for joining us. >> CHRISTINE ARDIA: Thank you, Robert. Okay. I want to thank ISOC for organizing this workshop. I think it is very important because it is a different dimension of Internet fragmentation. I thank you as the moderator. So I will start off by looking a bit at fragmentation from the perspective of, I work for Egypt for the telecom regulatory authorities. I will touch on cases most relevant to Developing Countries. So fragmentation, this great paper that you referenced has put forward a lot of great literature about what fragmentation is, what are the different cases, all that. All those classical issues, they are valid for Developing Countries. When you look closer at Developing Countries you figure out that fragmentation has made a wider or broader dimension. It is not just about willing points of connectivity not being able to be connected or being obstructed in any way, but more of people getting online that are unable to get the very same experience that other users around the world are getting the experience. This could be due to different reasons. Infrastructure that is not stable, that is much less than elsewhere, so they don't get the same experience, the same services. It could be because of affordability. Prices are not affordable for everyone due to many, many reasons that probably all of you know about. Also the point that not the language, all the benefits that you can get from the Internet is not the same. So you are not opening up to users from Developing Countries with the same economic opportunities that you can get elsewhere. So I think fragmentation from the perspective of Developing Countries is a bit wider when looked at. 
You can also look at social fragmentation as you were saying. We have so many unconnected people. It is getting those online that is also specifically making that social fragmentation when it comes to the Internet connectivity. So it is good that we are looking at fragmentation with the perspective of connecting the next billion, and we know the next billion are probably, 4 billions are coming predominantly from the developing world. We also know that rates of adoption in Developing Countries is promising. But we can see that gaps are increasing and not increasing. We have users coming from Developing Countries but not coming with the same connectivity. This is the part of fragmentation that we should be critically looking at. Talking about cases, I picked three cases that I thought could be important for the Developing Countries. So one of them is the case of the app economy and the OTT case. You have remarkable grasp of mobile devices. This brings along OTT and devices that users in Developing Countries are using the Internet. On the other hand operators are seeing the revenue shift. That is classic. They are not able to reinvest into broadband infrastructure as they used to. The result is that we have lowered infrastructure. So we have over booked infrastructure. We have bad quality. But we also have some trends that we are seeing in fragmentation, where the operators or the local service providers want to throttle or block some of the services simply because they are picking into their pockets and they are unable to continue in that sense. So in return, you see another trend of fragmentation where users start to use VPNs to overcome those restrictions, which is another trend. The users are coming to the Internet with the walled garden concept, not opened to the full-fledged Internet. They are coming in with that perspective. 
So if you couple that with the policies that are not yet there when it comes to net neutrality in those countries, you figure out having a trend of increased fragmentation which is not really being addressed by the policies as much as it should be quickly. That's one case. The second case is the zero rating case and the second class experience. That is related to affordability. You have to go down with prices to get more user segments. On the other hand you have to have investment in infrastructure. You get a lot of second class structure. We see zero class structure. Are they coming online with the same experience or are they having a light version of the Internet or the Internet that is for poor people? That is the second trend. The third trend, the emerging of cloud. Services are coming quicker than policies are moving. So the equipment is there. For example, machine to machine, cloud and also people are adopting those services, but the policies are not going with the same pace. The end result for that, governments are becoming protective, localizing data, doing some restrictions on cross-border movement of data because they are not ready with the policies for IoT and for cloud computing. So those are the three cases. There are other cases that may be less impactful such as spam and black lists. The developing country -- there are issues of universal acceptance because of languages. Those are other issues, but I try to conclude here. I think Developing Countries are more affected by fragmentation. I think we need a lot of discussion between those who are in control, basically on one side local policymakers. On the other side, private sector which is cross-border which is not within the local boundaries. We need a multi-stakeholder dialogue specifically in there to solve those issues instead of having an increased gap. Thank you very much. >> ROBERT PEPPER: Thank you, Christine. Verna Weber from OECD. >> Verna: Thank you very much. Hello, everyone. 
Thanks a lot for inviting me to speak at this panel. So in June 2016, actually a couple of months ago, the OECD organised a ministerial meeting on the digital economy in Mexico. I would like to take this opportunity to thank our Mexican hosts for the tremendous job they did, as well as they are doing here for organizing the IGF. We will report back during our Open Forum at 3:00 p.m. this afternoon. So one of the four substantive pillars of this ministerial meeting was about what we termed Internet openness. So which is basically the idea of the range of the sky, right? At the OECD when we talk, we prefer to talk about degrees of Internet openness rather than Internet fragmentation. And you can download the background paper that we did on our ministerial Web site. And we proposed basically that Internet openness is a multidimensional concept. So in our framework we have four basic pillars. We distinguish technical elements, economic elements, social elements, and other factors such as for instance cybersecurity. So technical openness, for instance, increases when openly available protocols or standards are used. Social openness for us includes concepts that are related to human rights such as freedom of expression, for instance. And then for us for the OECD, economic openness, or if you want economic fragmentations depends on the ability of the users to be able to access the Internet and to enhance opportunities. This is where we see the link to connecting the next couple of billion users. So actually you can think of the highest degree of fragmentation closeness, if people are simply not connected to the Internet. Being able to connect has a lot to do with affordable access. And for us, a lot of our research has shown that competition is a very powerful lever, if not the strongest lever to extend access to broadband connections to consumers. It is competition that is driving prices down and encouraging innovation in the market. 
We clearly see this in Mexico over the past years. And another example that I have, and I would like to conclude with this example, is India where Reliance Industries has launched a 4G network called Jio after investing over 20 billion U.S. dollars. They have to cover 90 percent of India's population during 2017 which would further increase competition in this market. The company is currently not charging for data and voice as an introductory offer, but what we can see from the press and from their announcement, they want to continue to offer access at very competitive prices. In addition, to address the issue of further availability and connectivity, they are planning wifi hotspots for which they leverage their extensive fiber network. Thank you. >> ROBERT PEPPER: Thank you very much. Our next speaker on the list is Jimson. I don't think he is here -- oh, you're here? >> JIMSON OLUFUYE: Yes, yes. >> ROBERT PEPPER: They told me you were that side. We met this morning. How can I miss you! >> JIMSON OLUFUYE: Thank you very much. I'm right here! And please accept my thanks for all the work you are doing, Robert. And I am thanking the Egyptian government for this very important workshop. I am Jimson Olufuye for the African alliance. This is made up of companies and ICT associations from 27 countries in Africa. I personally run an ICT firm. We do data cybersecurity. So fragmentation issue is a very serious issue because it has the tendency as we all know and agree to hinder the connectivity or the connection of the next billions to the Internet. Those of us already connected, we are privileged really. Let me say we are the affluent ones so to speak. So those of us that are more in a good position so sudden really taking it seriously about reaches the next billions. I want us to issue first and foremost is the issue of corruption. In our region when it comes to deploying the I am projects that get people connected, they are handled shoddily. 
The principles are wrongly applied. You find they are not sustainable. Once they are connected one year, then the second year they are hanging. They are held helpless. So that is a major concern. Administrative principles over universal service fund. And also we need to be very flexible in this regard with the zero rating and all this technology application intervention to get people connected. At least get them connected and then you can improve and make the choices and so on and so forth. After all, we see how the measurement in terms of broadband, why people are connected to broadband and different category of broadband. We see it every day. Once you have your phone you can apply to move higher in terms of the level speed of access. So that is to say that it is essentially a business issue. Fragmentation is a business issue based on business models and so on and so forth. We may have to live with it. But we need to have in mind that we should consider people in the community basically. We had this summit two months ago in Namibia. And a major theme came out to me. That is the gap between government and the private sector is really a huge gap. And the gap is a major fragmentation really. The private sector have resources and they are ready to deploy to underserved areas, but they need government endorsement. The connection was not so possible until that event took place and bringing them together, and the conversation is ongoing. So that is why the multi-stakeholder principle of IG, we need to talk more about it. I don't know how else we can push this information. It's okay. We need to talk a lot more about it at these fora. That gap was really serious. Technology fragmentation is coming up. Another one is regard to DOA, digital object architecture. This is something running on the Internet and you have some people having control over the handlers and principally government now. 
And so it is a new ball game that is bringing up, some people are really cut off from this and they will now begin to strive again. How do we meet up with those government who are in control of the handlers. These are challenges with us. But the point for me is that when we are talking about these fragmentation issues, we need to enable poor people yet to connect, to connect. What is happening in India is good. To connect, at least let them begin to use it. To use it, they can move up the ladder. But let's bear in mind the fragmentation at every different level, but we need to address it so that the poor in our midst will have access to the Internet benefits. Thank you. >> ROBERT PEPPER: Thank you, Jimson. Next we are going to move to the first speakers -- well, we had government, we had international organisation. We have private sector. And now we are going to move to the technical community with Karen Rose from the Internet Society. >> KAREN McCABE: Thank you very much. At the Internet Society, the two key themes of the current agenda are increasing Internet access and improving Internet security and trust. And in addition, earlier this year we launched a project to take stock of some of the key forces of change that are going to change the Internet of the future within the next seven to ten years. And to do so we have gone out to our community for their input and we've received so far over 1500 responses from over 100 fix countries around the -- 156 countries around the world. The issue of the digital divide and the linkages are coming through as a big theme and concern for the future of the Internet. Many contributors to our work see that the notion of the digital divide is really going to transform, and transform into a question not just about who has access and who doesn't, but about the disparities really in the practical ability to use the Internet for opportunity and advancement. Very similar to some of the concerns that Christine well articulated. 
As one of our participants noted, in a quote, he said the word "access" isn't enough. The real question of the future will be what kind of opportunity is really available to you with the access that you have. And on this score many in our community are really concerned about this gap, this new digital divide, the disparities between whether different countries, genders, social groups can meaningfully participate in the Internet, there is a concern it will grow in the future. If we have sheer connectivity as our goal, there is a disparity in the ability to meaningfully participate. Many see this potentially growing in the future especially because of this issue of fragmentation. So some concerns that have been raised by our community are will some communities in the future be left isolated on IPv4 networks while the rest of the world communicates through IPv6. What is the implication there for the ability to meaningfully participate in the Internet? Will some communities be at a disadvantage relative to others because of policy fragmentation? Government-imposed barriers to open Internet access or potential barriers to technology use out of fear of security concerns. The potential for slowing investment in new infrastructure once basic access is achieved. Meaning potentially that some countries and communities might not be able to innovate at the same pace as others. Those that are already ahead will continue to move ahead more quickly than other communities just coming online. One commenter from India really underscored this issue of the potential for growing gaps in the quality of access between the rich and the poor within countries themselves. 
A lot of times we think about the digital divide between countries, but emphasizing this issue that if you're rich and have access to high-speed broadband, but you are poor in the same country and only have access through old technology or through limited technology, the difference in the opportunities of the Internet are vast. These are just a few of the issues highlighted by our community. To be sure, there's still a lot of work to do to get everyone around the world online. I think this is a timely discussion because we not only need to look at the impact of fragmentation on today's challenge of achieving universal access, but what also fragmentation may do to create new digital opportunity divides in the future once people are online. Thanks. >> ROBERT PEPPER: Thank you, Karen. By the way, to correct the transcript, I said Karen for some reason because they said it was Karen McCabe. No, it is Karen Rose. Karen McCabe may be in here but she's doing great work from the IEEE. From the technical community we have two Karens, Karen Rose from ISOC and they are working together on a number of projects specifically on this. So -- and they are both billion. Maybe that's why the transcript got it wrong. Move on to civil society. Alison Gillwald? >> ALISON GILLWALD: Thank you very much. I'm from Research ICT Africa, which is Africa-wide network based in Cape Town. We do have sort of doctoral programmes and we are concerned with trying to build alternative strategies and appropriate regulatory frameworks in our countries, but it is very much applied research. We are looking for solutions. So I suppose a lot of the things I'm going to be saying are really about being very pragmatic, working with what we've got in order to make sure that we get people online. 
I just think the qualification you made about what is fragmented, the sort of assumption that this free and open Internet is actually all out there and it is wonderful and we have to be careful that it doesn't get clawed back in any way, is simply not the case. I think having the free and open Internet, the 1 billion connect projects and things that speak about equitable access and high-speed and quality and all of these things, wonderful as aspirational but maybe not in our lifetimes. What can practically be done, is important. The will fragmentation question then, you know, one needs to understand the extension of the Internet and the availability of the Internet as reflecting other global inequalities that are there. And a global and national inequalities as you pointed out. This is reflected at the national level. In addressing that, as we know more people are getting online. We are amplifying that digital inequality. I think it is important to stress the inequality aspects of it that we see increasingly as people move into the Internet of traditional voice services, the opportunity to use Internet even if you have access you have access but don't have it because of affordability. This creates a freaks flexible enabling environment in many of our countries where we have fragile states or vulnerable states or states with limited institutional capacity to implement some of these things. So creating environments that are certain, so you do get investment. I want to respond to quickly in this regard to the issue of OTTs and the failure of investment because of the OTTs. All the countries I worked in in Africa, there is no evidence of this. Governments have to be careful of drinking the telcos' Kool-Aid on this. There is trouble with voice over services to -- we see competitive markets moving very effectively from voice services to data services, and billions of dollars of investment in order to do so. 
Those are that are forward looking can are partnering with data companies and platforms to drive services which are driving demand and getting investments and creating their own content. I think we need to be careful not to get stuck in a telco world here. That said, those infrastructures are critical and we have to create the right incentives for operators to go in there. We can't adopt protectionist policies for investment that probably aren't going to see the kind of investment we need in this environment if we are not giving people spectrum. Seeing in our environment the broadband are the way that massive people are accessing the Internet. We see extensive fiber investments because of the business drive in this area. I really think we need to integrate our traditional telco regulatory environment. We need to get that right but need to leverage the resources we have in resource constrained environments. We need to use private investments where they are there, incentivize those. We have to get individuals to self provide where they are able to, and adopt policies that are not using net neutrality purist notions of the Internet that are simply not going to happen. We should encourage any innovations that bring people online. Whether it's zero services, limited cap 3G, emergency services all those things, we need to bring people online. They are not going to be online on equal terms but we need to at least bring them online. Yeah, let me end there and I'll come back to it. Some of the issues -- one more thing I wanted to say was that in speaking about getting the open and free Internet out there, also in governance terms even in relation to technical terms, never mind in technical fragmentation, obviously technical fragmentation is our key issue and we want to ensure that there is not small Internets and things that don't work outside of China or somewhere else. 
