FINISHED COPY
SEVENTH ANNUAL INTERNET GOVERNANCE FORUM
BAKU, AZERBAIJAN
SUSTAINABLE HUMAN, ECONOMIC, AND SOCIAL DEVELOPMENT
7 NOVEMBER 2012
11:00 AM
SESSION 172
CLOUDY JURISDICTION: ADDRESSING THE THIRST FOR CLOUD DATA IN DOMESTIC PROCESSES
* * *
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
* * *
>> RAPPORTEUR: Thank you, everyone, for coming to the session today. I want to make sure everyone has headphones. We are trying to resolve some trans-border threats to civil liberties posed by the move to the cloud. If a baseline of privacy protection can be assured, concerns over limiting data flows on the basis of jurisdiction will be alleviated. This panel will be divided into two parts. The first part will discuss some of the challenges raised by the cloud environment for traditional civil liberties paradigms. The discussion in part two will be solution-driven. What rules can be put in place at the international or national level to alleviate the heightened risk to privacy and other civil liberties raised by the cloud-centric model? To my right I will invite first Mr. Bertrand LaChapelle who is the Programme Director at International Diplomatic Academy. He will raise the concerns or the challenges of jurisdiction on the cloud. Welcome, Bertrand, thank you so much for coming.
>> BERTRAND LaCHAPELLE: Thank you. So my name is Bertrand LaChapelle. I am at the International Academy leading a programme called Internet and Jurisdictions and if you have looked in your bag you may have seen this brochure and the invitation to the workshops we hold on Thursday and Friday on those topics. I'm glad the opportunity is given to highlight a few points regarding jurisdiction. In the last year and a half, this word "jurisdiction" has popped up in discussions where it was relatively rare before.
The challenge that we are witnessing with the tension between the horizontal cross-border nature of the Internet and the vertical system of national jurisdiction is growing. I want to make a clarification, first of all. The Internet is technically borderless. It is not based on a geographic architecture. However, this does not mean there are no borders and jurisdictional borders on the Internet. When you move from a website in .com to a website in .cn you are crossing borders even if you don't understand it. You may be crossing from France to Belgium without any control, nonetheless, you are under different jurisdictions. The key problem is that therefore we should talk about the Internet and the Internet spaces, the geography of the jurisdictions, do not map one-on-one the physical jurisdiction of the different countries. Without getting into details, there are extensions of the power of sovereignty outside, and vice versa; there are situations where the citizens of one country are actually under the quasi-jurisdiction of another because of the types of Internet applications they use, because of the types of the domain names they have bought. To give you one concrete example, you are probably familiar with, when the website was seized by the Homeland Security arm, the ICE arm of Homeland Security because it was bought by a Spanish operator through an American-based registrar, there was a de facto extension, currently legal in the current architecture of the national sovereignty over the territory of another country. And there are many other examples of spillover effects like, for instance, when the filtering that is applied to some ISPs in India filter down to Oman because of the arrangements between the operator in Oman and the telco operator in India. I don't want to get into detail but I wanted to highlight we are witnessing a situation where the exercise of national sovereignty has potential trans-boundary impacts on another territory.
The problem is that for a lot of platforms and services that use the Internet and target users around the world, there is a tension between their terms of service and the national laws of all the countries they operate in. Without getting into details, what I want to highlight is the danger or the situation that we are witnessing today is not the type of situation we had in the past whereby sovereignty was working by separation. It is still about the clear frontiers where the sovereignty of one country is on one side and another country is on the other side. What is at stake is the management of sovereignty and jurisdiction over shared spaces. And overlayering of jurisdictional competence rules that take into account -- here again, not getting into too much detail -- criteria that are the location of the user, the country of incorporation of the platform of operator, the location of its servers, and even the type of domain name that this operator is using or where it bought the domain name in question. So to bring this larger picture of overlapping jurisdictional problems to the question of cloud computing or cloud services, if you take into account location of servers to apply jurisdictional criteria, you have a new type of tension. The benefit is precisely the data is distributed on several servers that ideally are distributed around the world to provide the better quality of service. If you need to have an application of all different jurisdictional criteria based on where the service is, you destroy the very purpose of cloud. As an illustration of this problem, you may not know that Jimmy Wales, founder of Wikipedia, says that he does not put any server for Wikipedia in England because of the libel laws in Great Britain that would not be compatible with the way Wikipedia works. Wikipedia as a matter of fact is a typical example of the kind of problems that cloud computing may more than other actors experience with the patchwork of jurisdictional criteria.
