Security threats are real. Governments are concerned about cyber warfare and related threats, business entities suffer from cyber crime in various ways, and the average user faces various forms of security threats online. These threats are real, but the measures against them are considered disproportionate and sometimes cause greater harm than the threats to be warded off. Moves to address security concerns often result in breaches of privacy. This round table was organized to bring together different points of view on Security and Privacy and to encourage a free and unrestrained debate to look for convergence in some areas between the two sides. The roundtable approached this broadly with a view to defining and enumerating concerns on both sides and looking for unseen common ground.

http://bit.ly/igf323
Panelists:

Alejandro Pisanty (Workshop Chair), Director General for Academic Computing Services of the National University of Mexico (UNAM) and Member of the Board of Trustees of the Internet Society
Prof. Dr. Wolfgang Benedek, Director of the Institute of International Law and International Relations of the University of Graz, Austria and of the European Training and Research Centre for Human Rights and Democracy in Graz (ETC)
Steve Purser, Head of the Department of Technical Competence and Security, European Network and Information Security Agency (ENISA)
Prof. Simon Davies, Founder and Director, Privacy International and visiting Senior Fellow, London School of Economics
Bruce Schneier, "Security Guru" and internationally renowned security technologist and writer
Barrister Zahid Usman Jamil, Councilor of the ICANN Generic Names Supporting Organization (GNSO) and Member of the Multistakeholder Advisory Group (MAG) of the Internet Governance Forum

Apologies:

Katiza Rodriguez, EPIC
Robin Cross, IP Justice
Andres Piazza
Jean-Marc Dinant

Audio Recording of the Workshop: http://isocmadras.blogspot.com/2009/12/igf-worskhop-323-roundtable-balancing.html

Contact for further information: Sivasubramanian Muthusamy, Isoc India Chennai, firstname.lastname@example.org

Workshop co-organized by Electronic Privacy Information Center (EPIC)

A brief substantive summary and the main issues that were identified:

Prof. Dr. Wolfgang Benedek, Director of the Institute of International Law and International Relations of the University of Graz, Austria and of the European Training and Research Centre for Human Rights and Democracy in Graz (ETC)

When 9/11 happened, the reactions were to tighten security and to introduce new kinds of regulations. Our title is large, Security Vs Civil Liberties, and balance could be refuted in a certain way. Why should we balance absolute human rights against security interests?
Article 17 of the International Covenant on Civil and Political Rights does not contain any qualifications. But Article 8 of the European Convention on Human Rights has certain possibilities for restricting rights, in particular for public safety and security. But in International covenants, under article 4 a state has to declare a state of emergency to introduce any restrictions. In Article 8 of the European Convention on Human Rights, the qualification is that such measures have to be necessary in a democratic society. We have certain standards developed by the European Court of Human Rights in Strasbourg on how to deal with such restrictions. Also, the standards developed by the European Court are restrictive on such restrictions.

During the terror attack in 2009 in Mumbai, India, many International participants of the IGF Hyderabad had to take a flight from Mumbai to Hyderabad despite adverse travel advisories. There is a certain measure of insecurity that we have to take into account in our world of today. You cannot fully avoid risks. The anti-terrorist legislation which we have seen over the last few years is under the presumption that you can largely avoid risks and therefore you have to give away freedom in order to preserve security. We have given away quite a good part of our freedom but I am not sure of its effect on security. The hypothesis is that there is a problem of proportionality between the measures of restriction and the gains on security due to the measures.

Steve Purser, Head of the Department of Technical Competence and Security, European Network and Information Security Agency (ENISA)

One of the fundamental rights of citizens is the right to understand what is going on, but we don't understand what is going on in terms of security. We use a lot of acronyms which are not easy to grasp. Citizens have to develop Electronic Common Sense - a way of behaving in the electronic world if we have to make progress.

Prof. Simon Davies, Founder and Director, Privacy International and visiting Senior Fellow, London School of Economics

Privacy was nascent and almost invisible as an advocacy stream twenty years ago. Over the past twenty years people have developed a sense of privacy as a fundamental right, though not as an absolute right. There are restrictions on privacy, there always have been. There is nothing different today from what it was twenty years ago or a few hundred years ago. What I sense is the emerging social contract which involves the right to know, the right to understand, the right to be brought into the equation of the way society works. That is part of the way people expect society to go or the way Governments to behave. A fundamental problem is that while people want to assert their right to privacy, when people talk about the right to preserve their privacy, they are constantly told to justify their position.