As technical levels we want to push that but we have to stop just speaking to governments who are feeling the anxiety of not having the critical resource and modern economies under their control. We have to bring them in. We have to reduce those fears. We have to create systems of trust and involvement and participation. There will be some governments that won't want to engage either on the technical side, the right side or whatever else it is. I suppose there is not going to be a lot we can do about that. Localities of governments are anxious about their -- lots of governments are anxious about their data being in other warehouses. We need to engage with that. The implications are severe. We have a enough of governments that are setting up, for example, internal eGovernment systems, internal communication systems that have seen the value of using cloud services, for example, at a fraction of the cost of other services. They still have anxieties about where the data is going to sit and those kinds of things. We need to engage with those governments far more than talking at them about what they should be doing in terms of privacy, surveillance and of course on the technical side as well. >> ROBERT PEPPER: Thank you, Alison. If I could really quickly, because you laid out a set of principles, but you do a lot of empirical research. You mentioned the OTT. In an earlier session you talked about your empirical research on the findings on zero rating. Could you briefly report out on that? And whether or not ... (Speaker away from microphone.) >> ALISON GILLWALD: Yes. So we do both supply and demand side work. My colleague in the corner there, painstakingly collects every single piece of data across 15 African countries quarterly, it is supported over many, many years and it is an extraordinary resource that tracks data prices, and various things that are happening. That's the supply side database. 
There is really the only empirical extent of supply side database to inform the discussion going on about zero rating. On the demand side we have the ITT access and use surveys. I quickly refer you to the paper because I can't summarize it here. There is a paper covering four African countries on the ICC dot neb, Kenya, South Africa, -- South Africa and -- it is a strategy used by operators per market share, retention and attraction purposes. It is a whole lot of dynamic bundled services, et cetera, that are driving Internet take up. One of them is an important one. We know from the demand side network, it is social networking driving the services and obviously the zero rated versions are that are allowing poor people to come online. There are problems with the data at the big data peck. At the prepaid level, you don't know who the people are and, they are suggesting that F percent are moving through buying service. From on demand side services we know that people are online but using the zero rated services. It is addressing the usage we were talking about, intensity issues for people who can't afford those services. There is more in that paper there. Just to say that it needs to be understood rather than just with niece blanket bans on the basis of information. Before TRI on the banning of free basics, there was little information on the ground. We need to look on a case-by-case basis. All African markets have been provided, it is being provided by the late entrant mobile operator. It is enhancing activity. As long as people don't buy it, it is not going to be zero rated. If less people move on to that, it won't happen. Maybe anti-competitive for the content providers. You have to address that in a different way. >> ROBERT PEPPER: Thank you. Staying with civil society, Sorina from DIPLO foundation. >> SORINA TELEANU: Hello, everybody. It is difficult to add something new to what has been said. I will bring in a regional perspective. 
I come from Romania, not well represented -- southeastern Europe region, not well represented at IGF and other Internet Governance spaces. I will bring in the aspect and. First of all we did a survey in the region earlier in the year and asked the community what are the main Internet-related challenges. Surprisingly, digital divide was the first one. Yes we still have digital divide and access problems in our region with mainly unconnected regions and divides between countries, but also within countries. I will give the example of Romania. We have cities with high speeds and you might have probably seen Romania ranking high in broadband speeds but at the same time half the country is not connected. We have that problem. That means we need to build more infrastructure but at the same time the private sector is not so interested in investing because the commercial interest is not that high in the remote areas. This is where the government should be intervening. This was actually a recommendation that was made at our subregional IGF earlier this year, the southeastern European IGF, where people said there is a need for public private partnerships in order to build infrastructure in these areas. This was about infrastructure. Another thing in our region which is more related to the actual fragmentation, we see a lot of blocking. Both by governments are when it comes to content policy. You want to avoid child pornography or online gaming. And the solution, the government here is asking them to block certain content. As both Internet Society and some organisations within ICANN have said blocking at the level of the DNS can lead to some form of fragmentation in the Internet. But in the region we also have geo-blocking, companies from outside the region they don't offer their services within the countries. That is another type of fragmentation for users in our countries. And the last point I want to mention is about local content in local languages. 
Some of you might know that our region is quite diverse not only in terms of languages but also scripts. We have Latin, we have Latin with diacritic marks, Cyrillic, Armenian, Georgian and a diversity of scripts there. There are efforts to implement the international domain names. This is a good thing for bringing more people online, allowing people to express themselves in their own languages and scripts. IDNs have problems. Mail addresses don't work well in IDNs and search engines do not recognize them. This is a form of fragmentation. Yes we have them but they are not reachable. These are the main points in addressing fragmentation in our region in which we are trying to work within the southeastern European dialogue. Thank you. >> ROBERT PEPPER: This is an experiment. We are going to break into three groups. Question is, what are the groups going to do? Some of the things -- and so we have been up here trying to distill in realtime a little bit of -- three problem sets that people have raised about fragmentation, about leading to not having more people connected, 4 billion people connected. We will have speakers who are part of the groups and will be reporting back. In realtime we are making changes of the themes of the three breakout groups. So they are all going to have to listen carefully. I heard, there are a lot of things put on the table, but I think there were three things that came through very, very clearly. In multiple presentations. The first one is that there is insufficient infrastructure for a variety of reasons -- I'm sorry, let me back up. What we want to do from the breakout groups is have things that people are actually working on to solve those problems, right? In a very practical way, solve those particular things that are leading to the fragmentation of more people not being connected. All right. One theme that came through was the network connectivity. There is a subset which is there is no connectivity. 
But multiple people said, well, you know, the connectivity we have is not good enough. It may be either old connectivity and hasn't been upgraded for real broadband or Christine, you know, mentioned operators that are not investing to upgrade from the -- upgrade from the old technology. But in order to take advantage of, right -- I loved the way Karen and a couple of others talked about being able to take advantage. Use and take advantage of being online and what are the barriers. One of those barriers is the lack of good technology. So why don't we have -- this is about insufficient networks and insufficient increasing capacity of networks as well as getting networks to places where there are none, right? That will be one breakout group. The second and the third breakout groups, both things I was hearing about capacity building. So part of, or one of the issues -- again it came up multiple times on capacity building. The ability of people to use the Internet. To meaningfully participate for people. So there are projects and programmes working on skills, capacity. Based on our main session yesterday, there is relevant content, right, and linking relevant language with local content, making it easy and use to understand what the benefits are, that's a second issue. So the second breakout group will be focusing on capacity building and locally relevant content, local language. The third breakout group, I heard a different issue on capacity building which I was not expecting to hear, but multiple people raised it. That is helping government and government policymakers learn about the technology, the Internet, the benefits, what needs to be done to really for themselves to take advantage but also to create the right environment and enabling environment for Vega adoption and use and -- for increasing adoption and use and benefit of the Internet. 
Part of this is about government capacity building, helping government policymakers learn more and do better and really appreciate. So that I would propose to be the third breakout. Again, I know that there are people in the room working with governments around the world and in your countries to help them go up this learning curve, right? I was not expecting to hear that as one of the themes popping up, but it was. What we are going to be is a little chaotic. Why don't we have the first breakout, which is the network infrastructure, meet over here. Right? And the second one on capacity building for individuals, meet over here. And then the one on government capacity building meet back over there by the door. We have 20 minutes. Then at the end of it, it would be great if each of you could pick -- one of the people who will be presenting in the next one, try to distribute yourselves. You can then report out and we'll have the other presentations. Let's try this as an experiment and see if it works. Twenty minutes! Infrastructure here. People capacity here. Government capacity there. (Captions are suspended during the breakout sessions, and will resume when the groups come back together.) >> MODERATOR: Three minutes! (Standing by.) >> ROBERT PEPPER: If we can get back to, to finish up and bring your chairs back? I'm glad everybody is having fun. (Pause.) >> ROBERT PEPPER: I guess we could have had more time. Okay! I think there's a lot of activity, a lot of energy. This has been good. Unfortunately, we are going to be tight on time. I think we can go over a little bit. They still will be serving food downstairs. So just to get on with it, there were I think two of our next speakers who were in the infrastructure discussion. Izumi and Carolyn. So why don't we, if you can report out? Have you decided between the two of you how you are going to divide that up? Or one of you start? Izumi? Izumi, why don't you start and then we'll go to Carolyn. 
>> IZUMI OKUTANI: This is Izumi Okutani. I was in the group that discussed the infrastructure part of the fragmentation, how to actually try to reach out to those who are not connected. We focused a lot on the benefit of community network. That's where private sector is not able to accommodate, I don't know, the benefit or cost. And some of the benefit of community network was being discussed that we could create price benefit that it might make it available more for users who don't have that much money, competent five private services. Or it is also compared to subsidy by the government. It makes the community be more proactive. They have the sense that they have to maintain and operate the network. So it leads to capacity building technically as well, rather than simply being a customer and then keeping receiving what they receive from the government. But there are also challenges being identified such as how to actually start with funding. One of the answers may be the governments provide the funding at the beginning and that the community continues to do the work. Or how do you actually provide, stop connectivity in -- start connectivities in areas that are challenging, like Afghanistan or other areas where it's physically challenging to build a network. There is reference to the group within IETF, GIGA. How do you provide a combination of technologies in areas that are physically challenging? This information is available but another point was that community network benefits, not just the Developing Countries but the cases even in Developed Countries such as Sweden where the community network is being built. So these were the key points being discussed. And remaining questions, what do we mean by community network? Is it just grassroots community effort that tries to provide connectivity in the last mile? Does that also involve projects with the government that it will provide connectivity to the Internet part? Or how do you actually get started? 
What do we actually mean by it? These are still open questions we have within the group. >> ROBERT PEPPER: Thank you. Carolyn? Oh, that was good? Yeah. Use this also as your opportunity to make your other intervention, okay? So this is great. Thank you. >> IZUMI OKUTANI: This is something that was not discussed in the group, but from my perspective on fragmentation I would like to touch on the two technical identifiers, IP version 4 and IP version 6. This is an identifier that you need to connect on the Internet, like you need numbers for telephones. The current version that most of the Internet users, IPv4 ran out of stocks. We want the next Internet users to be IPv6 supported. This needs changes in your network to purchase products that support IPv6 and there are certain features that are still not commercially available in V6. There are things that each of us are able to do to promote V6 deployment in the Internet. For example, governments can maybe request vendors to have more support on their equipment in the areas that is not supported or raise awareness by consumers that these are the products that support V6 and make sure that you purchase them. If you are a consumer for your home, make sure when you purchase anything for the Internet, make sure that it supports V6. If it is not available, ask the vendors or the ISPs if they support V6. This is what you can do on your own part to support V6. There is only 8 percent worldwide, so there is room for people to make V6 available for the next 6 billion connections. >> ROBERT PEPPER: I thought we would have extra time but I was told we have another group coming in. We were having too much fun in the breakouts. We have to keep our interventions short. If there's a comment on the V6 stuff, I want to come back to that because this is quite important. Maybe we can also take it outside the room as we go get lunch afterwards during the break. But this is very important. Carolyn? 
>> CAROLYN NGUYEN: I was going to yield because we were talking about IPv4 and IPv6.
>> ROBERT PEPPER: But we need to ... right.
>> CAROLYN NGUYEN: With respect to fragmentation and the SDG, what I was going to talk about really, we think about fragmentation at the infrastructure level and fragmentation at the application level. So fragmentation at the infrastructure level, efforts at community networking is critical. The way we look at it, initiatives that we have been involved in, a critical element of that in order to make it sustainable because we want to link fragmentation to Sustainable Development Goals is the involvement of the local communities because they are the ones that know what the needs are. They are the ones who will know what applications are necessary by the community, et cetera. So in the initiatives that we have around the world, this is exactly what happens. With respect to the funding question, it depends. Some of it comes from government funding. Some of it comes from global projects. For example, from the World Bank, et cetera. So we try to link that together. As part of our efforts to do this, we have also put out there the affordable access initiative grant fund which is entirely about supporting local companies, companies that are with a few employees that have applications that they are bringing to markets for the local community and what they are looking for is a step in order to scale it out across the world. This is part of our effort to support the Sustainable Development Goals but also increase connectivity at the infrastructure level. And the companies that we have supported range from solar, energy access, et cetera. And then at the application level one of the things that we have been working with is to create a trusted cloud. So we have announced a commitment to invest a billion dollars to bring the power of cloud technology to serve the public good. And over the next three years.
So we are looking to support 70,000 nonprofits, 900 University researchers and expanding broadband communities to 20 communities in 15 countries. Very much implementing the ideals that we discussed.
>> ROBERT PEPPER: Thank you. There is -- I'm not sure where we'll bring it back in, but I do know that there is an issue of security that we want to be raised from CGI, but you also are going to be coming back on the government side. I might want to weave that in when you come to that. But there's the notion of trust and the lack of trust which is keeping people from being connected. For the moment -- we are really lucky. Yolanda Martinez was able to make it back. And is really our host for the whole week. Again, I want to thank you, Yolanda. Yolanda was in the group about people capacity building. So Yolanda, please.
>> YOLANDA MARTINEZ MANCILLA: I would like to give this to Ms. Christina Cardenas. Welcome to Mexico once again. I hope you are enjoying your time. I'm going to see most of you around.
>> I'll do the report out. I'll do the report and then give it to Yolanda. We had a conversation in our group about capacity building. We started with the notion talking about multilingualism and languages on the Internet. The reality that unless people have the ability to get on the Internet and use the Internet in scripts in their own language, you can't even have sort of capacity building around that. As a foundation, we need to make sure that there is more opportunity for non-Latin scripts on the Internet and for people to use them. Secondly in terms of talking about capacity, there was a comment made that it's not just enough to train people on things like how to use the Internet or how to get on a computer and how to type things in and get online, but also there's a need for capacity building about what is on the Internet and what's in it for people.
Not just building skills but an awareness of what is on the Internet and why people should be using it to drive demand. We had a discussion about formal education activities led by our colleagues from Mexico, and some of their experience and their focus on ensuring that youth are engaged in the Internet in classrooms early on. But even in that, in engaging youth in the classrooms we had a discussion that sometimes we might have to reverse engineer from the bottom-up this notion of capacity building. Teachers sometimes have lower skills than students, and some approaches for capacity building sort of go from a top-down approach of these are the things you have to learn. The kids in the classroom and the teachers have their own ideas about what is going to engage them and what is going to build their skills. Thinking about reverse engineering capacity building from the bottom up. We talked a little bit about the importance of creating locally relevant content and the ability to grow the skills and confidence of people in creating content because this is also going to help drive demand for the Internet. When we had a discussion that social media can be a really great way to help people build their skills and confidence, because the first step a lot of people make in creating Internet content is actually on social media platforms or sharing through social media platforms. So that may not be enough, but thinking of that as a way to build skills and confidence so people can go and develop greater and larger bodies of locally relevant content.