>> RAPPORTEUR: Thank you, Bertrand. Now we are going to have a discussion about recurring problems that have arisen in many comparable online contexts when it is related to the cloud. We have legal obligations. Some governments, some governments are discussing some new legal obligations to build in intercept capacity into Internet services, whether it's Canada, UK, United States, United States in previous years, and some other challenges regarding voluntary sharing of data when, for instance, even though they, the police will need a warrant to access communications, sometimes there are no -- there are immunity -- no liability in the statute is the sharing the data voluntarily. And if they need to share it, we should know the limits. There are a lot of challenges right now taking into account that lately we are using the cloud in our daily lives, we are relying more and more on cloud services, and all the data that in the past was in a house or an office are now moving to the computers. It's not any longer in the hand of each of us in our house but in the hand of third-party providers. So we are going to invite Ian Brown. Ian Brown, where are you? He is Senior Research Fellow at the Oxford Internet Institute. He is a well-known academic; he has also written recently a report for the Global Network Initiative on cloud computing. Thank you for coming, Ian.
>> IAN BROWN: Thanks, Katitza. I'll say a bit about the UK in this first part because I think the UK is really a leading government on Internet surveillance in ways perhaps the civil liberties community would not like. Let me briefly, Bertrand, on the libel side, that libel question that Jimmy Wales raised is very interesting because in a way the UK libel law is an illustration of almost pre-Internet, very sweeping claims of jurisdiction within the UK that in an Internet era are very problematic.
And I don't like to disappoint Jimmy Wales but the fact the servers are not in the UK would not prevent the UK courts from finding a connection to English law! (Laughter) Although we are trying to reform our libel laws right now. Lawful intercept in particular, let me say a few words. Current government actually current government and the previous government have been developing for several years now at new lawful interception requirements on communication service providers. Like many other countries, including the U.S., we have had for a number of years requirements that telecommunications service providers have a lawful intercept capability. That is to say, if a government agency comes to an ISP or phone company with a lawful warrant in the UK case, not a court order, a warrant signed by the Secretary of State, cabinet member, authorizing an interception, then the Internet service provider has to be able to undertake that interception. Alongside that, again, like many other jurisdictions, we have laws requiring Internet service providers to keep basic communications records about what their users are doing online. When they were connected to the Internet, who they have been communicating with via e-mail and the case of phone companies via mobile telephones and also some specific information about location of the phones that must be recorded. That is an EU-wide requirement under the data retention directive although that was driven by the UK and the UK had broader retention laws before the European data retention directive came into place. The UK law enforcement and intelligence agencies are now complaining that the data that is retained about people's Internet use is not broad enough.
As people move from traditional e-mail to things like social networks and to communicate instant messaging, even online virtual environments and online games, those agencies are concerned that they will lose the capability to put under surveillance people that are using those mechanisms to plan and commit criminal acts. Therefore, the government, current government, has proposed a very sweeping bill in Parliament which is currently being looked at by a special select committee of Parliament that would really potentially broaden out those requirements for intercept and this particularly storage of this communications data about what people are doing. It could even go as far as under the text of the bill giving the government the ability to require not just Internet service providers but actually pretty much anyone providing any kind of communication service online. To some extent it could be argued even down to an individual that was running something like a Tor node on a home PC to record this communications data and also to facilitate the recording of communications data and intercept. Right down to the level of specific algorithm, cryptographic algorithms that a system could use. Mobile phones of course encrypt voice, Tor is encrypting data packets so very broad-ranging bill. Lot of criticism from the civil liberties community and it's not clear whether this bill will pass into law as is or will be amendments in Parliament or whether the government as has happened in the past with this type of legislation may have to step back, withdraw the bill and introduce something more limited in the future. I just will say a few other things about the UK regime that I think are interesting for this discussion. A big issue as Katitza mentioned about privacy of people's communications records especially but more broadly data about activities.
In many countries, including the UK, government agencies can ask companies that hold that data to voluntarily provide it to the government agency. In the UK the Data Protection Act specifically allows for purposes related to criminal investigations, a broader range of purposes than that for data controllers to voluntarily provide data to the government and in trying to work out as I did for an academic article earlier this year which you can find online called Government Access to Private Sector Data in the United Kingdom. I suspect, although I can't confirm because there are not procedures by which these voluntary provisions of data have to be notified, say, to the information commissioner, the data protection regulator for the UK, certainly not made public or notified to the people whose data is being handed over, there is no central point at which you can find information about that. I suspect there is a lot of this going on, a lot of data flows from the private sector to UK government agencies that are not transparent and notified to individual users. I think that's one big problem. A second problem is that the UK surveillance regime in general is very untransparent. People are not notified if they have been the subject of investigation after the investigation has closed, which would be a good way of trying to prevent abuse. The normal courts do not by and large have jurisdiction over how these powers are used. Intercept evidence is not allowed in court cases because the intelligence agencies worry that would reveal their methods and sources. So in day-to-day hearings courts are not looking at the evidence and whether it was lawfully obtained. There is a special tribunal that exists to investigate alleged abuses of interception capabilities by the intelligence agencies.