There is a slippage on the security end. One of the biggest problems we face in balancing security and civil liberties is that security has become such a means to an end, security has become such an industry, that it is almost self-fulfilling. For instance, in England, the government claimed that it should collect all data related to cars going in and out of London for national security purposes. The objection was to this idea of hijacking data from the congestion management system in the name of security without providing any evidence or adequate justification, without providing a matrix by which it could be judged, examined if it is a justifiable claim, while data protection rights are eliminated in the name of National Security. The objections were thrown out because the Government maintained that the citizens can get information about what the Government is doing, therefore the rights are asserted. The information that we get is that the Government is collecting the information. This is a vicious loop and exemplifies the problem we are facing.

National security and security in general are a means to an end, it is not quantifiable. Try getting the FBI or CIA to quantify their claim of national security for privacy exemption - it is extremely difficult. There is a disconnect between the expectations of citizens who want to assert their privacy rights and the expectations of many security professionals who believe that the mere mention of the word security should give them a golden pass through the privacy conundrum. That is not an emerging problem, it is a growing problem, the one that we have to deal with.

Bruce Schneier, "Security Guru" and internationally renowned security technologist and writer
We are here having this conversation because the Internet in a sense is a very identifying technology. Someone who wants to send an email needs to know where you are. When you send a query to a search engine, the search engine needs to know where to send the information back to. Internet and Information Technology have a lot of identity embedded in, but it is sloppy, because it is the computer that is identified, not the person. There is a lot of identity, but there is a disconnect between the computer and the person in the chair, a disconnect between the network and the person. This sloppiness is bothersome to a lot of people in government or corporations who want to use their data for political purposes or for marketing, for control. We have entered an era where national security is the pass to do anything, in a way that it was when there was a war on drugs ten years ago that you can use that phrase to justify anything.

There is a widespread belief that there is a situation of Security Vs Privacy, that in order to have security you have to give up your rights to privacy. If you want more privacy, you have to give up security. This is meaningless. For instance, the metal detectors in a building are a security measure, but they have nothing to do with privacy. The locks that we use in a hotel room are essential to security. That is nothing to do with privacy. There are dozens, hundreds of security measures that have nothing to do with privacy. Identity-based security has to do with privacy. There is a widespread belief between governments and the corporations pushing these technologies that if we knew who everybody was we can pick out the bad guys. This is fueling the desire for information which is pushing on our privacy.

Already the police have extraordinary powers to invade our privacy, but there are limits on that power. There is a warrant process, a disclosure process, a judicial process, all designed to limit the powers when they invade our privacy. That is a key thing to pay attention to. The only thing security vs privacy if we look at one threat. We live in a world where there are many threats. Terrorists are a threat, repressive governments are the second threat, unethical corporations are the third threat, nosy neighbors are the fourth threat. When you look at all the threats you quickly realize that privacy is not antithetical to security, privacy is a component of security. In order for us to be secure we must also have privacy. They are not in opposition at all. By giving away our privacy in some misguided attempts to make us secure against terrorism, we are actually reducing our security against governments, against multinational corporations, against those who are in power. Privacy is empowering. Giving privacy to people raises their power with respect to government. That is why it is important and that is why it is part of security.
Barrister Zahid Usman Jamil, Councilor of the ICANN Generic Names Supporting Organization (GNSO) and Member of the Multistakeholder Advisory Group (MAG) of the Internet Governance Forum
Corporations tend to want to identify users and collect a lot of data. From the user perspective, in social networks, there is anonymity. One does not have to disclose information, or present a national identity card. One can have multiple identities, but law enforcement can trace the IP address from the MAC address. Businesses have to maintain a certain amount of credibility, a certain amount of security for consumers about their privacy. To that extent it is imperative on the part of business to maintain privacy; the difficulty is when they are faced with national regimes who wish to make use of the data that businesses have collected. This is a challenge for business. Do businesses avoid regimes that don't respect privacy? Too much regulation legislation affects innovation. It is not practical for business to avoid territories that are not completely free. It is important to make consumers feel secure about the privacy of their data.