>> ROBERT PEPPER: All right. Thank you, Karen. Did you want to say something else as part of your brief intervention from Maria Christina? Because you were going to say something. When we originally structured this, there were going to be the additional speakers to make points such as Izumi made about V6, but again we are tight on time.
I want to give everybody an opportunity, but if there is a particular point that you wanted to make.
>> Well, thank you. We were receiving everything in our group, as you mentioned. We considered the training and teachers and the students to use technology, but also to the whole society. We identified that we need to develop more the skills and understanding of what the Internet is for and if we do that we will be more able to have an impact with the Internet in the communities. And the Internet was not considered before in the case of education, for example. And now that we are showing what we can do, how we can connect with teachers, we change the whole view of how the education can change the new generations for use. Such things as what Yolanda is doing, for example. We are talking about, constructing for the future. But if we don't teach the new people that we use that, we won't be able to use it the whole thing.
>> ROBERT PEPPER: Gracias. Thank you very much. We have one more group, but two more speakers. Carolyn, I'm going to come back to you if there's anything else that you wanted to come back at the end on some of the things you were otherwise going to say. I want to go to Stephanie McClellan from CGI. She was on in the group on capacity building for government but you have important points to make about trust as it relates back to security, as well as a force, having people not connect. So Stephanie, please.
>> Stephanie: Thanks very much, I'll try to be concise. So in our group we had a great conversation. There are people, representatives of different governments from different areas of the world, different Internet access levels. A lot of it comes to capacity building, but in terms of improving institutions. So institutions such as regulators who may not be able to push back against some of the big incumbent players in the market. Sometimes that's a matter of not having capacity or a matter of having cases of nepotism or corruption in the government.
So that is certainly one part of it. Another is looking at issues like infrastructure, looking at education as another institution. So bringing across teacher training programmes that might require some government intervention to try to improve the institutions, like the education system. Affordability is definitely another one of those. Sometimes the government lacks the budget. Or has to be sort of trained and encouraged to make space in the budget for Internet accessibility. Other challenges include around the areas of monitoring and evaluation and stability. Sorry, sustainability. So making sure that it is not just a one-time thing where you implement a new programme but make sure it continues over the coming years, and that you can build on it. Alison raised an interesting point that some governments do see the importance of the Internet for improving their economy and helping their citizens, but some of them don't. So for the ones who do see the importance, they might be limited by not having the strong institutions or not having the resources and the capacity to build that out. For the ones who don't see why it needs to be a priority, that's something that needs to be worked on there. It comes back to the idea of security and trust, which is what I focused on. So if you don't have, a lot of times especially in Developing Countries, countries that are new to the Internet, security becomes an issue because you might not have the education to realise that you need to be updating your programmes and that there are security risks. There's an element of computer illiteracy there. There is an element of maybe people, higher rates of pirated software. You are not getting the security patches coming through. A lot of time the Internet connection is done through mobile phones, those don't have the security standards that you would have in a normal laptop or wifi computer setup.
So for all these reasons there is research including an incredible report by Microsoft put out in 2014. It kind of shows that when it comes to digital access and security, things kind of get worse before they get better. So as the digital access spreads and a lot of focus so far has been on digital access and not on the quality of that access. So in a lot of these cases as digital access improves, security measures don't keep pace. There are higher incidence of malware and cyber attacks that happen. In order to keep pace you have to push through the point where you get the access and the cybersecurity improving in lock step. So a big part of that is building capacity within the governments, improving institutions such as, for instance, law enforcement where they may not have the training in digital technologies and cybersecurity. So in working within existing legal platforms, kind of making sure that the existing laws include references to digital security and cybersecurity. I am going to see ... I feel like I'm missing something. I also know we are in a hurry. Yeah, training, education again being part of that. Basic digital hygiene and not just for the public at large but also people who work within the government to make sure they understand the importance of this as well. For civil society organisations.
>> ROBERT PEPPER: Sorry, I'm being told we are being thrown out of the room. I apologize, Stephanie. Some of the recommendations that you just made on security, right, are also about capacity building in governments as well. These are really linked together. A couple of real quick things before we run. I apologize, we ran out of time. Carolyn, are you okay? I think in some of the projects you are working on -- it's important that the private sector have that opportunity. A couple of quick things. One, there is, for those interested in IPv6, there's an IPv6 best practices workshop when?
>> It was yesterday, but the information is available on the Web site.
So click the schedule under the presentation. It gives key points and the document is available as well. It would be great if you take a look. Thanks.
>> ROBERT PEPPER: Thank you. Second, everybody here in terms of the writing up the results, --
>> We have Hisham from the government of Egypt who has been the rapporteur. I know we have had a lot of discussion in the breakout groups. I ask the speakers to send me key points from that. And all the speakers have my email address. I have been pinging them. Other people, my details are on the ICC Web site. You can find details of that on the IGF forum. I would like to say as well we'll keep an eye about what tweets you guys have been doing as women and pull that into the workshop report.
>> ROBERT PEPPER: Last two points. Great minds think alike. The great minds in this room. We came up with the three areas of capacity building for government, good policy, capacity building for people and good networks. The Internet Society has a policy framework for enabling Internet access. They have a wonderful Venn diagram. That has three things: Expanding infrastructure, support of governance, and fostering skills and entrepreneurship. So maybe we just should have gone to Karen in the first place. It is bottoms up, we ended up in the same place. That's really great. Last thing is, leading by example, right? There has been a lot of discussion in this here, and on the importance in the main sessions and other Working Group sessions on the importance of gender equality in bringing women into the Internet Governance process and the technical process. I'm honoured and proud to be on a panel where there's eight women and two men. This is actually great. That led to the success of this session. So if you can join me in thanking all of the speakers and all of the participants who were here. Thank you very, very much.
(Applause.)
(The session concluded at 1:40 p.m. CST.)
>> Big thanks to Robert Pepper as well.
(Applause.)
(CART provider signing off.)
(Please stand by for the Newcomers Track.)
>> BIANCA CAROLINE HO: Hi, all. Apologies. The Newcomer track will begin soon.
(Pause.)
>> For those on the side, come to the table so we can listen to you. No worries. This is Newcomers, no judging. Thank you.
>> We are going to ask you to kindly to your positions and we are going to start in two minutes.
>> I work for the IGF Secretariat, but I think we know each other because we spend a lot of time together on the Newcomers Track. I want to thank you for attending these sessions. What I see is the same faces at these sessions which is good for the continuation of the track. I am leaving to Bianca to present herself. We will go around because we want to hear your names, what are your interest. We are going to present you our days the speakers. They will be having dialogue with us to see what is the role of civil society within the Internet Governance Forum and within the Inter-Sessional work of the IGF and how can we contribute all together. That's it.
>> BIANCA CAROLINE HO: Thank you. Yesterday we started with introducing every Newcomer. Some of you were here, like Sebastian, some of us are not. It is good to practice talking to the mic. I feel like a lot of people did not even know how to use a mic. That's a good start. Hopefully you can still participate actively. Tomorrow, there is not too many days left but you can still start small. We'll start perhaps from this side. So do you want to talk about yourself and ... just like introduce yourself and pass on the mic so everyone gets the chance and then we will go to the speakers to talk about civil societies, what they represent, why they are here and how they can interact with you and we'll open up for questions. Thank you for your patience.
>> My name is Slobodan Markovich from the, I am not actually a Newcomer. I really supported this Newcomers Track.
My organisation also is one interesting mix of technical community organisation and civil society organisation, given the fact that we are a not for profit. So please ask me anything either now or around the agenda.
>> Hello. I'm Stephen, a Professor in communications studies at York University in Toronto, Canada. I also have been involved for the last ten years at least about different, in social movement and civil society organisation and relationships through alternative technologies and alternative media. I am now right now interested very much by Internet Governance discussions.
>> Hi, I'm Matt Hatfield, on behalf of IFEX, we defend and promote free expression, a global network of organisations.
>> I'm (indiscernible) a youth representative the Netherlands. I have to obey, this is not the first IGF. It is my second. But I'm really curious about things that will happen in this session. So okay.
>> Thank you. My name is Benjamin, Vice-Chair of the At-Large Advisory Committee at ICANN. I participated in seven of the previous IGFs and I was in four of them either speaker or organiser for workshops. I think I will stop here.
>> Hey, my name is (indiscernible), I am from Chad, the national Coordinator of IGF Chad and also a member of Afri-ICANN. Thanks so much.
>> Hello. My name is Olivia coming from Togo, west Africa and part of regional academia, Africa IGF.
>> My name is Dasia, coming from Congo, assistant on new project and it is my first IGF.
>> Hello. My name is Nicolas from Uruguay. I am computer engineer. I am working as a network engineer at LACNIC. Also part of the YouthIGF movement from Uruguay. When we organise a meeting to specifically Internet ecosystem, how the Internet works. Also we are attempting to give more information about security and focus on that. Thank you. This is my first IGF.
>> Hi. My name is Odelu from the institute on research on Internet and society in Brazil with research on a lot of topics and public policies.
I am my first time in IGF.
>> Hi, my name is Rasha Abdulla, Professor of mass communication at the American university in Cairo, a new member of the MAG representing civil society.
>> My name is Ricardo, the Ambassador at large for cybersecurity of the Spanish government. I am here as an observer. I would like to see how the participants of this workshop deal with the issue that we have to discuss today. Thank you very much for welcoming me.
>> I am PY Wong from Malaysia, I have a CSI known -- we special like in LAC reform. This is my first time here.
>> Hello, everyone, James, I represent -- I am from Kenya and represent an organisation called the bloggers association of Kenya. And we have a project called I freedoms Kenya and that is concerned with human rights online. I'm really happy to be here. This is my first IGF.
>> Hello, my name is Ted. I'm a French student in economics. This is my first IGF. I took part of the YouthIGF in France.
>> Good afternoon, my name is Sebastian, here representing the dot EU domain registry. We had a session today on the influence of noncommercial users in the web space and I am here to kind of pursue that dialogue and see how civil society can interact with us and how we can interact with them. While our organisation has been here before, this is my first IGF.
>> Thank you. Hello, everyone. My name is (indiscernible) Haga, youth IGF from France and it is my first IGF.
>> BIANCA CAROLINE HO: Do we have anyone else? Maybe you? Would you like to say your name?
>> Hello, my name is -- Haurta, from Mexico, we have the telephony cellular project in rural communities. This is my first IGF. I come here to this table to see how I can engage with different groups. Thank you.
>> BIANCA CAROLINE HO: Thank you. There is one seat next to me. Do you want to sit here maybe? It is there for you. Also there is one here next to the ...
>> My name is (indiscernible) Chavez, the first time for me here in the Forum.
I come from (company name.) Mexican organisation that focuses on multilateral and civil society participation. I am Professor of communications and advisor for parliamentary advisor for radio and TV in reference to digital areas.
>> BIANCA CAROLINE HO: Thank you. I think that's it. We don't have any other participants, as far as I can see from here. So let me now first of all say thank you to the colleagues from IGF friend that accepted to be here and speak to you about how civil society can engage with the IGF and its role of civil society. I'm thankful that Rasha joined us, a MAG member, and Renata also is MAG member. Can you introduce yourself briefly and say what is your position within the IGF from the civil society?
>> Yes, Renata here. Hi, everyone. It is nice to see all these new faces here and some not so new and to have the newcomers track space, which is very important since the IGF is a community. I'm part of the community, same as you. I am, however, a part of the civil society in this community. This means activists, scholars, citizens really who want to contribute to IGF in many ways. I am a teacher, a researcher in the northeast Brazil in the states of Serra. And I also do lots of different work, many civil society organisations. I research Internet Governance and civil society. I started getting to know about IGF when I was a student at the Brazilian school of Internet Governance in 2014. Since then, I have participated in ICANN in the noncommercial users constituency space, LAC RALO, the Latin America at large space, the advisory Council for ICANN, which is organised among the five continents, and I definitely would say that to be a part of this community, to be a member of this community you really have to get to know your other civil society colleagues, how civil society organises itself within IGF, debating throughout Inter-Sessional work. This means the best practice Forum.
I'm Co-chair of the best practice Forum on gender and access along with MAG member Jack McKee. And also the dynamic coalitions which, for instance, have themes such as the D.C. on gender which I am a member, and community connectivity, rights and principles. So there are many spaces where you can do work in the IGF. It is like an umbrella of themes for the civil society. And I am grateful to have been part of those spaces. I definitely would recommend that you get to know more about them, get to know more about your colleagues and contribute with us to the next IGF in 2017.
>> BIANCA CAROLINE HO: Thank you, Renata. We have Leana. Tell us about yourself and your role in the IGF.
>> Hello. I'm Leana from Armenia. I represent ISOC Armenia. It was founded around 25 years ago when many young participants here were not born even. I joined ISOC Armenia since 2000 and I want to say that it is really very active community in Armenia. It actually started from some brilliant minds when at those times in the 1990s there was no IETF -- I'm sorry. At that time there was I-net conferences and one of our community members went to those meetings and we wanted to have the registry for domain names, top level domain name for Armenia. That person, now the founder of ISOC Armenia, he met Jon Postel and he wanted to have the dot AM. We have him from Serbia from registry. So he asked for dot AM and Jon Postel said if you have the multi-stakeholder community, some organisation, that would be very fine for the country to have your domain name. And then some other bright minds get together and founded, which was now called multi-stakeholder. That term was not that popular at those times. Nevertheless, we had that process down. And we had as members representatives from different stakeholder groups in their personal capacity. And at that time it was called actually the community was called Armenian Internet users group. From the beginning we were like end users of Internet.
But since that organisation and communities is really very active, we discussed all the things within the community related to the Internet. All capacity building, security issues, whatever we have we discussed there and we are growing in number. And regarding our activities, we have support -- we support the libraries in rural areas. This is a project which we do in recent years. We found that in the country, the libraries are going to die. I mean, everyone is now using the Internet online libraries and in the rural areas they have no connectivity in this. So we helped them to acquire computers. We provide them with software, special software and help them to get connected to the online world. The other project which we do is a project for disability, people with disabilities. People with visual impaired and blind people. So we developed an Internet centre for them and in this way we communicate with them, the stakeholders. We cooperate with other stakeholder groups and invite them to cooperate with us as well, to the end users. And in the past already two years we established the Armenian IGF. We formed it and what we have really is a very interesting experience. We established Internet Governance Council. We do not have only IGF once a year as in many countries. We have permanently working body which deals with Internet related issues. So whatever actual or burning issues we have, we face in the country, then we have this Council which discusses all the issues and brings, gives some recommendation even to the government which might then become a kind of law or rule or something mandatory or to all the operators, et cetera. It is really very important to have such kind of bodies and we find this model very useful for the country. And we have also horizontal connections without IGFs. 