However, they hear very few cases because how would people ever know if data about them or their communications have been intercepted if they aren't notified or there is not some other organized way of that notification happening? In practice, that tribunal has only I think in -- it has heard a few hundred cases during its lifetime of about I think a decade and it has only found in favor of the complainant in I think six cases the last time I looked at that. There is limited information about their decisions, of course; they won't publish full details about what was alleged. Then finally I think again interesting in the UK for the broader discussion, the ability for one-stop shop access by government agencies to data about people's online activities. We certainly have the case in the UK that accredited police agencies are able on a particularized but automated basis to access communications data about people. So records of what people have been doing online today, that's reasonably limited, that communications data, just basic data about their -- when they were online, their subscriber data, names and addresses, ISP holds, who they were talking to by e-mail. A big problem if you massively broaden out the scope of this communications data as the communication data bill would, then you are talking perhaps about a lot of other information about people's online activities and social networks and online games, more geolocation information in total which will paint a very detailed picture of an individual's life. I think there's now a false dichotomy in many countries' laws between contents of the communication, what's in the email, which in many countries is strictly protected, versus this communications data, these records about what people are doing which are becoming richer and richer and broader and are accessed under much less strict safeguards. 
That is something that the cloud will make even worse and I think we have to think very carefully about and we'll come back to solutions later in the session.
>> RAPPORTEUR: Thank you, Ian. It's interesting the comments you make about the voluntary sharing. I believe that not only that's a bigger problem for especially small companies who might not have the capacity or resources to be able to challenge those requests or that political pressure from the government. Okay. So now we would like to learn a little more about the challenges that are being -- happening in India. We have invited for that Eleni Hickock, policy associate for the Center for Internet and Society in India.
>> ELENI HICKOCK: Hello, I'm Eleni Hickock and I work for the Center for Internet and Society based in Bangalore. It is an NGO so I'm representing the Civil Society perspective of these issues. I think what we have seen from the Indian government and their response to the cloud and some issues that have arisen is that traditional forms of lawful access are not applying to the cloud because of the distributed issue and the jurisdiction issue. I think the Indian government looked toward (indiscernible) to solve that but that is not working and many people in India are unhappy with that process, so I'm sure you guys have heard about the RIM scandals so the Indian government has been asking for blanket access and encryption keys from different server providers to monitor these communications and monitor the data that is happening and going to other countries. So far the government has asked for RIM keys and finally RIM set up in Mumbai and now again RIM has suggested that intelligence agencies in India have the capability or create the capability to intercept those communications as well. I think there are a lot of factors that play into this response from the Indian government and a lot of factors in India that also complicate this issue.
So for one India does not have a comprehensive privacy legislation. That creates vulnerabilities for data stored in the cloud and stored in India in general. I think also service providers in India are disincentivized from not providing and not complying with lawful access requests or access requests from the government because of heavy penalties the government puts on non-cooperation. So, for example, service providers can be put in jail or imprisoned for seven years for non-cooperation. This has actually changed over the years. The Telegraph Act first said they would be penalized with six months in prison and now the ITA says seven years in prison. At the same time intelligence agencies are not held liable for illegal interception that happens. There are issues of liability and also there's no incentive for service providers to really protect information and not hand it over to intelligence agencies. I think you have also issues, cultural factors as well, feeding into the government fear and why they want to access all this information. This might be very much a developing country issue that needs to be taken into consideration when we look at principles. There are internal threats that are very real and India has a huge population. Lots of diversity in religions and ethnicities and these are all factors the government tries to balance and it gets augmented when suddenly the information is stored on the cloud. I think you have seen some emerging trends from the Indian government so there is emerging legislation coming out that is asking for a broader retention of data and longer retention of data and at the same time, there is unclear authorization as to who can access that data. You have authorization standards lowering, broader retention standards happening, and this is complicating civil liberties, as Katitza pointed out. I think there is also a problem with implementation in India.
Though there are safeguards that do exist in the Indian regime these are not always followed and leaks happen and data is not handled as it's supposed to be handled and you have problems with chain of custody. You saw the (indiscernible) tapes; that's one example of these issues. I think that's a short summary of some of the issues that developing countries have around this issue of lawful access and some of these issues are augmented or exacerbated by the cloud, I think.