Steve Purser, Head of the Department of Technical Competence, ENISA

There is a need for a cultural change, a need to develop electronic common sense. People need to develop a basic risk management strategy by which they can handle all risks on or off the Internet. Legislation is a clumsy tool, a heavy-handed tool; it takes time to develop, and by the time it is developed it becomes obsolete. Legislation is national. Internet is global. Legislation does not satisfy needs. It is softer measures, proactive, preventive measures that will win the day.

Bruce Schneier

If we examine the history of common sense, we find that it is slow to develop. New technologies can take 20 or 30 years before the new generation develops common sense. It is clumsier than legislation. It takes even longer. Legislation becomes obsolete by the time it is enacted, so it is clumsy. Common sense is clumsier than that. We live in a world that changes faster than ever before. A thousand years ago, one did not see anything new in all his lifetime. Now we see something new every year. We might be living in a world where common sense can no longer catch up. It changes so fast that it is impossible for people to integrate new risks, new trade-offs, new socialization, faster than they change. Twitter did not exist two years ago and there may be something new two years from now. By the time we develop common sense about Twitter, it is too late, Twitter may be gone. Younger generations are better at detecting nonsense on the Internet. We might be heading to an era where common sense becomes obsolete. We don't know what that means to society.
The phase of change is such that common sense cannot engage the problems we face. We face the interesting dilemma similar to the migration from agrarian to the industrial, to the cities. Legislation ultimately had to take over. Industrial health and safety, for example, had to be taken over by the state as a requirement. We don't want that to happen in the Internet. Perhaps we need to find another formula, perhaps we have to lean towards engineering solutions.
Prof. Wolfgang Benedek

There is considerable difference between north and south; privacy as known in the North is not known the same way in the south.

Zahid Jamil

The European debate, the American debate on Security Vs Privacy, it is not a debate that translates well in some developing countries. It gets misunderstood, misused, misinterpreted in developing countries and actually affects freedom of expression. For instance, it is not possible for Internet users in Pakistan to tune into Hulu video casts on their laptops because these are prohibited from broadcasting in Pakistan. VOIP cannot be used because it affects [telecom] business. Skype is blocked in many countries. Had there been a debate when began, some governments might have decided that the Internet would be undesirable because there is pornography. Users won't know what to do, because things are moving too fast from a southern perspective. Legislation about privacy would lead to legislation on morals.

Alejandro Pisanty (Workshop Chair), Director General for Academic Computing Services of the National University of Mexico (UNAM) and Member of the Board of Trustees of the Internet Society

The legislation and rules that protect privacy are sometimes seen as a huge obstacle to protect people in enforcement of the right to safety and security. Privacy rules from telecommunication law in several countries make traffic data - for instance, who is calling who - confidential. If there is a kidnap or extortion going on, the police force cannot get the traffic data in a timely manner to follow up and persecute the criminals. The procedures that the law and order agencies have to go through will allow time for a kidnapped person to be killed by the time the warrants are obtained to get the phone companies to release the necessary data related to a phone call or the IP address information for an email message associated with the crime.
Rebecca Mackinnon, Co-founder, Global Networks Initiative

In China, measures ostensibly to protect children are used to control political content. Measures to fight terrorism are used to oppress minorities, while at the same time there are legitimate concerns among people in China about crime on the Internet. So we do have these universal concerns but they play out in different regimes in very very different ways. The danger of unintended consequences is that certain regimes use what is happening in the West as an enabling excuse to solidify their powers. So it is very difficult to have one size fits all type of legislation. Legislation is an over-blunt instrument. Companies are caught between governments and citizens. In some places governments can be a force for good in law enforcement, but in some cases they are not. So an initiative such as the Global Networks Initiative, which is a multi-stakeholder initiative of which Google, Yahoo and Microsoft at present form part, becomes relevant in arriving at base principles on free expression and privacy. As these are applied, how each company approaches the base principles depends upon the specific circumstances in a specific country, so the multi-stakeholder process arrives at benchmarks. In some cases legislation may be helpful, but in other cases government is part of the problem.

A gentleman from the Asia Pacific region:

In Asia Pacific most of the problems related to Security and Privacy come from Governments. Governments have their own explanations; National Interest is higher than personal interests. This gives governments the excuse to compromise on personal privacy.