We participate to national, regional, subregional and global IGFs and we have the messages and this is really also very important to have this not only connection vertically but to horizontally to all the IGFs. And have them overview of what is going on the other countries regions and to my mind I want to say that everywhere the issues and the concerns are more like the same. So we are all in the same globe and facing the same issues. All the security things, all the challenges, bringing stakeholders together. So we face the same issues everywhere. Thank you very much. I will pass this.
>> BIANCA CAROLINE HO: Thank you. Please, go ahead.
>> First of all, thank you for inviting me to come to this workshop. It is great to see new people coming, joining the process, joining the discourse because you can see by the time the discussion and the discourse at the IGF is changing with more civil society joining. This year it is very impressive how you can see all stakeholders actually working together. Then wouldn't have been done without the engagement of civil society on equal footing with the government and private sector. This is exactly what my programme is doing. I am working with HEDIS. There is an Internet Governance MENA programme, Middle East North Africa. This is building the capacity of different stakeholder including civil society, but we also work with government, private sector, technical community and researchers. We focus on Internet related issues but also try to engage them in the process, to influence the Internet policymaking. This is done on different levels. For example, we first start to engage them at the local level and then we took them to the regional level. We have DR of IGF. Because we couldn't actually have these discussions until the Arab spring. It was not possible to have discourse about Internet policies before that.
After the revolution of governments realised how it is important to have this discourse and this is when the Arab IGF started but there was still a vacuum because the civil society was not pored about Internet Governance, the concept. But also about the related issues. This is where we started raising the awareness of building capacity in the process. After engaging them at the local level and also the regional level, the natural evolution was to take them to the global level as well. We started this when the IGF was held in Turkey. Surprisingly enough when we had the first IGF organised in Egypt in 2009 it was the organised for the first time, the first time actually it's organised in one of the Arab countries. We had zero participation from the civil society. The first time actually to see people from civil society in the Arab region participating was in Turkey 2014. It was very interesting to start engaging at the global level. Starting from then, they started taking it from there. They participate now with different workshops. They also start collaborating with different civil society working at the global level. They actually manage to also voice the concerns of Internet users from the Arab region, as well as networking with different stakeholders working at the local level. They helped to bridge the knowledge gap. When they came back they started working with their local organisations, raising issues, building the capacity of further local actors working that level. They produced articles, blogs, and opinion pieces about what they think. And they reflected on the participation of the IGF. This year they are coming, organizing even workshops on their own and taking it forward, whether at the local or regional or even the global level. So the programme that you are working on also tries to map issues for them so that when they come to this kind of discourse, they can be able to highlight issues.
For example we have a programme that maps issues in the MENA region and reflect and write about policies. We keep building capacity over the year. It's an ongoing process and it is up to them to take it to a local level during the IGF. Thank you.
>> BIANCA CAROLINE HO: Thank you. One interesting thing about civil societies is that everyone has a different cap. Some could be academia, some could be ISOC or NGOs. So there are, even if you are civil society, it doesn't mean that you are all the same. You have different needs. Now I am going to open up because I know we are short of time because the previous session over ran. I want to open the floor for anyone who has questions. You can also go and network. Maybe we'll start opening up the floor and see if anyone has questions about how to engage civil societies here at the IGF.
>> Thank you. I think it is not the right question to ask because IGF is mainly attended by civil society. The stakeholders, the other stakeholders are participating but not participating as much as civil society. The question should be how the civil society could be more effective in participating in the IGF. This is a different question. So I think that we have a lot of network of civil society existing now and perhaps we can organise ourselves so that before any IGF, six months before we have to have our programme. How we will participate and how we can be effective in our participation. Thank you.
>> Thank you. I jumped at taking that question because I completely agree. Civil society is about dialogue. And we are the majority on Internet Governance Forum. We need to strengthen the dialogue with other stakeholder groups. And I see, the way I see this happening, I think every one of us here in this room has a bit of a spark in this. It is trying to build together our results. So the IGF has the nature of not being a deliberative body but we have results. We have our outcome documents. We have a review platform receiving comments.
So anyone can take the year long work of the BPF gender and access, for instance, and leave a comment there on what they think is the idea to have more women connected to the Internet, since of the next billion unconnected, 600 million are women. Anyone can leave their thoughts on this. I think this is amazing. We are definitely in need of putting more focus in using these results we have on the IGF which bring knowledge and bring the stakeholders also to the dialogue. We have attempted to invite, for instance, for our session we invited representatives of the alliance for affordable Internet, which has private sector participating, technical community. We have the ITU. So we need to bring in these groups to dialogue with us. It is great that you are here. You are all here in the civil society track helping us think about this. So that would be my idea for them.
>> Just a quick comment back to the previous question. We need to think of the IGF as just a hub where people come and network because it doesn't have any binding decision. So you have to work before and after. You have to start working before, preparing for the IGF, doing your own job that you do at the local level. Then at the IGF you showcase, you learn from other best practices, you network and then you take it forward. The output of the IGF to start working for the next year. So it is an ongoing process. You don't come to the IGF to actually have any binding outcome or decision. So it is important to bear this in mind.
>> Yes, I would agree with the previous speakers and just short addition to that. We can all start this dialogue, this conversation on a national level, which is more easier as a step, a first step to start on the national level this dialogue.
>> BIANCA CAROLINE HO: Is there anyone who wants to pose a question to civil societies in general?
(There is no response.)
>> BIANCA CAROLINE HO: Okay. I think we will close this session.
As a reminder -- thank you so much for all the speakers here today. Again, I think a lot of this discussion doesn't have to be done here. Now that you know everyone, know their face, you can always grab them in the corridors and talk to them. If you go to drinks, parties, you can totally talk to them. They are very open. Even among peers you can still talk among each other. I wanted to tis again the Newcomer dinner is not sponsored, so you have to pay, but there is a Newcomer dinner tonight sponsored by Nicolas. I want to thank all of you. We had three different -- as you mentioned, like this is civil society, but yesterday that was, we had private sector and government two days ago with the knowledge cafe. You don't have to be private sector to go to the private sector one. I think that facilitates that discussion. >> I just wanted to leave a comment here. It is an interesting time, this time of the IGF because we also have a process called the MAG renewal when the next MAG for civil society will be selected. And this process can be organised via the IGF Web site. So anyone can fill in a form. If they want to contribute in that capacity. And also via the civil society coordination group which is a group that holds together five other groups which are formed by civil society participants. So get to know who civil society in Internet Governance is, participate, join these groups. Have your say. You can have your say on how the MAG is chosen, who is the MAG, where is the IGF, where it will go. There is a Working Group on enhanced cooperation of the commission of science, technology, and development, which also is involved in the IGF. So there are many spaces. Of course, it is thousands of civil society offerings. So it takes a while to learn it all, but we are here. You can count on us for mentoring, for jobs, whatever. >> BIANCA CAROLINE HO: Thank you, Renata and Leeana. 
We are letting you go, but before you go, join us tomorrow on the final session where you will be speaking and we will be listening. Your feedback is crucial here to see you for the next year whether we should kind of continue with the Newcomers Track and in what way. Whether this was good logistics or not or maybe you have ideas to change this. That will be the first part of the 45 minute slot. The second part will be about how can you engage with the Inter-Sessional work in 2017. Thank you so much. And see you around. (The session concluded at 2:19 p.m. CST.) (Please stand by for the session number 267.) (Standing by for the Internet Governance Forum 267 session: Surveillance and international human rights law.) >> The people who came here, the people who came for the workshop -- the section for this one is -- yeah. The right to be forgotten and -- an education. Yeah. You're welcome. >> For those trying to go to the international human rights law, they have moved and we are going to workshop 10. So we are going now, if someone wants to follow us. We can go together. Don't get lost. >> MODERATOR: I'm sorry, if you wanted to see the right to be forgotten, it will be in workshop number 10. If you are here for surveillance of human rights, you are in the -- right to be forgotten, workshop ten ... here is international human rights law and surveillance. (Session number 267, surveillance and international human rights law, will begin momentarily. Please stand by.) >> Just a couple more minutes. We are waiting for one speaker. Because of the room mixup, we will be right with you. (Pause.) >> Thank you for your patience. Thanks for the organisers of R3D. We have the speakers here. We will start with Amos. 
He's an advisor to the UN Special Rapporteur on freedom of expression and MC from Google and I'm going to take the moderator stand and take advantage of this by saying that for us, this is a very important topic and very important discussion. I'm really attentive to this but kind of leave you with a few questions in your mind on proportionality, the necessity to know security and transparency and sort of four guiding principles for the discussion that I know the speakers will talk about. On to Amos. >> AMOS: Thanks so much, MC and Katitza and Luis as well for organizing the panel. I want to kind of briefly give a round up of some of the standards promulgated within the UN system that might apply to the fast evolving surveillance technologies in the operations around the world. And I mean, I think I also want to throw out challenges and ask questions in the hope there will be panel and audience participation so we can make this more interactive. We recently briefed a special procedures, the freedom of expression mandate as well as freedom of association and human rights defenders. We recently filed an amicus brief in the United States court case called Kidane versus Ethiopia which basically concerns -- I should start my timer. Which basically concerns an activist being surveilled by the State of Ethiopia in Maryland. This is an Ethiopian American activist, cutting to the chase, this case is up for appeal. We basically laid out our positions on why this surveillance, this type of surveillance, this type of malware to infect another activist's computer extra territorially affects the right to freedom of association, freedom of expression, privacy, so on. One of the most under discussed norms that has taken on increasing importance in the digital age is the freedom of opinion, enshrined under Article 19.1. It is separable from Article 19.2. The right to a freedom of opinion is an absolute right and does not permit any interference. 
We see in the digital age where we form and hold opinions are no longer confined to processing them in our own heads or writing them in a diary. We hold opinions on a Microsoft Word document, and by browsing the Internet and having the history of the websites being recorded somewhere. To the extent that Internet browsing histories, drafts of documents and digital memoranda that we do not share with anyone, to the degree that these are mechanisms for opinion is it ever legitimate for governments to collect such information given the absolute nature of the Article 19.1 right? I think when we go into communication surveillance we are talking about Articles 19.2 and 19.3. I'm talking about the ICCPR, I'm sure you know and we go into the limitations criteria, three: provided by law, necessity and proportionality. I want to highlight one or two things. Provided by law is not simply to, in our view it is not simply for it to go to a formal legal process and you have legislation and therefore that makes it provided by law and satisfying the standard. I think law might also be reasonably clear and precise about the conditions under which surveillance may target each and every one of us. I think under necessity and proportionality we have to be clear that it implies surveillance must not be reasonable, desirable or even useful to accomplish an aim, there must be an immediate connection between the surveillance and the legitimate aim, whether national security or otherwise that is sought to be pursued. So I think there has been a greater development and strengthening of the human rights norms and criteria on digital surveillance, especially since the Snowden revelations in 2013. I think this is where the challenge lies. Surveillance schemes around the world are expanding, in ways that raise extremely grave concerns for digital rights and digital expression. 
So the challenge for us, I think, as a human rights community as well as for governments, private actors and international organisations, is how do we translate these norms? How do we translate these international norms into concrete and enforceable protections that governments respect? And so I have two questions here I want to throw out to the audience and the Panelists. What can the UN scheme, whether the freedom of expression mandate but broader than the special procedures, the Human Rights Council, General Assembly, any of the UN agencies, what can they do better or do more of in terms of supporting grassroots and local movements for more surveillance accountability? And the second question I want to ask which is really related, how do we develop and socialize standards that give concrete meaning to the criteria of necessity and proportionality? This may be a process question in the sense that we might ask for more transparency and more quality of transparency from governments in the private sector. We might also ask for judicial oversight. Again I think we need model legislation, we need models for the kinds of oversight that we see. I think the necessity and proportionality principles provide a good template for that. I also think it is an outcomes question, less talked about. Some kinds of surveillance that are almost never permissible under international law. The example, for instance, of mass surveillance. We try to get meaningful perspective on how to provide guidance on what are legitimate national security aims. National security is a catch-all phrase for all kinds of surveillance and it is untenable and we must start coming to a more well defined definition or at least provide checks and balances that can limit the use of that term in the pursuit of surveillance regimes and operations. I think that is really the remarks I had and hopefully those questions may be answered as we go along. Thank you so much. 
>> Moving on to the example in India, I will move to Aja Jack more, policy Director at SFLC, yes, the example of India. >> Hello? I think it is working now. Thank you for the introduction. I am Ajun. I work with Software Freedom Law Centre, a private organisation that works to protect digital liberties. One of the main projects we have worked on in the past is communication surveillance. This is something I was involved with drafting, which is why I was looking forward to this session as much as anyone else here. We had a report called communication surveillance in India, a couple of years ago. What this report did was take a look at how communication surveillance is conducted in India and more particularly one of the chapters of the report was dedicated to comparing the landscape in India against the principles that we have just spoken about here. The proportional principles are an excellent reference to look at any regime in any jurisdiction. I thought I would quickly go over a couple of the principles and see how the Indian landscape stacks up against these principles. This would serve the purpose of evaluating the landscape itself and give you an idea of how the whole thing works. The first principle in the list of 13 principles is legality which says that surveillance should always be carried out in accordance with law that has been clearly laid out and that is the first principle. But we have determined in our reports that in India this principle is not always observed very well in the sense that we do have a set of laws that set out when communication surveillance can be undertaken but these laws are anything but clear. For instance, the technology act are the two main legislations that sanction communications surveillance in language. But the language of these sections are extremely broad and make room for the conduct of surveillance at basically any turn of the time. More importantly in India the citizens do not have a constitutional right to privacy. 
Some judicial interpretations by the Supreme Court have interpreted the right to privacy as being implicit in the right to life and personal liberty under the constitution, but this has been recently up for debate. The standing of the right to privacy in India is very, very questionable as of now. Moreover, there is also now no periodic review of the laws that sanction and oversee surveillance which means the legality principle is not very well met in India. Again, the principles of legitimate aim, adequacy and proportionality are more or less related and state that surveillance must only be carried out in accordance with these principles when there is a legitimate aim, when it is necessary to carry out surveillance, when you exhausted all the means of gathering this information. None of this is observed in India again because the under which surveillance is permitted to be carried out range from everything from the very broad ambit of protection of national security right down to the spreading of computer viruses. There are standing mandates within the provisions of law to exhaust all other means of procuring this information, but this is not always seen to be done, which is demonstrated by the fact that one of the requests that we had once placed before the government under the Right to Information Act about how often communication surveillance is gathered in India, on average every month about 9,000 orders of surveillance are issued by one particular authority in the central government which means there is absolutely no scope of application, there is no scope for weighing these instances against the benefits and the costs and coming to an informed set of conclusions on whether or not this is a situation that warrants surveillance to begin with. And then moreover, surveillance in India is not carried out under the supervision of any sort of judicial oversight. 