>> RAPPORTEUR: Thank you, Eleni. We have the Civil Society to be able to challenge surveillance because the programs are sure that -- shrouded in secrecy because individuals are never made aware because of standing issues, et cetera. Some companies like Twitter and Google have been trying to shed light on these issues and we have invited today Marc Crandall from the global compliance team in Google to shed light a little about the problems with the transparency report and whatever reactions from the panel.
>> MARC CRANDALL: I think at Google one of our primary concerns, particularly within the United States, is reforming our existing government access laws when it comes to online information. For example, in the United States we have something called the Electronic Communications Privacy Act, passed in the 1980s, which involves the steps that governments have to take in order to obtain information about users online. We think that those laws, for example, need to be updated so that the protections that exist for information that is in your home also exist for the same type of information that would otherwise be stored in the cloud. In that respect, we take a leading role in what's called the Digital Due Process Coalition, which is a reform advocacy coalition involving this type of law which we just talked about. Essentially we'd like to see these laws modernized in a number of ways, better protection of data stored online, similar to what I just mentioned.
We feel the government must first get a search warrant before obtaining private communications or documents stored online. Government requires process in order to get this information typically but we would like to see the same for online storage as what would otherwise be required for the government to go into your house. We'd like to see better protection regarding location. We want to see better protection regarding location privacy. We think the government should also get a search warrant before tracking location of your cell phone or other mobile communications device. We think it should be updated in that regard as well. We all use -- a lot of us, I should say, use devices that have location capabilities and that should require equal protection. We'd like better protection against monitoring of when and with whom you would communicate. The government must demonstrate to a court we feel that the data it seeks is relevant to a criminal investigation before monitoring when and with whom you communicate using e-mail, instant messaging, text, the telephone, anything. Finally, we think we need better protection against bulk data requests. We talked about the growing corpus of information online. We feel the government needs to demonstrate to a court that the information it seeks is needed for a criminal investigation before it can obtain data about an entire class of users. This is what we'd like to see with regard to the United States and reform of our own regulations.
>> RAPPORTEUR: Thank you. Thank you, Marc. I would like to see if there are any questions from the remote moderator, online participation from the remote moderator, please. No? (Silence) Are there any questions online?
>> MATT ZIMMERMAN: No, no questions online yet.
>> RAPPORTEUR: Okay. I would like to see if there's one from the law enforcement community or someone who would like to make a comment on the panel so far a question. Please, the lady on the end.
(Pause) The microphone, please, for the lady on the end.
>> Thank you. We are hearing all the time from the Civil Society that some ideas like go and rectify the laws -- it's fine?
>> RAPPORTEUR: It's fine.
>> We know when legislators want to make laws they have to understand the subject of the law, the situation, to be regulated. So what are technical people, what are technology people and Civil Society saying to legislators? Okay? We are all the time nagging and saying, oh, civil liberties are at risk, we are all the time controlled, we are tracked, why don't we tell legislators how to do, to get rules convenient to the new environment which is the Internet to the needs to protect national security and then to other needs to feel free and to feel that way all the time? I mean, we have to give them factual things.
>> RAPPORTEUR: I would like to give the floor to Wendy Seltzer from the technical community to give a brief intervention.
>> WENDY SELTZER: One of the things that technologists are often called upon to help with is to explain the possibilities and impossibilities and so sometimes there are difficult questions asked to which it's not possible to give a clean technological answer that says yes, if only you take these steps you will have the solution to all of your law enforcement problems or, on the other side, all of your civil liberties problems. These are messy issues. What we can do is to help to elucidate the challenges and some of the solutions that are better and worse for solving those problems. So we can note, for example, that because of the difference in jurisdiction and fluidity of data in the cloud, if people don't have protection in one place for the activities they want to engage in, they may simply go someplace else where their data will not be subject to the same retention and tracking rules and circumvent the kinds of protections that someone meant to put in place by imposing that surveillance.
So that a solid protective regime for people trying to store data online can be helpful to everyone who is trying to achieve a better relationship there. It's good for companies because they can sell a stronger product to their consumers. It's better for law enforcement because at least it keeps the activity jurisdiction rather than sending it elsewhere where they have even less control and it's better for those seeking privacy because it assures due process and transparency of the rules relating to information collection and its use.
>> RAPPORTEUR: Thank you, Wendy. Now we call on Bruce Schneier who is Chief Security Technology Officer of BT from the private sector, also from the United States.