John Laprise, Northwestern University Qatar

There is a semantical issue that exists within the US Government. There are two parallel privacy definitions. On the one hand there is the traditional protection of privacy, which is protection from intrusion by governments. At the same time there is a responsibility of the federal government to protect their citizens' privacy from intrusion by outside the country. In the United States the latter definition always triumphs the former definition. In the post 9/11 environment, measure to sift through external communication is done in the name of the second definition of privacy.
Audrey Ponk, Intel Corporation

We need accountability mechanisms rather than overly burnt legislation. There is evidence of movement towards developing accountability mechanisms. How can we find accountability mechanisms that find a middle ground? One example is about how law enforcement agencies obtain crucial information in a time-sensitive situation, for example in a situation where a hostage could die if the information isn't available in time. There are cooperative mechanisms, accountability mechanisms that have worked in the past, in different jurisdictions globally, not to circumvent but to enhance the judicial process, so that corporations who hold private information or access to information can work together to get critical data in critical situations and release the crucial data. By these cooperative mechanisms law and order agencies have been able to obtain crucial information in time.

Alejandro Pisanty (Chair)

Historically, mostly in Europe, Privacy was split into Private Life and Intimacy. It was found that it was very hard to protect them legally. Personal data is much easier to define and legislate. Personally identifiable data is in the hands of the State. This data is of two types: that which is mandatory, as in tax return data, and that which is provided to the State as optional information or obtained by the State legally or illegally by surveillance, espionage and other legal and illegal means. Then there is data in the hands of private parties.

There are three kinds of law. The law in Europe, which is extremely exacting and demanding, with all kinds of rights embedded in the legislation for citizens. Users have all kinds of rights whether to allow or disallow transfer of the data. Another would be the US kind of view. In the US private data is handed out voluntarily to business establishments, like information disclosed voluntarily to the local mega store or video store. It is assumed to be voluntary. Many companies are sloppy about data protection. The market hypothesis is that one can choose the companies that are good at data protection, which is also equally sloppy as a hypothesis. in protecting the data. The third would be the law prevailing in the rest of the world, which is the law of the jungle.

The split between intimacy and data protection looked right 30 years ago. Now even extreme examples of intimacy provide digital data recorded in a permanent form. This gives rise to some very complex situations, whereby our intimacy has also become a provider of data.

Steve Purser

For every rule with a good example, there is one with a bad example. Context is enormously important. In security there are very few tools and it is a question of using the best tools. Let's talk in terms of alternatives. One is the idea of common sense, which is limited. One is the idea of using legislation, which is slow. The third is the idea of using software, but the human brain is more powerful than software. We need to develop Electronic Common Sense. We know that there cannot be 100 percent security. If someone is to approach on the street and ask for details one is cautious, but it is amazing how much information is shared in a chat room.

Wolfgang Benedek
When it comes to law enforcement, the mechanisms are there. Particularly after the Madrid and London bombings. In Austria, the police have to simply sign a form; these provisions are used mostly in case of saving someone from suicide. That would be a computer search and would require a warrant from a judge. But in Europe there are data retention directives that require data to be retained for a period of 6 to 24 months. Vast amounts of data are to be collected allegedly for anti-terrorism, anti-crime measures. It goes beyond reasonable limits and is disproportional to keep all this data. This directive is challenged together by business, civil society and by governments. Austria has challenged it in court and has asked human rights groups to suggest ways of implementing the directives in the most human-friendly manner. The US has been secretly collecting SWIFT and credit card data, and when discovered, the US is negotiating with European governments to do this transparently.

Bruce Schneier

Social network sites avoid any mention of privacy as they want the users to share information. But they have very exacting privacy rules that are buried and they are very hard to implement. It is wrong to think that people will get better choices if companies compete on privacy. The goal actually is not to give people better choices; often the goal is to make better profits, which they achieve by giving people fewer choices.

Zahid Jamil

Data retention is a serious concern for business. It is a cost issue. If we concentrate on security aspects, it is important that we don't confuse the developing countries in the very high level of some of the discussions. It would be useful to come down to developing countries and make them aware. There are such a lot of obstructions created in evangelizing, informing or making developing countries aware of the benefits of the Budapest Convention on Cybercrime. It is not a law enforcement agency tool, or for cooperation between governments. It has specific human rights articles that require safeguards, due processes, judicial oversight, all of which get lost in translation and are not conveyed to the civil society in the country. There were specific clauses and articles that were removed from the legislation when these model clauses go down to developing countries. Nobody was made aware of it. This is a convention with some balance; this convention needs to go down to the developing countries. It needs to be explained to business that the model clauses from the EU on data transfer are a framework. If the developing country does not have the legislation, the businesses at least have to subscribe to the model clauses. These are duties and obligations if businesses in a developing country have to do business with the European Union.
Simon Davies