So the entire surveillance process, starting with the sanctioning of the surveillance order right down to the conduct of the surveillance itself and review of the order, everything is carried out with executive arm of the government and there is no intervention by any other arm of the government. It is a monopolistty particular where there is abuse of process. There is no user notification. Nobody is notified when surveillance is initiated or concluded regardless notifying people of this would in fact take away from the surveillance process all together and there is no transparency whatsoever when it comes to the surveillance landscape in India. As I said any request to provide information on how communication surveillance is carried out is usually met with response to the effect that this is a matter that relates to national security and which cannot be discussed as easily as people seem to think. Usually the request is denied and we have to rely on reports in newspapers or information leaks to get an idea of how the whole thing works in India. So that is just some of the more important principles I think from the list of 13 that I already covered. To not take too much time, I conclude here and allow the discussion to carry on. Thank you. >> MODERATOR: Thank you. We are going to move to Peter from the Council of Europe and data protection unit. >> Thank you very much to the organisers for having any intervention. I just would like to invite you to have a brief look into the interpretation of and the set of requirements, the European court of human rights established regarding surveillance and surveillance measures. But for beginning, it has to be said that surveillance is basically left to the discretion of the national sovereign states. 
However, it is widely recognised, and I will of course point out in the court of jurisprudence as well, the use of surveillance measures represents interference to Article 8 of the European convention on human rights as well as to Article 12 of the universal declaration on human rights as well. Now we are going to focus on European legislation. So it has to be in accordance with law, but the surveillance measures are basically used for very specific purpose which is of public interest. And here I would like to invite you to really make the difference and to understand the difference, the European court is making between interest and rights because human rights are embedded in those declarations I was referring to, but the interests are set by the states and public interest is only and the use of surveillance measures can only be legitimate if they are respecting human rights. So with this introduction, I just would like to have a more detailed look at the court jurisprudence on this measure. As I mentioned there's a measure of discretion whenever evaluating threats to national security left to the states. And we are deciding how to combat this. Nevertheless, the court in its jurisprudence which is very extensive and it starts from the case called Klass and others and hence the words Zakharov and other cases which I won't cite here, but I invite you to read those. So the court in these cases established a threefold set of requirements, where the Member States have to request when applying those measures. Threefold set of requirements consist of the obligation that the measures have to be foreseen by law, have to be necessary in a democratic society, and an independent and effective supervision has to be in place regarding towards this measure. I would like to stop at the requirement number two because this requirement number two has some subrequirements or elements which has to be taken care of. 
The necessary and democratic society for the court of human rights means that the measure has to be foreseen by the law and it has to pursue legitimate interest and has to be necessary and proportionate with a view to the legitimate pursuit. So we are now in a situation where the state's margin for appreciation is no longer uniformly broad. For example, in the case law there is absolute -- so there is a reference to Article 3 of the European convention which speaks about torture, inhuman or degrading treatment as well as punishment. And there is no margin of appreciation whatsoever. It goes in the same direction by the -- regarding Article 6 as well, which where the court stated if it exists, a less intrusive measure available. So the use of surveillance measures cannot be legitimate. Or cannot be considered legitimate anymore. And it has also established very detailed requirements for independent court supervision. About secret surveillance, the court is relatively flexible on the subject of recognition of victim status. So it is quite open on receiving claims regarding the use of this measure and the criteria of the "in accordance with law" has to be understood that the law should be accessible and foreseeable and relatively detailed. There is also an obligation for the when it comes to the use of this measure to impose safeguards which must be accompanied, or which must accompany the surveillance measures. And there is also the fourth criteria which is the necessity criteria regarding the secret surveillance where the court usually makes a balance of the national security interests and the intrusion of, or to the private life of the data subject. Usually it requires that guarantees against abuse have to be in place as well as supervision, as I mentioned before. Basically, these are the requirements that the European court established and I will be open for questions. >> MODERATOR: Thank you. 
Moving on to Katitza Rodriguez from EFF. >> KATITZA RODRIGUEZ: Thank you. Before explaining, we have been working over a year on a comparative analysis of surveillance laws in Latin America. I think it is important to remember the history in Latin America and reflect on the horrific consequence of unchecked surveillance. And just to illustrate a case, in December 1992 following, a Paraguayan lawyer drove to a secure police station in Asunción. A police officer discovered a cache of 100,000 documents piled near to the ceiling. This was called the archive and almost complete record of the interrogations, torture and surveillance carried by the dictatorship of Paraguay. The files report details the Operation Condor, a clandestine programme between the military dictatorships in Bolivia, Argentina, Chile and other countries in the 70s and 80s. The countries agreed to cooperate in sending teams on other countries to track, and kill their opponents. They used informants, cameras, wiretaps to build a paper database of everyone that was viewed as a threat. Plus their friends and associates. The Archives of Terror show how far a country government might sink when unchecked by judicial authorities, public oversight bodies and knowledge of the general public. That was a quarter of a century ago. A modern Operation Condor would have more powerful tools at hand than just paper files. Cameras or wiretap, phones. Today the surveillance technology leaves these techniques documented in the Archives of Terror in the dust. So one way to stop these powers from being used against the public is to create robust modern privacy laws to constrain its use that includes strong safeguards, and also judges who are strong and independent and knowledgeable on the topic and oversight mechanisms that allow the general public to know where the country's most secretive government agents are up to their time. 
To assist in this task and help policymakers, we have been working over a year with our partner organisations in those countries in Latin America to release a comparative legal analysis of surveillance laws in those countries. Our work, our goal was to shed light on the current state of surveillance in the region, both in law and in practice. I don't know if we can show the page in the screen? Okay, I will continue. What we have learned from this research, and I will be very brief. It is really 100 pages. You can read it. There is a good summary too. We analyzed all these laws against international human rights standards and we take the necessary and proportionate principles as a benchmark, as guidelines to assess compliance of each of these laws against international standards. So in the legality principles we found in our research that many states only specifically authorize wiretapping, which means listening to or recording telephone conversations. They do not have precise, to conduct new forms of surveillance even in many countries with a few locations for geo location tracking or even cell tower monitoring, using malware. Like wiretapping these are invasive and raise far different privacy concerns and leave out questions that might be tackled. In Colombia you don't have prior judicial authorization to authorize any kind of wiretapping. Are we going to keep these same legal safeguards in that country for the use of technology that is even more invasive than just a simple wiretapping? It is a question. Despite the lack of legal footing, there appears to be widespread use of these technologies. Research by (phrase.) show that in the majority of Latin American countries, countries were in touch and sought to purchase malicious software. In other countries legal framework that are written in a very broad way. It might be interpreted as authorizing an outreach of surveillance and future surveillance. 
For instance, just to cite an example, Article 200 of the criminal procedure code of Paraguay established that a judge can order the interception of communication of any accused person regardless of the methods to achieve it. Whatever technical means to use are authorized by this provision. This takes out the debate in Congress about the use of the right legal safeguards when you are using new surveillance technologies, or whether you should use it at all or you should actually authorize at all these kind of law enforcement powers. There are more examples, but I will give up to the second topic which is the culture of secrecy. We found a very strong culture of secrecy in Latin America. Many states don't publish information they have about surveillance technologies. States are not complying with freedom of information law when faced with requests for records regarding their laws and capabilities also. States issue transparency reports in order to provide useful information to citizens and users, but that is not happening. Sometimes you cannot, any general public cannot access it unless you ask for freedom of information law. Telecommunications companies are not publishing even transparency reports or law enforcement guidelines to know which are the processes that the police have to follow when they knock at their door requesting users' data. So we really need to stop the culture of secrecy here and understand which are the capabilities. This is an obligation for the states. We can not rely on whistleblowers to do it, but of course whistleblowers have been fulfilling that role. We have not had our Snowden in Latin America yet. I want to talk about public oversight. This is a problematic issue in Latin America. Most of these oversight mechanisms were born in an era of escape from the dictatorship culture, when the culture of secrecy is very embedded in the system. But oversight mechanisms have been weak, including legislative mechanisms. 
We have seen concrete examples in Guatemala, in Colombia, Peru and Argentina of illegal surveillance targeting judges, politicians, opponents, activists for illegal surveillance. So what we need and what we are trying to do is to have more public oversight. Things like reports that the public can audit and not just rely on the traditional legislative oversight mechanisms that haven't worked in the region. Finally, just to conclude, there are many other things that we need to improve best of your recollection we theep necessary and proportionate principles, in the Web site if you can navigate a little bit, this is the research we have in the table. You can see the country reports. There are four more reports coming from Central America. And you can go back, under all the authors from all the organisations who work on this research and we have a map. You can show ... you can click on each, Mexico, you can see what is happening in each of the countries and the major findings. Please take a look at this and see what is happening in Latin America. >> MODERATOR: Thank you to the Panelists. I know that Mr. Fernando wanted to have an intervention and then we'll take questions from all of you. >> LUIS FERNANDO GARCIA: Thank you. I just want to make some comments regarding the very interesting participations that happened before me. And just wanted to tell you a tale about why these principles are important. We talk about them and they seem very ethereal, don't seem very real. For example, in 2013 in Mexico there was a telecommunications law passed that was particularly vague on certain aspects. It was vague on who could do surveillance. It was vague on whether you needed judicial authorization to access data. The effects of what happened have been documented, is very important to look at. 
We are saying because these provisions are vague, what is going to happen is that there is going to be a lot of authorities that don't have legal powers to do surveillance and say well, I have legal powers and that is exactly what happened. In a report we published last week called the State of surveillance out of control, which is right now only available in Spanish but it will be soon available in English, and I advise you to keep track on us. And what we did, we did a lot of information requests, more than 600 of them. We had to do 200 transparency appeals. It was a big effort. To really know what were the effects of this law. And what we found is that, for example, there was, when this new telecommunications law entered into effect, the number of authorities that asked for user data spiked, more than doubled. The number of requests for user data also did. But another issue that is very important is the fact of judicial authorization. Because it is useless to have very clear laws if there is no one to check whether those laws are being complied with. What we found with the requests is that in effect as we suspected, there were a lot of authorities that do not have legal powers to do surveillance that ask the telecommunications companies to access user data. 99 percent of all access to user data happened without judicial warrant. Something that the Supreme Court of Mexico, I mean we made a lawsuit against the telecommunications law. In the process of doing the litigation inside of Mexican constitutional system, this is what is happening. Authorities without authorization were asking for data without judicial warrant and they were getting it. For example, the biggest mobile telecommunication company, for example in the first semester of this year received more than 25,000 requests for user data. They never ever ever rejected one request. Any authority without judicial warrant asked for personal data, they got it. 
This is without legislation that is clear on whether you need judicial warrant. Thanks to the litigation that we carried out, the Supreme Court established very clearly who can make surveillance, that you always need a warrant, except with an emergency system that has been established in law. But in the meantime, all these illegal unwarranted uncontrolled surveillance happened. Regarding transparency which was also mentioned, it is important that we have meaningful transparency because to have this number of how many requests doesn't really tell you much. And what we have been fighting for is to not only get the number of how many requests an authority makes and gets authorized, but how many people or devices are surveilled because the number is totally different. We actually got information from some companies and confirmed this. For example, the federal police of Mexico, between 2013 and 2015 got the authorization of a little bit, a little over 200 requests for user data, or for the intervention of private communications and with those 200 authorizations they were able to surveil 1,700 people. So it is important to have more meaningful statistics and data that can really serve the society and the population as a real means of exercising control over these authorities. Not just random data, for example, that you can find in some company's transparency reports that doesn't tell you much about what is going on. Actually this Monday we also were successful in making the Supreme Court of Mexico order the national security agency here in Mexico to actually give us the number of how many people they surveilled in 2013 because they didn't want to give it because they say that it harms national security. The number of people, I didn't ask who, I just asked the number. They said it harmed the national security. 
And now this precedent that we achieved in the Supreme Court I think is going to be useful and it can be also an example about what real transparency really means. And by which numbers are important for transparency? I want to add another point of data which is we asked, because we get sold on this surveillance provisions as useful, that they are needed for law enforcement, and in certain occasions when they are used correctly they certainly can be very useful for law enforcement. However, why we document it here in Mexico is because of all the prosecutes in all the investigations where there was a use of surveillance technique, only a little bit over 8 percent of all those investigations became an accusation. There was the case, the investigation became a formal prosecution of a person. 90 percent of the people who were surveilled in the context of a criminal investigation were never charged with any unlawful actions. So we were able to make this statistical analysis thanks to the information that we got through transparency and it is important that we can get this -- we didn't get this from all prosecutors, but from some. It is important that these transparency provisions allow us as society to make these kind of assessments. Finally I want to mention something that Amos was mentioning about certain types of surveillance that shouldn't be legitimate, proportional or necessary to achieve even very legitimate aims which is, of course, mass surveillance. I just want to mention two more. 
Data retention mandates which is very important because from the litigation that we carried out against the telecommunication law before the Supreme Court of Mexico, even though we got some good provisions like this clarity about who can do surveillance and with which process and with which authorization, the bad part of that judgment was that the Supreme Court of Mexico validated a constitutionality of that retention in contrary to what the European court of justice has already ruled that it is mandatory that this mandates that telecommunications companies are disproportionate and unnecessary. We will in the next day, in a few days we will present a case to the international Commission of human rights for this. We think it is important to develop a more robust jurisprudence on surveillance because the only piece of jurisprudence that has come out of the inter-American system that is related to surveillance is the case of Escher versus Brazil. Actually we mention it in the lawsuit before the Supreme Court. The Supreme Court mentioned in the judgment and said it didn't apply to retention. It only applied to access to metadata. It is a very good opportunity for the inter-American system to develop a precedent that can help all the preening. Another measure that we believe is very problematic is the use of malware for surveillance because even when traditional surveillance that requires the cooperation of company, in Mexico it is really not been very successful as a control because the biggest company just gives the data without asking any questions and because some authorities don't even think they need a warrant. The malware makes it even more difficult to exercise control over the surveillance techniques. They don't need anyone. They do this directly. We think it is problematic and it should be considered unlawful and illegitimate way to do surveillance. 