>> BRUCE SCHNEIER: Hi, good morning. I want to make three quick points. One, it has been said many times that data is moving to the cloud. In general, the problem I think we're dealing with is that people are losing control over their computing. It's happening from two different dimensions. On the one hand, our data is moving to the cloud where the regulations are not the same as if the data was in our house. Perhaps held by a third party, perhaps held in a different country, perhaps across -- it crosses borders and there are a lot, these jurisdictional issues are very difficult and things we're wrestling with. The other end of this is that we're losing control of our end devices as well. I mean, I'm using an iPhone and I have much less control over what I can put on this device than I do my computer. I can't put an anti-virus, I can't even write a file erasure programme. Updates are largely opaque to me. And this is happening a lot, whether it's smartphones or tablets or e-book readers or gaming consoles or cameras. These devices are increasingly Internet-ready and increasingly opaque to the user. In both cases, there is a lot of issues of control and really of trust.
That we are trusting whoever makes either the end user devices or the in-cloud data stores to protect us by obeying the law, keeping the data within borders and there are technical solutions to these things. But it's not clear that the companies that build these devices really want them. There is a lot of value to keeping data unencrypted in a cloud provider, cloud provider wants to mine that data for advertising purposes and or for beneficial purposes for you. I think that is the big trend here that we're trying to fight. We're now moving to a level of sophistication in computing where things are moving out of our control but that has legal and jurisdictional implications. That's the first big trend. The second is that as we're learning, governments are discovering the Internet. We're using it for more and more of our socialization, of our business, commerce, more and more of our lives are moving onto the Internet so we're seeing a more government scrutiny. The question is why can't the technologists tell the lawmakers what to do? The problem is the lawmakers don't want to hear that. The lawmakers are seeing balances that they set 10 or 20 or 30 years ago being upset by this new technology. What they want is to move the old regime, whatever it was, into this new technology, which often is impossible, because it doesn't work the same. But that does not stop lawmakers from trying. Lawmakers are under pressure from two areas; from police forces, who want access to data for various reasons; and they're under pressure from industries. They want things to remain the same. In the United States and elsewhere we're seeing enormous fights by industries who make businesses on copyrights trying to force the Internet to be just like records and tapes and other physical objects. It's not working. So what we're seeing, I think, I mean, I see it in the U.S. 
and certainly elsewhere, is very heavy-handed Internet regulation that does not really take into account the subtleties of the Internet and I think that causes more problems than it solves. Last year in the United States we had a debate over an Internet kill switch. That debate takes many forms. I think of it as a big red button on Obama's desk. But however you think about it as a security engineer that's an utter disaster, but as a police force who wants to say, shut down the phone system, it's the same thing they had before. Convincing them it's difficult is hard. Those are what I think are the two megatrends that really affect this issue, and I'll stop there.
>> RAPPORTEUR: Thank you, Bruce. Now we have Sophie Kwasny from the Council of Europe. Thank you, Sophie, for coming to our meeting today.
>> SOPHIE KWASNY: Thank you. Sophie Kwasny. Yes, I work for the Council of Europe in charge of data protection but I work for a wider division which is the cybercrime and data protection division and I think that the fact that those two issues have been brought together recently in the Council of Europe is a good signal. We have heard that many of the issues discussed today infringe upon civil liberties, right to privacy in particular, so bringing them together at the Secretariat level, it's enabling us to really work closer together on those issues and so I'm very happy even with the data protection background to come and mention some of the issues raised by the cloud. So it was said there is a regulatory framework that's been there for years, been working, the problem with the cloud, cloudy jurisdiction, can be foggy, murky, the fact the boundaries we knew are more and more blurred. They are blurred on a number of levels.
First is that the law enforcement side access by law enforcement is shifting in some places to surveillance intelligence and traditionally if some of the safeguards we have been putting in place in the Council of Europe have been applicable to the law enforcement, it's true for intelligence side it's always a bit more difficult. So making a clear distinction between both is important and in practice it is more and more difficult. Another type of blurring is about the data. Those regulatory frameworks, they define the types of data that can be accessed. I will use the terminology of the Council of Europe which is the cybercrime convention terminology. We see that it can be accessed to traffic data but when you are accessing traffic data, are you solely accessing that or also content data? There again the frontier between those types of data is less clear than it used to be in the past. Is data at rest? Is it stored on a computer and can be accessed under a search and seizure or is it data in transmission which then should be covered by other types of mechanisms? We heard about the voluntary transmission of data. Indeed under the convention of cybercrime detecting access to publicly available data. This can be accessible with no further authorization. And when there is access control restrictions, lawful and voluntary consent must be obtained from someone with lawful authority to disclose data. It's this voluntary mechanism, the question being who is consenting to that? Who has this legal authority? Is it the cloud user? Is it the cloud provider? Finally, blurring of the form of cooperation. It's from formal to informal, from legality of framework to requests covered by infinite terms of service of the cloud providers. The last point is the blurring of frontiers that was mentioned before, jurisdiction questions. Which law applies? Which safeguard applies? And the notion of consent is also understood differently around the planet so how do we apply that?