Companies have to somehow ignore privacy. One of the ways privacy isn't invaded through exception, in the name of public security. In the movie Batman the Dark Knight, Batman has built the capacity to look into all mobile phones in Gotham city. The dialog against the use of such technology is revealing.

http://warnerbros2008.warnerbros.com/assets/images/TheDarkKnight_Script.pdf

INT. LAB, RESEARCH AND DEVELOPMENT -- DAY

Fox enters the dimly-lit room. At one end is an extraordinary array of thousands of tiny monitors. Fox approaches, fascinated, as they quietly display architectural patterns individually and in concert. The images become a MAP.

FOX: Beautiful. Unethical. Dangerous. You've turned every phone in the city into a microphone...

Lucius presses a key. The BABBLE of a MILLION CONVERSATIONS at once fills the room. Every cell phone in the city.

BATMAN: And high frequency generator/receiver.

FOX: Like the phone I gave you in Hong Kong. You took my sonar concept and applied it to everybody's phone in the City. With half the city feeding you sonar you can image all of Gotham.

Most privacy is systematically invaded. Whether it is Batman or the real world, if citizens are to give away privacy, the authorities have to be more accountable, they have to give away some of their secrecy, legacy of being able to hold back. That would be an enduring formula for the protection of privacy. If we can keep that as a concept in mind, then many of the problems of privacy systematically will disappear.
Wolfgang Benedek

In the process of bringing the cyber-crime convention to developing countries, the human rights dimension is lost. The problem is that in the Cyber-crime convention it is said that the human rights part is left to the national governments. This is a structural flaw in the cybercrime convention, that human rights concerns are not included on the same level as security concerns. More has to be done in order to get the full concept across. We have some orientation, from rules. In International Covenants on Civil and Political Rights, Privacy is not explained in any large way. APC in 2001 in its Internet Rights Chart tried to translate privacy into this environment. This is being updated to bring it up to actual needs. Stakeholders are not against human rights.

Zahid Jamil

In developing countries there is one convention available, one standard. We have a model law from the Commonwealth which is based on the Budapest Convention. We will take something out of the convention for privacy and human rights. That convention focuses on preservation and not on data retention. Second, it talks about judicial oversight, due process, and incorporates the UN convention on human rights and the European convention on human rights. These clauses have to be explained to the developing countries, otherwise it is only the Security protocols that are adopted and nothing else.

Investigating agencies ask for information. To what extent are the law and order authorities themselves accountable? Developed countries have tribunals to look into the use of regulatory powers but such accountability mechanisms do not exist in some developing countries. These are aspects that need to be looked into. There is a lot that each of us can do to protect our privacy. The framework of Rights against Obligations applies to citizens and not to Governments. There is a real imbalance.

Bruce Schneier:

There are some rights that simply come as rights. That is the way the world has to work. If people are going to throw their private data without worrying about consequences, it wouldn't help. One obligation is to behave responsibly while giving out data. Another has to do with delegation.
Sara, State Department, United States of America

The e-government Act in the United States requires the Government to disclose what it does with personally identifiable data collected. There are privacy impact assessments published which can be shared with developing countries.

Zahid Jamil

The best practices can be shared with the developing countries, who can determine the level they want to implement.

Bruce Schneier

The number of exemptions to that act make it irrelevant.

Eric Iriarte, Peru

The United States was to sell some arms to Chile, which transparently appeared on the US government website. In Latin America there are no laws for data protection; laws are based on security. In Mexico there is very quick movement for access to information, without any privacy laws, which means access to information is sought without any cause.

Pranesh Prakash, Center for Internet and Society, Bangalore, India

A lot of debate is happening on a theoretical level. A lot of good ideas are coming out. These ideas have to be translated into good systems of governance in countries like India. Consumer organizations are trying to make human-readable privacy signs such as that of the Creative Commons. Concerning citizens' privacy, a lot of systems that have been discredited by Bruce Schneier, such as key escrow, are sought to be brought to India. There is a national ID scheme that many countries are freezing. In India open wireless is no longer allowed without being registered with Government. There have been debates on these issues, but these debates find actual recognition in the governance systems. That translation is very important.