It can only be used if it's regulated with special safeguards in extreme situations where traditional surveillance means wouldn't be useful or successful. We believe this is very important especially in a country like Mexico in which many times law enforcement and organised crime are the same thing. We need very strong safeguards and don't give the authorities these extreme powers. Thank you. >> MODERATOR: Great, because we don't have that much time, though we can stay in the room if you all have time, but let's take two or three questions and distribute them to the Panelists. All right. We can start with you. >> Is this working? I'm Victor from the IGF youth programme for Brazil. And part of the studies of technology at the University of Sao Paolo. The digital surveillance issue is connected with the national security issue. The struggle to access information is obstructed by the justification that if this goes public, the country and the nation will be in danger. At the same time transparency in this case seems not enough as the digital tube to accept communications can easily be hidden by the agencies who do that. With that said, how can we evaluate the accountability in these questions and are we going to need one Snowden for each country? Thank you. >> MODERATOR: Thanks. Any further questions? Sure. >> AUDIENCE: Steveal ser, labour net, San Francisco. The concern we have is the information being gathered by major tech companies like Google and Facebook, privacy of this information. And the use of this information by not only these companies but by government agencies. What rights do individuals have, working people have that the information they put up is not going to be used against them and used in retaliation, particularly workers who speak out about injustice on the job or health and safety on the job. >> MODERATOR: All right. Any questions from remote participants right now? No? One more, over here. >> Thomas from the German federal foreign office. 
I wanted to pick up the question of proportionality, necessity and maybe give a reply to what you just asked about, accountability. The General Assembly resolution being run by Brazil and Germany for quite some time centres around unlawful and arbitrary surveillance, mass surveillance, all of that. So that is a term that was taken, of course, from the international covenant on civil and political rights. It is about 50 years old. Now, you may ask why did we stick to unlawful and arbitrary and didn't go into necessary and legitimate and proportional and all of this? And why do we stick to this old language? The answer is, of course, when the resolution -- we were criticized for doing that. The answer is when the resolution was first introduced from 2014, please note the timing, the decision on the part of the cosponsors of that resolution was we would rather go for a consensus resolution rather than having something that is highly controversial that is being voted upon and then divides the international community. After long negotiations the result was we have to stick to the language from the pact because many states said look, this is what we accepted by law. We signed up to the treaty. It's binding. We are not ready to go in a resolution. It is not binding beyond our legal obligations. That's why the unlawful and arbitrary turns up again. In the latest resolution about to be adopted in the General Assembly this December, we have introduced a new provision that says, that calls upon states to develop or maintain and implement adequate legislation with effective sanctions and remedies that protect individuals against violations and abuses of the right to privacy, namely through unlawful and arbitrary collection, processing, retention, et cetera, by individuals, governments, business enterprises and private organisations. So we still have the terminology but the kind of addressees have been enlarged quite a lot. Thank you. >> MODERATOR: Thank you. 
Any other Panelist want to respond? Amos? >> AMOS: I think that point is very well taken on the distinction between arbitrary and unlawful and necessity and proportionality. I think my comments on necessity and proportionality I mean in the context of Article 19 and the right to freedom of expression and the limitations clause and established in 19.3. To the extent that we think surveillance measures or regard surveillance measures as restrictions on freedom of expression, that should be analyzed under the limitations clause under Article 19.3 and that's how necessity and proportionality kick in. I wanted to make that clarification. Thank you. >> MODERATOR: Peter? >> Peter: Thank you very much. (Off microphone.) -- we are also debating, there is a political debate. Of course, I don't want to go into very much into the details on that. So what would be the best of the solutions. And the court, in the court decisions I was referring to there are no clear-cut answers either. However, being said, there are some possibilities under the structure of checks and balances within the democratic society whereas institutions can be set up and empowered for the oversight of these kind of activities. For example, in Europe it is now very much in the centre of debate to give this power to the data protection authorities. And I know Mexico has one. The American states are also in the phase of considering the data protection. There is no clear answer in European jurisdiction, but there is a very stringent requirement that oversight has to be put in place and it has to be independent and effective. I can continue for hours on these two issues, but I think the institutional oversight is very important as well as the public control of those institutions. >> MODERATOR: >> There is a lack of trust about how governments around the world are using surveillance technology. 
Many of the reports that are being discussed within the oversights mechanisms, whether it is within the authority, whether it is legislative oversight mechanisms are not working. We lost trust. We don't have access. The public cannot know what they are doing. So we need mechanisms which allows discretion. Some things remain secret but some others the public needs to know. Thus we are calling for public oversight mechanisms. There is not necessarily the secret legislative reports being written by intelligence agencies to the Members of Parliaments without us knowing what is going on there. I just wanted to say that. >> MODERATOR: Any other questions in the back? Other comments you want to bring up? >> Just a very brief comment about accountability measures. I mentioned the meaningful transparency, not just any transparency but meaningful transparency, but also with regard to, it is not only necessary that data protection authority exists but that it has a specific powers regarding surveillance. For example, the ability to do random access to certain investigations, not to all of them but random sample of investigations in which they can get access to confidential information in order to be able to make an assessment on whether these provisions are being used correctly or not. And other types of specific powers. I believe that is what has been going on in Mexico, that type of authority exists but it hasn't got into these kind of issues because it doesn't feel like it has these powers, specific powers. Also the right to notification is something that is very important to push for. It is important, I think the basic principle should be that any authority that uses a surveillance measure needs to know that eventually it will be known that they did the surveillance measure and that they will be scrutinized by the independent body, the judge for sure, an independent body hopefully. And also the persons surveilled at the one moment. 
This is something that needs to be guaranteed, but also I would second what Katitza said. I think we need to have a discussion on whether -- I mean if authorities want this power to invade privacy, they have to have a little transparency with regard to methods as well. Many of the methods that they are using are not being revealed and it is being used, this argument that they can't reveal them because then you can circumvent. But I mean, at some point you need to give up certain restrictions in order for society to really assess and discuss in a democratic way whether these methods are proportionate, necessary, which I understand necessary and proportionate as synonym of arbitrary, but maybe I'm incorrect. So yeah, basically that's it. Thank you. >> MODERATOR: >> I want to call attention to the notification principle because it is important for litigation to be able to notify users of surveillance method. So they can challenge the requests. Obviously it doesn't have to be in an ongoing investigation where they put in jeopardy the investigation. But there are many cases that it is not. The judge needs to assess whether that notification will put or not in jeopardy the investigation. We need that so we can actually request a lawyer, the victim, the subject of surveillance and challenge the request, whether it is proportionate or not. We have a case in the United States that my organisation litigates, it was a case against Icelandic parliamentarian who was part of the WikiLeaks. And the U.S. government gave Twitter, that they are not allowed to say -- Twitter in that case litigated to challenge the gag order and then won in court. That's why that person was able to go to EFF and we were able to provide counsel in the case and request that that request was disproportionate. So that is a real principle we would like to see recognised at the international level. We need it for litigation. Without that, it is very hard. >> MODERATOR: Thank you very much for joining the session. 
And good luck! (Applause.) (The session concluded at 4:00 o'clock p.m. CST.) >> MODERATOR: Very good. Welcome everyone to the panel, welcome to everyone in the room and watching remotely. This is on strategic litigation in defense of freedom of expression online in Southeast Asia. Jointly sponsored by the American bar association rule of law initiative and the media legal defense initiative. Both organisations recognize that there is an emerging need to develop, enhance and defend the legal frameworks to ensure a free and open Internet. These frameworks will have a direct impact on governance and should be oriented towards maximizing freedom of expression online. Strategic litigation is being employed around the world to defend against online censorship and to advocate for a freer Internet. There is, however, a lack of lawyers with a specialized expertise required to litigate and defend complex cases involving principles of Internet freedom. ABAROLI is pleased to be sponsoring a Delegation of lawyers from the Southeast Asia to the IGF. They are presenting on this panel and I will introduce them to you. My left, Asep Komarudin, Mercking diswition of the legal aid centre for the press. He has a degree in international law in Jakarta. He was established in establishment of regional group of raid and the southeast lawyers network and the advocates for freedom of expression coalition, Southeast Asia or AFEXE. To my immediate left, Maria Cecilia Soria, from a group which spearheaded the Magna Carta for Internet freedom in her country. She blogs on law and technology at Cecilia soria.com. To my far left is L Khun Ring Pan of Myanmar a founder of his law firm and team leader of the legal affairs team, ex-judges and lawyers and court officers. They support parliamentary Committees with legal research and advice for legal reform in Myanmar. 
He was a founding member of the legal aid network, promulgating a legal aid law promoting rule of law and access to justice in Myanmar. On to my immediate right, Preap Kol, he served as the Regional Coordinator of UNCAC, UN Convention against corruption in the Asia-Pacific region. He served in the democratic institute for international affairs as well as working for the European election commission to Cambodia. Before I introduce the first speaker I wanted to just give a short roadmap to how we will, how this event will unfold. We will first, I'll first call on Patrick, he'll give an international overview of our topic. Then Asep who will talk about this topic regionally and then turn to Cecilia and Ricky to talk about their respective countries. And Kol will give a perspective on civil society's engagement and the important role that civil society plays in strategic litigation. So now I would like to turn to Pádraig Hughes, MLDI's legal Director which works locally to defend journalists and bloggers rights. We are pleased to be sponsoring this panel with that group. >> Thanks, Oliver, for inviting me to be on the panel. One of the ways in which MLDI works is through strategic litigation, which means that we challenge problematic legislation, problematic decisions, hoping that the outcome will have an effect that reaches beyond the particular client and that benefits the wider community. In the context of digital rights and freedom of expression, for us in broad terms strategic litigation is about challenging states and private actors where they use the law to prevent journalists from reporting on the news and where they prevent community from accessing the news through the Internet. We work on three main areas in relation to digital rights. The first one is issues relating to intermediary liability. The second one is pushing back on cyber crime laws, and the third one is challenging shut downs. 
We see a lot of commonalities in these areas in the regions and the countries in which we work. We work globally. In terms of our litigation strategies in relation to certain states in East Africa, for example, we cyber crime laws, the provisions reflected in other states such that when we are litigating strategically in those cases in specific states we do so with an eye on what is happening in other states with a view to taking challenges in other states to deal with the commonalities that exist in that legislation throughout those regions. And what I would like to do is maybe give you a brief overview of the type of litigation we are engaged in in those three areas. So in the first area in relation to intermediary liability we have been involved in or are currently involved in a range of cases before the Strasbourg court, the European court of human rights which have a deleterious effect on intermediaries and the way in which they go about their business and the way in which individuals can access information on the Internet. We were, for example, involved in the case of Delfi versus Estonia, we have worked in the Tamiz versus the U.K. case ongoing before the court of human rights. At the moment we have a very important case relating to intermediary liability before the European court of human rights which relates to hyperlinking. I will give you a brief overview of the facts in relation to that case. It concerns a news portal which published an Article containing a hyperlink which brought readers through to a YouTube video which contained allegedly defamatory material related to a well-known nern Hungary. The incident itself concerned the discrimination and mistreatment of a particular vulnerable group in Hungary. The comments made by the individual were deemed to be defamatory by the courts in Hungary. 
And as well as the person who made the comment, the newspaper was sued on the basis that it disseminated the comments by inserting in the Article a hyperlink to allow access to those comments. This is obviously a hugely problematic decision that has now gone to the Strasbourg court. We hope it is a measure of the seriousness and urgency with which that court regards the particular outcome in that case, and that they have given it an expedited track, which is quite unusual in an Article ten case. Normally they reserve that to cases related to the right to life and freedom from torture but they have given it an expedited track. What has been particularly useful in relation to that case has been the engagement and involvement of other organisations providing amicus briefs to assist the court in understanding the nature of hyperlinking and what is at stake as a consequence of the negative decision coming out of the Hungarian courts. That as an example of strategic litigation we think is important because it shows a coalition of organisations not just the applicant whom we represent fighting the case alone in Strasbourg but also organisations that profess and have expertise in relation to hyperlinking. And are able to put before the court -- I think this is very important in relation to strategic litigation on human rights. You have technical issues sometimes that need to be dealt with by the judges. The judges are not necessarily the best placed to understand those technical issues without some kind of guidance from experts. And we have managed to put in place, certainly organisations have become involved in that case and provided amicus briefs which essentially explain the nature of hyperlinking and also provide an explanation as to why hyperlinking is essential to the way in which the Internet functions with respect to freedom of expression more generally. That is an important case and one we hope the court will give us a positive decision on. 
We are also litigating cases in East Africa in relation to cyber crime laws. And there has been a raft of cyber crime laws which have been enacted in certain countries in Africa and around the world which all possess certain commonalities in terms of the provisions and types of harm that they are seeking to deal with. In Tanzania at the moment we have three cases in court challenging elements, provisions of the cyber crimes act. One of those cases raises serious questions relating to the information that service providers are obliged to give to state authorities in the context of criminal investigations that are taking place in the country. For example, in a case called Jeme in Tanzania there are particularly difficult circumstances for online operators who are receiving requests from the police to simply provide them with details relating to users posting content on their sites, their names, IP addresses and so on, such that they can identify them and then instigate investigations in relation to criminal acts that they allege take place but are never set out or explained to the service provider, the operator of the Web site, such that they would feel compelled to provide the state authorities with that information. It is an interesting system in Tanzania, the way in which cyber crime laws are being used to secure this information. In the first instance you have the police writing to the Web site operators, insisting that they are entitled to this information. If they receive a refusal, then they go to court, and only then do they go to court, but that court proceeding takes place ex parte and in camera. There is no opportunity for the person who owns the, or to whom the information relates or indeed the Web site operator to challenge assertions being made in those hearings. The threshold that the state authorities have to meet in relation to those hearings is not high. 
They simply have to say it is relevant to an investigation as opposed to providing some kind of evidence that it relates to a particular commission or of a particular crime. That is problematic and one of the provisions that we see being misused by the government in Tanzania in relation to the cyber crimes act. There are others, and other challenges we have brought where we have tried to impress upon the local courts the importance of ensuring that these cyber crime provisions don't impact on the right to freedom of expression. And the third area where we are working in relation to digital rights, where we are litigating cases is in relation to shut downs. Shut downs is becoming an increasing issue for a range of reasons. Apparently from the very serious to the quite trivial. At the moment in Uganda we have an outstanding case. It is a judicial review of a decision by the state authority dealing with communications to shut down a, on two occasions the Internet. First occasion was during the election. Second occasion was during the swearing in of the President. A suit is brought against the ugh an Dan terrorist, the will bank a state owned entity complied with a order from a state owned entity without carrying out any kind of due process and acting unreasonably to concede that the, that its systems should be shut down such as individuals were not able to transfer money or do all the normal things that they should be able to do on a day-by-day basis as a consequence of this Internet shut down. That is a judicial review. That case is happening at the moment and we are hopeful that the court will take a view in relation to the manner in which the decision was made because that's the essence of the challenge that we are bringing as opposed to challenging it as constitutionally unlawful. So in broad terms those are some of the cases where we are engaged in relation to digital rights. 