Those are basically for me the issues at the moment. And if you allow, we'll tackle later the solutions that can be proposed. Thank you.
>> RAPPORTEUR: Thank you, Sophie. I would like to take four or five questions from the floor if there are any. One.
>> Good afternoon. I'm (inaudible) and I represent (inaudible). Good afternoon. I represent Internet Service Providers Association of India. I happen to sit on the executive council. I have a question for the panelists just to give a brief background. An Indian regulator has called for an approach paper on concerns about data and cloud computing. I'd like to hear from the panelists today on are there any best practices or guiding principles we as service providers should be giving input to the regulator on how best we should approach these concerns about cross-border data protection issue and jurisdiction issues? Is that something we could, as an approach to the government, suggest? Because the government is inviting service providers to come to the table and discuss all these issues. Thank you.
>> RAPPORTEUR: Another question. Just to clarify a little. We are going to the second part of the panel about solutions-driven and your question will feed perfectly into that. I will wait for the panelists to get to the second part before they answer to you. We wrote your question. Are there any other questions?
>> In order to be a little contentious, one of the things here we were talking about is changing of defaults. In the sense that if everyone is using SSL and PGP, then that significantly changes the default from the age of the telegraph, interception then was easier. So when only those people who wanted to encrypt would use code language in there, so how do we address this issue? Now, this is something that law enforcement agencies are actually quite concerned about.
It's not about whether a person can because they can always do that, they have always done that, but the issue of changing of defaults is a problem that, and so I would like to kind of reiterate what the lady from the back said. We are bringing up all kinds of issues with privacy but I think we have to provide good ideas about security as well, not for individual security but how law enforcement agencies should and could go about it which does not rely solely on the idea that judges can clear it because judges can be people who are not well-versed with the constitutions of the country, people who, you know, executive magistrates who were policemen in India can be counted as judges for these purposes as well. That can't be the single-point solution.
>> Just specifically on that, well, on the two points, I think, first of all, the rule of law is the best that we have and if you have problems in individual jurisdictions with the judiciary that's something that needs to be addressed within the judiciary and level which authorizations can be given. The encryption question is really interesting because this came up a lot in the UK bill because of course what the government would like to happen is Internet service providers intercept using deep-packet inspection equipment all traffic flowing to servers where the government does not effectively trust that that international provider will under the right circumstances provide some of this communications data, so the ISP themselves within the UK jurisdiction can provide and what happens if the traffic flow is encrypted? This comes back to the question from the lady from the back. This question caused enormous confusion to the government. They -- you would not expect MPs to read Bruce's wonderful book on 500 pages of cryptographic algorithms but the concept, it won't mean anything, seemed to be very hard to get over to the government in the UK.
But they finally got it and they came up with some extraordinary solutions like we'll record everything for six months and then if we're interested in the traffic we'll go back to the provider and get those cryptographic keys and decrypt it, which was remarkably impractical. We'll come back, as Katitza said, to better solutions but the debate has been as confused in the UK as India, I think.
>> RAPPORTEUR: Thank you. Any other questions? Please, the lady first, white lady, and then the lady in the back.
>> I have a question for Bruce Schneier. I want now to know how do you differ cloudcentric security from traditional and what character makes -- (indiscernible) -- in cloudcentric? What characters make security issue cloudcentric?
>> BRUCE SCHNEIER: The main difference between security on your desktop and security in the cloud is you don't often have access to the security controls. Especially as you move to cloud computing where you expect the cloud provider to do actual work for you. So if you are using Dropbox where you are just storing files, very simple cloud service, that's relatively easy for me to secure, encrypt files, move them. I don't care where Dropbox puts them, in what country, how they move them, they're not doing anything with that. Contrast that on the other end with something like Facebook. Facebook is only useful if that company has access to the actual data I post. They are in charge of who sees it, how it's used, how it's displayed. I have no ability to secure that data. I don't even know what operating system Facebook uses, let alone being able to audit their systems or mandate certain controls. So as we saw two weeks ago when they made a mistake and user data was visible to other users they may not want, we don't even understand what that mistake was. As the data moves out of your control, you have to trust the provider more. Even on your computer you have to trust your provider.