Concluding Remarks from Panelists

The debates taking place across the pond have to be relevant for other countries and it should be made sure that it is not mistranslated.

We need to think of data as the pollution problem of the Information Age. All processes produce it. It stays around. It has some secondary uses and has to be disposed of properly. Just like in the Industrial Age, in the rush for progress in the Information Age, we tend to ignore pollution, ignore the issue. The decisions we make today will have a profound effect in the next ten, twenty, fifty years.
Are you afraid that our children will ask us tomorrow "Why didn't you forbid me to put my data in Facebook? I can't get a job"? Actually that is not true. There is the greatest generation gap since Rock and Roll. That is the old generation talking. We already have CEOs who blog. Soon everybody will be on Facebook. We can't tell our children not to do something. They are right and we are wrong.

Security is not in general algorithmic. Most good security solutions need a lot of brain power. We need to look at alternatives and choose wisely. We have three social solutions. One is the idea of good practices, or electronic common sense. One is the idea of intelligent software, the third is legislation, and each has its place and the key to issue is using them wisely.

The Internet is one of the large spaces where there is large freedom. This obviously makes government uneasy and find ways of control. In Europe there is a proposal to give one single identity to every Internet user who has to disclose it every time he goes online. We have to make sure that it does not happen. The security debate has a chilling effect on privacy and other civil liberties. We have to explain civil liberties to all stakeholders in a way that they are not afraid and make them see them as a common way of interacting in cyber space.

When in future is so obsessed with exposing themselves, privacy would lose its importance. People would be suspicious of non-disclosure.

I am wondering if we left the engineers out. I am wondering if we can do something in the next 12 months which involves the engineers. We have to get the engineers involved. That is one of the missing ingredients.

Can we ban the word security for a year? Security is a very charged word. Can we use the phrase risk management instead?

There are lots of different words: security, risk, privacy, vulnerability, different shades of the same thing. We have to hit security head on. It is emotionally charged and you can't ignore the word, can't ignore the emotional charges. One of the reasons why we have nutty policies in my country is because people are afraid. Fear. That is another word. These words are important. The emotions are important. And the meaning, right or wrong, erroneous or true, are all important. This is hard, not easy, it is not new. The old notion of security is as old as multicellular life. The first thing that you will introduce to life forms is how to reproduce, how to eat and how to avoid being eaten. This is it.

Security is not black and white, it is shades of grey. As we move further and further into technological development we have to understand that we are less in control. There we see Bruce's point about data pollution a good one. The classic book on security says first list your assets, then value your assets and then protect your assets. A lot of companies don't even know their assets. And by the time they define their assets, it has all changed. Part of security is compromise. It is being able to live with a bit of fussiness and taking the best alternative that is open to you. I do like the analogy of risk management. It is essentially risk management of a particular sort.

Alejandro Pisanty, Chair: Thank you very much. We can call this to a close.

Conclusions and further comments:

National security and security in general are a means to an end, it is not quantifiable.

Citizens have to develop Electronic Common Sense - a way of behaving in the electronic world.

We have given away quite a good part of our freedom but its effect on security has been less than proportional.

Privacy is not antithetical to security, privacy is a component of security. In order for us to be secure we must also have privacy.

There is considerable difference between north and south; privacy as known in the North is not known the same way in the south.

The danger of unintended consequences is that certain regimes use what is happening in the West as an enabling excuse to solidify their powers. So it is very difficult to have one size fits all type of legislation.

We need accountability mechanisms rather than overly burnt legislation.

If citizens are to give away privacy, the authorities have to be more accountable, they have to give away some of their secrecy, legacy of being able to hold back. That would be an enduring formula for the protection of privacy.

There is a structural flaw in the cyber-crime convention, that human rights concerns are not included on the same level as security concerns. More has to be done in order to get the full concept down to the developing countries.

Developed countries have tribunals to look into the use of regulatory powers but such accountability mechanisms do not exist in some developing countries. These are aspects that need to be looked into.

The best practices can be shared with the developing countries, who can determine the level they want to implement.

A lot of debate is happening on a theoretical level. A lot of good ideas are coming out. These ideas have to be translated into good systems of governance in countries like India.

We have to explain civil liberties to all stakeholders in a way that they are not afraid and make them see them as a common way of interacting in cyber space.

Sivasubramanian M
President, Isoc India Chennai
email@example.com