But what we are seeing in general terms is we are seeing first of all an increase in our case docket in terms of types of cases that we have to bring. So we are being asked to become involved more and more in constitutional challenges relating to cyber crime laws, for example. In relation to shut downs, challenging decisions in relation to decisions by state agents to shut down the Internet, to flip the kill switch and to take issue in relation to the effects of decisions by the government based on what we say are unlawful decisions to effect the way in which intermediaries conduct their business. As far as strategic litigation is concerned we are conscious when we are litigating all of these cases that the effects of the decisions in one jurisdiction will hopefully have an impact, certainly will carry some weight in other jurisdictions. One of the important things that we saw from the intermediary liability case before the European court is the importance of ensuring communication across the world among organisations to understand precisely what is happening in relation to interference with freedom of expression and the Internet in order that we can provide for example information in relation to our cases, the litigation that we are engaged in, to assist other organisations to try to make sure that freedom of expression isn't impacted unlawfully. >> OLIVER XAVIER REYES: Thank you, Pádraig. In just a few minutes we will be taking your questions. We'll hear from two more of our panelists, taking your questions and also looking for questions online. I want to mention also that our online moderator is my colleague Oliver Reyes, an attorney from the Philippines who works with us on this programme. And I wanted to acknowledge him. Okay. Asep, a regional view, please, of strategic litigation in Southeast Asia. Thank you. >> ASEP KOMARUDIN: Thank you, Mark, for the introduction. 
My point about the, in the region of Southeast Asia, most of the Southeast Asia country, the law on the standards of human rights regardless of the existing legal framework, the guarantee of the human right. In some Southeast Asia countries have few human rights for respect. Some other with the legal framework, the condition is worse. Violations of freedom of expression, trial, independence of the judiciary, freedom independence are common across southeast Asian countries. There is no effective witness mechanism available in regional. In many government in Southeast Asia, they are increasing freedom opponents by using two of their limit the availability of this opportunity. The methods being used to restrict the Internet freedom and expressions online, including with the national security regulation and investigatory power, harassing, liberal climate also, with restrictions on civilians. The legitimate concerns about online security have resource in poorly written laws that have been broadly interpreted to strictly legitimate, an atmosphere of fear and self censorship in some Southeast Asia countries. With the recent regulation and policy development in Southeast Asia countries, we know in Thailand they have the computer crime act has been used and its through the Internet and also in Malaysia recently the amendment of the crime act and also in the Philippines, cyber preventing act also. They are releasing to limiting the freedom of act expressions. And Southeast Asia, activists and journalists are using the Internet or the cyberspace as a tool of democracy for the democracy movement. So they try some anti-government critic seeing that will be coming threat for the government. So they want to try to regulate it and then to control what happened in online with the improper regulations. 
The challenges for the lawyer in Southeast Asia, because the law is very absurd, it is becoming hard for the lawyer to defending single cases in their respective country because it is mostly the cases happen in Internet freedom in south Asia countries, not only about the legal or the law manner, but also political cases. That's why make it difficult to do defending. It is not only about the enforcing the law but it is also the political issue because a lot of maybe in Cambodia the opposite party member has been jailed because the online defamation also using the Article. It is the networking of the lawyer, so to helping each other, like the our friend from MLDI is saying that we also in Southeast Asia supporting our friend in the country to, for the single cases is sending the trial officer, or amicus brief or release the prior statement. So at least the law enforcement agency know they are watching by the group in not only in the country but watching by another group in the region. Sometimes this is becoming effective to, for the lawyer defending the cases because we got the attention and to make sure the due process of law is fulfillment in every cases, but again it is not all working because like I mentioned before, it is a political cases, so it is very hard. Meanwhile in the Southeast Asia we doesn't have regional human rights court. We had a weak human rights declaration, this is under the standard of the international human rights mechanism that is becoming one of the challenges also. And the other thing is in Southeast Asia, what we had is more basically about the freedom of expression issue. It is a bit too far for us in Southeast Asia when we talking about the right to be forgotten, when we are talking about the more technical issue in Internet Governance because so there is only a limited country in Southeast Asia that have the data protection law, that have laws protecting the data of the people of the citizen. 
And then because it is the Southeast Asia country, when there is look like some learning each other in government when it is happening in Asia, so another government will copy what then they want to have it also in their country. Some similar situations. In Indonesia also we had the regulations that we call it the IT laws since 2008. The law is already amended just last month. We had the new amendment law. There is a few changes in our IT law. In the past the IT law, we had online defamation, the maximum sanction imprisonment is six years. Today it is becoming less than six years. It is becoming four years. Then some other changes that we had a provision about the right to be forgotten in our IP law, but there is a lot of questioning about the provision of the right to be forgotten in Indonesia because it is not clearly about the what data can be asking to delay and to be forgotten. And also the one thing is giving the big authority to the government to blocking the Web site without the proper mechanism because the blocking mechanism is not need the court order in Indonesia. It is only by request, by public officials requested to our Ministry of the information desk. And then it can be blocking without the proper mechanism. That is what we are worried about the abuse of the mechanism without the proper blocking Web site itself in Indonesia. Meanwhile, the rising of the online defamation cases is quite high intensive. Until now there is ten cases every month regarding the online defamation and then based in some organisation research, the most using the Article online defamation reporting is public officials. 70 percent using the Article. And then the most reported are the public or the citizen. Because they are rating status in Facebook or Twitter or social media platform, because unsatisfied with the public policy or public services in their regions. And then it is becoming highly intensive in Indonesia. 
So with this situation it is very urgent for the lawyers, also for the law enforcement agency now about the minimum international standard of the protection of the Internet freedom. Then because in some case is in implementation in the law enforcement agency, a lack of understanding about how to handle the Internet or cyber cases. Because in every cases, they only use the screen shot of the Facebook. They don't use the digital evidence. They don't use digital forensics. So it is also the challenge for us to defending cases in court. Maybe that is for me and we can discuss it later. Thank you, Mark. >> MARK WALLEM: Thank you, Asep. So let's turn now to the Philippines. For several years they were a leader in the region in terms of freedom on the net. As of last June or July it is under new management by a colorful new leader we all have been hearing about. Let's check in and see how things are going. Cecilia? >> Thank you, Mark. I will be talking about two specific cases of strategic litigation in the Philippines. One would deal with freedom of expression in general. One specifically on freedom of expression online. So my first topic will be as regards the criminal case filed against a local activist for the crime of offending religious feelings. The case stemmed from a protest that was done by a local activist named Carlos Celdran during debate for the reproductive bill. The Catholic was the proponent of the froim and he wore a black suit and with a placard stating Damaso. That is a character, kind of unsavory religious character in a novel by Jose, the Philippine national hero. Anyway, the church filed a case against him using the little known crime of offending religious feelings. Before the case was filed against Celdran, that provision has only been used once. I think it was in the '50s. So nobody actually knew that that provision still existed in the revised Penal Code. 
So Celdran's offense centred on the fact that the Penal Code is unconstitutional because it violates freedom of expression. He was convicted by the lower court and appealed the case to the Court of Appeals, who also affirmed the conviction. It is now on appeal in the Supreme Court. Since Celdran is a popular figure in the Philippines, he has a lot of support in civil society. The support was mostly shown online. There were a lot of discussions online about his case, a lot of memes, a lot of shares and posts. And despite the fact that the Philippines is a predominantly Catholic country, people saw that the provision was actually quite outdated. In fact, even the solicitor general urged the Supreme Court to strike down the criminal law provision for overbreadth, vagueness and being an unconstitutional regulation of free speech. As I said earlier, the case is still pending in the Supreme Court. Following his conviction, there were a lot of measures also undertaken to repeal the penal provision, but unfortunately the bills that were filed have also not been passed. I will turn now to the Cyber Crime Prevention Act. I considered this as the biggest success in recent years in terms of strategic litigation in the Philippines. So as a background, the Cyber Crime Prevention Act or Republic Act number 10155 was passed into law in 2012. This took the people by surprise since the passage was done. We considered it under the radar. Because at this time the attention of the public was actually centred around the debates on the reproductive health law that was currently pending in Congress. The Cyber Crime Prevention Act was widely criticized for provisions that were seen to curtail freedom of expression. Among these were content related offenses such as cyber sex, spam, online libel. The law also empowered the Department of Justice to take down content, upon a prima facie finding and even without a court order.
So public opposition to the law gained traction due to the widespread fear of social media users of the online libel provision. The public feared that acts like liking and sharing Facebook posts, re-tweeting tweets would make them liable as the original authors of the libelous posts. So 15 petitions were filed with the Supreme Court, including three separate petitions by law makers. In its decision the Supreme Court ruled the following to be unconstitutional. The provision penalizing unsolicited commercial communication, collection or recording of traffic data in real time, and a take-down power of the DOJ without the court order. The Supreme Court also found to be unconstitutional the provisions stating that a person can be prosecuted for violations of the cyber crime law and the revised Penal Code for the same criminal act in the case of libel and child pornography. It was a mixed victory as the Supreme Court however upheld some of the other controversial provisions. The Supreme Court held that online libel was valid. However, it clarified that only the original poster would be held liable. This excluded those who merely liked or shared or re-tweeted the post. The Supreme Court also upheld the constitutionality of the penalty where crimes involving ICT will be subjected to 1 degree higher penalty. So for instance, if there is a violation of the revised Penal Code that is committed with the use of ICT, the penalty that will be imposed is 1 degree higher than the one actually imposed by the crime in the revised Penal Code. After the law was on the whole generally upheld by the Supreme Court, the advocates considered the fight to be somewhere else, either in the halls of Congress or in the streets. Also with the administrative offices, because the next step would be to come up with implementing rules and regulations. So the advocates wanted to make sure that the implementing rules and regulations would stay within the bounds of the Supreme Court decision.
Some of the efforts that were made was one, the filing of the Magna Carta for Philippine Internet freedom. What is significant about the Magna Carta, it provides an Internet bill of rights for Filipinos. Unfortunately the bill has not been filed in the current Congress but bits and pieces of it are currently pending. However, there has been no specific bill that seeks to legislate an Internet Bill of Rights. We are hoping this aspect of the Magna Carta is filed soon and we would like to encourage our Philippine legislators to do so. Several bills have also been filed, not only seeking to repeal the online libel provision but to decriminalise libel as a whole. Offline libel. There has been no significant movement for the bills as well. So given those two cases, I would also like to touch briefly on the current Philippine context in terms of freedom of expression. While the Freedom House reports continue to cite a decline in freedom of expression in the Philippines, I think that we are lucky in the Philippines in the sense that the state generally recognizes the freedom of expression of Filipinos. To date, there has not been an extensive and consistent state-sponsored or state-initiated curtailment of freedom of expression. As Mark mentioned we are under new management and we do have a colorful newment. One cause for concern was the President's recent comment stating that some corrupt journalists who were killed previously, quote-unquote, had it coming. This was seen by many as an implicit endorsement of the killing or threats against journalists. In the past year, significantly more so during the election period, we have also seen a rise in the instances of online harassment and threats. These usually arise from political posts on social media. What we have been seeing is that the harassment is usually directed at journalists and women. Comments do not only consist of abusive posts but actual direct threats of rape and violence.
In May, a female Facebook user decided to file a case against people who sent her abusive private messages on Facebook. Her case is still pending with the National Bureau of Investigation. It appears that the investigators are faced with challenges in locating the posters so that cases can be filed against them. Journalists seen to be critical of the administration have also received a lot of threats. A few weeks ago pictures of local writers, correspondents were shared by the administration supporters with the caption saying: Irresponsible journalists must be punished. These cases of harassment appeared to be concerted and coordinated efforts of the administration supporters, leading people to fear that they are actually funded by the administration's allies. Based on cases that we're seeing there is also a shift from using the judicial system to using social media to curtail freedom of expression. So I think this is a challenge that would require a different type of strategic litigation for advocates in the legal profession. That's all. >> MARK WALLEM: Okay. Thank you, Cecilia. My country will soon be under new and colorful management as well. So stay tuned for further updates. Let's stop here and see if we have any questions from the audience. We have hand-held mics here and mics at the table. Questions? Comments? Let's move on then to Kol. He is going to give us a civil society perspective. Kol Preap from Cambodia. >> PREAP KOL: Thank you, Mark. Very good afternoon to all of you. In fact, it is morning, early morning in my home country in Cambodia. So I'm glad I'm still awake. Thank you all for showing up. So what I am going to talk about is the perspective from civil society regarding the advocacy and also strategic litigation. First of all, I like to give a general quick, general overview about our context.
Our constitution, and I believe the constitution in many countries, at least many democratic countries around the world currently have freedom of expression. While people are relatively free to use online platforms such as Facebook, Twitter, Instagram and others, we have also seen many people have been prosecuted and imprisoned for expressing opinions online and offline. For example, in my country we had thousands of activists who have been arrested and put behind bars. Among these people I would like to note that there are two members of Congressmen, two Members of law makers who also have been arrested and put in jail for posting content on Facebook. And as I said, in my country there is a constitution that gives the immunity to Members of Parliament. But the government decided to ignore the immunity and go ahead and arrest Members of Parliament and put them in jail. So far it has been eight months already. And the fact that social media has influenced politics in a big way. As you know, in some cases it drives the crowds for big protests, and even drives a crowd for revolution in some parts of the world. The government often tends to overreact by taking tough measures and justifies that as necessary to maintain peace, stability, and social order, which we civil society don't see that is a real threat. Our main role in civil society, we mostly do advocacy. We are playing a role as advocates. And our voices are influential and powerful when we have strong support from the general public and endorsed by credible institutions such as the United Nations, foreign Embassies and international organisations. In Cambodia we are fortunately having a widening civil society. We have more than 4,000 NGOs registered and operating in our small country. So it is quite a big number. And the influence of civil society in the country has become the factor that our government has adopted legislations and regulations that weaken our voices.