I have to trust the vendors, but I still have some amount of control. I have my anti-virus, networking environments. As data moves to the cloud, as my computation moves to the cloud, I have much less control. E-mail, I have on Google servers, I have less control over the e-mail I have on my own servers. I'm trusting Google will probably secure my mail, only respond to lawful orders, I have to trust that company. That's the main difference. I have less ability to have control and less visibility to what controls are in place and I have to trust more.
>> RAPPORTEUR: Marc and then Bertrand.
>> MARC CRANDALL: That raises a very interesting point regarding lack of control in regards of trust. We are at an interesting crossroads I should say in the development of cloud computing and the Internet people I think fully do trust some forms of online interaction, online banking, they trust that their bank account, their life savings, will be handled appropriately, for example, by the bank. And, for example, I have no problem believing that my life savings is represented by a number shown to me on the screen by my banking institution. I just happen to trust them. Why? Well maybe it's because we feel that they're a regulated entity. They have to be accountable to someone. Maybe it's psychological, something we've grown so used to over the years we just accept it. I remember the first time I deposited money using an ATM, deposited money and I really had a problem with that at the time. Now I'm used to it. So why do people trust putting or trust their life savings to online interactions with the bank but don't necessarily trust the disposition of their data to a cloud provider? What is the difference? What does the cloud provider have to do to earn that trust? That comes from anywhere from responding to third-party requests for your data that is being stored in the cloud, to security mechanisms to help prevent unauthorized access that is not due to rule of law.
Breachers, hackers, and the like. So we have an interesting gray area from the Google perspective because we do provide enterprise, we provide to businesses, many of whom have their own regulatory compliance obligations in their own industries. Sometimes they're in certain parts of the world that have very strict privacy requirements like Europe with the EU Data Protection Directive and they certainly have questions regarding law enforcement access, third-party access. What we do in that regard is try to provide as much control to the enterprise customers that are using cloud services as possible so we put it in their hands. We can't do it entirely of course but as much as we can. For example, in our situation for third-party requests for enterprise data, we want those requests to be handled by the customers themselves, not by Google. We don't want to be the compliance team for our customers. They will be in the best position to evaluate the process, determine what should be disclosed and what their options should be. When we can, we want to defer. In situations where it's not possible to notify affected customers, then, like all law-abiding customers that have to respond, we have an entire team of personnel dedicated to reviewing requests as appropriate to make sure they comply with not only the letter of the law but also the spirit of the law. If they don't, we have to fight it. So that's sort of the area we moved from with regards to consumer services like social networking to enterprise cloud services. The other thing I should mention is with regards to things like security. Providers often need to provide some sort of verification to enterprise cloud customers so it's one thing to say that we have great security. It's another thing to provide verification of that. Right? Because why should you believe us? Why should you just trust us? Because we're sitting here on a panel?
So in the enterprise space what we often do is hire third-party auditors to come in to evaluate statements to make sure they're true. We also do things like attain a security standard, for example, ISO 27001 to show at the very least auditors have come in to verify what we're doing actually attains some sort of security standard. There are ways to bridge the gaps between complete lack of visibility and lack of control to empowering the user to have control and feel confident that the data they store online is as secure as data they store with the bank.
>> RAPPORTEUR: Thank you. We are going to go to part two of the session. We will focus on how some of these problems can be addressed at the international level or national level by adoption of a set of principles and protections designed to meet the realities of online and specifically cloud services. The focus is on problem solution with the objective of providing concrete proposals for international- or national-level solutions. We will invite again Bertrand LaChapelle to just reply to one of the questions and make a statement.
>> BERTRAND LaCHAPELLE: Thank you, Katitza. As a matter of fact, in a previous professional life between 2006 and 2010, I was the French representative for Internet Governance issues in the French Foreign Affairs Ministry. As probably the only person on this panel -- unless I don't know the bios enough -- that has had connections with governments I want to make one point nonetheless. And that is that there is a flip side for all discussions we have here which is that all of you are citizens and are concerned that the appropriate measures be put in place to identify the relevant information regarding cases where you really need to act, and I don't want to make the list. We all know this is the case.