They have adopted an NGO law, election law, and other laws that restrict our ability to work. And that has an impact on freedom of expression, freedom of Assembly. That has been over the past few years. I believe this trend happens in other parts of the world as well. I don't have to name them. I think you know that this is getting more and more familiar to many countries. We have our human rights defenders who were jailed for the past six months for doing legislative work. Four of them who are women known and who are working very hard for serving the people, they have been put behind bars. The biggest challenge for our civil society community is that the courts are being used as the arms, legs of the government and are perceived to be among the most corrupt institutions. As part of the work, because of the court is not independent and it is corrupt, Transparency International has implemented programmes in many parts of the world called the Advocacy and Legal Advisory Centre, or ALAC, which provide free legal services to victims of corruption and abuse of power and we use that data that we gather as evidence to help our advocacy efforts and do strategic litigation works. For example, when we see that many people are afraid to report corruption, we advocate for the government to adopt the whistle blower protection law. It is being drafted in our country. Nonetheless, we have also achieved something, although not as big as we wish. Until 2014, our government had been trying to pass cyber crime laws. And the draft law never has been circulated for consultation. But we were able to get a leaked copy and we read the law. It is very concerning. So many Articles that is going to cause harm and restrict online content. Thank you. In fact, it is not the issue of mine because my voice has been transformed in a different part of the continent. So until 2014, our government has been trying to pass the cyber crime law, and they never want to share the draft for consultation.
We had our people leak the copy to us, and it is very concerning. There's a lot of Articles that get us into trouble for expressing our opinion on the Internet. And they give accessory -- extra role to the authority to civilians to tap into the content and monitor our online activities. So that was something that has been discussed two years ago. Civil society and legal experts and lawyers come together and advocate and make acumen about the issues and the concerns. As a result they have pushed back and delayed the law, and until now it has not been adopted. We know that they would like to continue to adopt the law in the future. We don't know when. We have another copy and we are happy to see that some of the concerns that we raised were removed from the second draft that we have seen. One last success story is that in the past our criminal code used to punish defamation with imprisonment, meaning people can be jailed up to one year for expressing an opinion. So we thought this is too harsh. In fact, we wanted to remove the entire defamation. The government compromised after our advocacy work. They agreed to remove the punishment of imprisonment, but still keep the fine there. So it is between 25 U.S. dollars to 200400. Still, something there, but at least the imprisonment has been removed. So that is a small contribution of my note from Cambodia and civil society. I thank you very much for your attention. Happy to answer any questions you may have. >> MARK WALLEM: Thank you, Kol. That is, the beating back of that cyber crime law in Cambodia is and was a very significant achievement. We believe, though, that that is going to be brought back and put forward by the government again. So the advocates there are remaining vigilant. For now that's a very significant achievement and we are happy to hear about that. We are hearing themes here about criminal defamation.
We know that's a significant issue in many of the Southeast Asian countries and of course around the world. As we focused here on Southeast Asia we know that that is a theme that runs through many of the countries. And I found interesting Cecilia's discussion about the government-sponsored cyberbullies. I would be interested after we hear from Ricky to hear from others too if they are experiencing that in their governments, the alleged use or proven use of government-sponsored cyberbullies to threaten and intimidate government criticism. Ricky? >> L. KHUN RING PAN: Thank you very much, Mark, for this opportunity. Good evening, everyone. Please allow me to start with a brief background about our country. As you might already know, Myanmar was governed by a full-fledged military regime until 2011. The main law that has been restricting online expression is promulgated in 2004. And those laws was the electronic transaction law which can punish online expression for 15 to seven years. This is to oppress the opposition during the's owe one of the most notorious laws of all times in the past history. When the two years after the new government, the quasi military government came into power, they amended the law by repealing the mandatory jail sentence and substituting with a huge amount of fine. But we were all happy because there was not any more the mandatory jail sentence anymore and just when we were a little bit relieved about this, then in 2014 a few months after the amendment they promulgated the telecom act which criminalised online expression. For a few months this wasn't used against the online users, but just when the 2015 general election was about to be held, four political activists were prosecuted under this law and put in jail. So the main purpose of these cases is obviously to create a chilling effect for Facebook users and to take advantage in the coming election.
But in spite of it, the National League for Democracy led by Aung San Suu Kyi has won the election and came into power in 2016, April. Soon after that Aung San Suu Kyi was appointed a counselor, which is a position second only to the President of the union and became the de facto leader of Myanmar. So on the outside if you look at it, we have the democracy icon, Aung San Suu Kyi as our leader. It might create the effect that everything will be moving forward and every issue that we had will be solved in a few years. But it doesn't happen because according to the constitution, Aung San Suu Kyi doesn't control the three ministries mainly responsible for law enforcement, mainly the home ministry, defense ministry and the border affairs ministry. They are in direct control of the commander in chief and appointed by the commander in chief. It means that she has no power to govern the country with the necessary intelligence or information. So as soon as her government came to power, news about violent crimes such as murder, rape, armed robbery and other types of crimes surfaced in the media. Of course, the issues became more intense. The armed conflicts with the ethnic minorities in the border areas became more intense and it is widely suspected that it has been intentionally created to create the effect of instability in the whole country. Of course, new cases of online defamation were also filed very recently. This time it is not only about the case for defaming the commander in chief, but according to our data we have several cases. For example, we have 17 cases filed for, between private individuals, six cases for defaming the commander in chief, four for defaming the State Counselor, four against the media, two against the President, two for political parties, two for MPs, one for the military and one for the government.
According to the data we have collected so far, except for the cases between the private individuals, all other cases including cases filed for defaming Aung San Suu Kyi were not in the bill and they are likely to remain in custody throughout the trial, even though the court may find them innocent after the trial. So in order to stop all these spread of outrageous cases, defending case-by-case is not enough. We need to formulate an effective strategic litigation to stop all this. So we had several tools available on the table such as we have the UDHR, which our country has to respect and we have the human rights declaration that the President has personally signed it. And we have our own constitution that guaranteed freedom of expression as a fundamental citizen right. And we also have the section 232 of the constitution which allows private individuals to challenge the constitutionality of these online defamation provisions. Or we can challenge the prosecution and the courts, printing out the screen shots of the alleged defamatory Facebook posts and evidence must be presented properly before the courts. If we do not succeed in the court of first instance we have the option to go and take the matter up to the higher courts. We have all these legal tools on our side. But the greatest challenge we have faced at every trial is bail because it is always denied in all these politically motivated cases. The second schedule of our criminal procedure code makes it impossible to ask for bail as a right. It is always discretionary to the judge. The judiciary is not totally independent because our Chief Justice himself is the ex-military general and is widely known that he or his subordinate are always making orders on how to decide the cases, whether to grant bail or not. So in order to make effect the tools that I have mentioned earlier, we need to -- it takes a lot of time.
For example, if we were to challenge the constitutionality of these provisions, it takes several months. And then we have to consider the fact that our client is in custody, so even though we have these tools, we cannot use these tools. So we are stuck with, you know, challenging the court in the first instance and end up with our clients in jail for several months at a minimum. As far as we know, the minimum jail sentence is six months for all these political activists. But on the bright side, what we have is, we have the regional network that was mentioned by our colleague Asep. And during the course of this trial our regional network has issued statements for these cases and they also issued trial lawyers for these cases. They sent it for the clients. At one point the U.S. Ambassador, Derek Mitchell, came in person to the court and the German Embassy, the French Embassy, they all sent their officials to observe and support the defendants in the court trials. So it was, it has created a very positive effect. It has some kind of influence the prosecution as well. Because of it, because of these appearances by the diplomatic personnel we also had a wide coverage of media, both conventional media as well as Facebook media. So it still is a loss for our cases. The good thing that followed, people became aware of their rights, CSOs, NGOs, advocacy groups, unified under the same cause. And it has become public opinion that we do not want this law anymore. So the civilian government that came into power with the promise of change is compelled now to revise this law. Very recently the parliamentary Committee of the legal affairs and special issues Committee announced that the telecom law is on the top list of 488 laws that needs to be repealed or remanded. Also the bill Committee said that they are preparing a submission which will be filed probably in the next Parliament session to repeal this telecom law.
So the moral of the story of these events is that we should, even though the circumstances and the situation is very hard to fight against or is an uphill fight, we need to keep on fighting and that we need to, we need solidarity to succeed. And we need to keep on moving even though it is not in the pace we want to achieve. Thank you very much. (Applause.) >> MARK WALLEM: Thank you, Ricky. The events of the last year in Myanmar have been an inspiration to the world. As you rightly point out, now governing is a challenge. It is good to have those updates. Thank you. I know we have a comment from our colleague from the Philippines. Let's hear from Oliver and then we'll open it up to other questions and comments. >> OLIVER XAVIER REYES: Hello. I just wanted to add something about the experience with the anti-cyber crime law, whether it is being litigated with the Supreme Court and perhaps it is also a helpful message when it comes to engaging in strategic litigation because the cyber crime law was challenged before the Supreme Court even before the law was implemented. So it has just been signed by the President. It had not yet come into effect but the provisions were already challenged. It was challenged on the premise that the provisions were so offending fundamental freedoms, particularly freedom of speech that its passage would create a chilling effect on free speech. Even before the law came into effect the decision was already made to challenge its constitutionality which has the effect of at least as in the public opinion, striking while the iron is hot. But it also put the, but it would place the case in a theoretical example rather than pointing out concrete effects on how the application of this law had caused significant harm. So I remember consulting with some of the lawyers who did file those cases. That was the debate because some wanted to wait until the law had actually applied. And then you challenge it before the Supreme Court.
So at least there's something concrete, but by and large people chose to challenge the law even before it was applied. And what was curious was when the, as was said, when the provisions, especially those which increased the penalties for crimes committed through ICT, those were sustained. But there were several justices in their concurring opinions who did say that we are actually going to take a wait and see attitude. We will wait for somebody to be prosecuted under this law and maybe we will change our mind. Sometimes I think those are the factors that come in. Strategic litigation also comes hand in hand or takes advantage of public opinion and the opportunities presented by public opinion. But as you know, there are courts of -- there are judicial courts around a different temple than the court of public opinion and sometimes that's something that has to be mitigated or measured. Thank you. >> MARK WALLEM: Anyone else? Yes, please, our friend from Thailand. >> Hi, I'm from Thailand. Listening to all our friends and colleagues from Southeast Asia, we know that the problem we face is more than double. It is triple, or double layer and many things that we have to fight. Not only the litigation alone. Like the problem about the bad law, we have numbers of bad law or Asep used the law. (Audio cutting out.) >> -- like the bad laws. And also when we try to challenge about the due process, like in Thailand the due process it doesn't be considered by the judgment. Basically they are not -- they have some kind of attitude that the officer usually will not try to, how to say, harass or try to do bad things for the defendants for the accused. Due process has hardly been considered. I don't know in other countries, but in Thailand I think probably we have some similar situation on that and I agree with the friends from the Philippines. When we want to fight on this, there are many things that we have to do. Public opinion, public attitudes, how the case is easier.
The most important is about how can we encourage judicial system or improve the judicial system to understand and exercise the freedom of the people more than happens these days. We have more -- I know that we work so hard in our regions and we probably need more allies to work with because just only litigation we cannot win with a poor understanding, the norm of no respect for the freedoms of the people and the judicial system do not cross to the civil life. Thank you. >> MARK WALLEM: Thank you, and I think you make some very valid points. As important as strategic litigation can be, there are situations like the severe situation you are undergoing right now where litigation really is not just a real possibility. And I think that gets back to the point that Asep and Ricky and others were making, the regional support is necessary as well as international support, to the extent that you want and welcome it. It would be good to talk about that as well, but the regional support that they are trying to build, too, the help from the neighboring countries. I think that plays a very important role. Any other questions or comments? Yes, please. >> AUDIENCE: Hi, Jan wedding ton from the international association of journalists, we are gravely concerned about the declining situation for press freedom in the will region. Taking up the need for pressure, international pressure on these cases to make them as high as we can, it has worked in a couple of cases. In Thailand last year with the Phuketwan case and at the moment we are working hard in East Timor where there's a case happening, a defamation case happening. And shining the light on governments, so that you've got a case of the Prime Minister there taking the local journalist to court. It is such a small environment that this is devastating for freedom of expression. Where we can have journalist organisations working collaboratively in the area, in Southeast Asia we find that has some impact.
Where we can have cross couples with MLDI and others on these cases, it is really important. >> AUDIENCE: Hi, not a question but more a reflection. When you were speaking about how this case is leading to real change and the fact that, for example, you litigate one law, but the law is declared unconstitutional and then a few years later or a few months later you are still litigating, the legislation is already coming with the next version so it doesn't change anything. Also the fact that you are actually picking up some representative cases of the problem rather than really changing the practice. I haven't litigated the freedom of expression cases but I litigated a lot of anti-discrimination cases and my experience with hostile courts and with the hostile regimes to the issue is that actually the representative cases never work. I think what works is flooding courts with cases. And that is what we did on discrimination. So instead of coming one representative case, we just filed 7,000 cases, or 70,000 cases, or across all municipalities. I think the free speech advocates need to learn from successful movements in other areas and really connect to the social movements and to the people and try finding innovative ways how to do it rather than picking a journalist or someone abused on Twitter. I encourage everyone to look into it. I think also one of the most strategic litigation cases I came across recently and nobody knows about it. It is about digital rights was the hacking case. I don't know if you heard of the case of Lufthansa, and this can be actually used as a good example is when the anti-, how you call it, it migrants rights movement tried to lobby commercial carriers not to deport refugees or migrants and Lufthansa and KLM are commercial carriers were carrying these cases and they wouldn't stop. Then 1400 hackers took down their Web site for a day and staged a lot of activities around it.
They were obviously prosecuted but then the cyber court in Germany said it was a form of protest through the digital platform and the Internet was being used as a space for protest, so the same rights that apply offline apply online. If you block the government or protest in front of Lufthansa offices, it was the same as hacking the site. When talking about strategic cases we really need to look beyond our usual suspects and beyond our practices and connect to these movements. >> Just in response to that comment, I mean it is quite interesting the way in which legislation that seeks to prevent individuals, for example, from vindicating their freedom of expression, in the same way that legislation was used 15 years ago in relation to the war on terror where it was introduced with a view to allowing states to arbitrarily detain, allowing states to deport, or to engage in activities that would be contrary to human rights norms. There was strategic litigation and processes arising out of that legislation in relation to the war on terror where in the U.K., for example, you had a number of pieces of legislation that were challenged. They were challenged -- I wouldn't say the courts were flooded with cases but there were cases which were based on extremely strong facts where they managed to get the Supreme Court, they went to the European Court of Human Rights, managed to get them to say that the legislation was unlawful to the provisions of the convention and was in violation of fundamental human rights and norms. There is a lesson to be learned from transposing strategic litigation approaches in relation to other violations relating to other human rights areas into the area of freedom of expression. >> MARK WALLEM: Okay. I want to thank our Panelists. I want to thank all of you here and all those watching online. Thank you very much for attending. (Applause.) (The session concluded at 5:55 p.m. CST.)