The big challenge is the challenge of balance, and the challenge we have established painfully between civil protection requirements and efficiency of law enforcement upon which we rely for some elements of security. This difficult balance that was achieved through sometimes fights in centuries in the traditional space is suddenly moving under our feet in the cyberspace. One of the reasons why is because if you think about the amount of data that is easily connected and easily analyzed, the thing that is at stake is that companies for completely other purposes are de facto, either implicitly or explicitly, collecting a huge amount of data, storage costs have plummeted and we discover every day new applications for things. If you are a responsible company you want to be careful but you also want to keep a lot of data because you may have a use for the historical track of the data and all this. The problem is if you think about the amount of data that is collected, take just geolocation on your phone, if you wanted in a pre-mobile phone era to have this data collected on the movements of let's say 65 million French people using a mobile phone you would have needed policemen to track on a daily basis and note on a little notepad where this person has gone and so on. This data would never have been accessible unless an explicit decision, were it to be made, to have someone to follow the movements of someone. The problem is that if you are a very well-meaning law enforcement agency, the existence of this trove of data is unbelievably telling because you know you can do a lot of good things with them. The problem is how to all make sure there is no abuse in the way it is used. So the challenge we have -- I love the fact that several of you are talking about words like "fuzzy," "blurred," "overlap"; the challenge we have is that the clear picture is more complex. It's multilayered, but also about shared responsibilities.
And one of the challenges that I have here is that the mental framework within which the law enforcement agencies are in charge of security, the Civil Society actors are just in charge of protecting civil liberties. The businesses are just in charge of making money out of their activities. It's not so simple anymore. The fact is that as was said before in certain cases, voluntarily or under pressure companies are being now instrumentalized as law enforcement arms. Some of it is really bad. Some is useful because data is useful for law enforcement. When Civil Society actors fight, legitimately for protection of the privacy of individuals, they are also in the responsible role of making sure that what can be done to protect the individuals by a proper exploitation of the data is being done. Which leads me to the final point. I love the expression "Digital due process." The thing is we need new frameworks for the cooperation of actors. We cannot only -- and this is part of the response to the first question that was asked, on a personal basis and as the lessons we drew from the Internet and jurisdiction programme, it is an illusion to believe that everything will be solved by drafting documents, laws, treaties, whatever. This is not what it is about because in many cases you have a question of speed. You have a question of procedures of what is the appropriate level. The comment that was made by (indiscernible) regarding the judges or the courts system, there is the problem he mentioned but there is a problem of speed. In many cases, obtaining a full court decision takes a long time. So we are confronted with a problem. In some cases we want to be able to have a very quick action that is respectful of due process. And, on the other hand, if we respect the due process by getting always to courts either the courts are not completely aware of all the elements that have to be taken into account or they will take a long time to make a decision.
So I personally would suggest as part of the process forward that one dimension that we are or have been talking about in this session is more or less how much can or should be accessed. There is an element which is what kind of procedures should be put in place, and here courts are important. But other mechanics of what we call here enhanced cooperation are necessary between actors, between governments, Civil Society, private sector. But the most important element is that the national level is not sufficient. Because in many cases the platforms, particularly for cloud, are cross-border. If we wait until each national legislation elaborates its own service and its own provisions, in many cases it will not solve the cases where you really need to have access to data. So I would encourage the solutions to move in the direction of what kind of frameworks can be developed for cloud-based services, either for storage or for social media, where the cooperation between platforms, certain number of responsible governments willing to take the way and Civil Society actors that would have the capacity to monitor, for instance, logged requests would move forward. And this kind of framework for collaboration will actually be the topic of the workshop we have Thursday. But what is very important is we need to explore the range of tools, from complete court-mandated decisions in specific cases to very automated access with third-party control of the logging of the different actors. And within that you can have all modes of interfaces with the different actors. And I would like to throw something into the discussion, the notion of procedural interfaces. Platforms have procedures to implement their terms of service. The governments, law enforcement, and data protection authorities have their own procedures. But most of them are not sufficiently documented, they are not sufficiently transparent and they are not interoperable.
We need to work on that traceability of all those requests.
>> Let me make three brief points. I agree absolutely responding to the lady's question from the start that surveillance policy-making needs to be much more multistakeholder. That's how you get the technological understanding Wendy was talking about, about the human rights input, input from privacy regulators who have to come in at the end to clear up a mess rather than contribute to the debate at the start. And technologists try very hard to explain these issues to policymakers, but often the voices of intelligence are very strong within government, politicians all from the left and right like to appear tough on crime, a favorite Tony Blair phrase, and I think that you absolutely need continued, meaningful, and strong oversight from the judiciary and from legislators. I'm not quite as comfortable as Bertrand about automating and examining, thinking transparency and multi-stakeholder auditing can go very far. Well, I would go much towards one end of the range. I think the U.S. has a number of things right on surveillance policy, one of which is Congress has much greater oversight of what the U.S. intelligence agencies do than almost any other nation, certainly compared to the UK. That is something legislators should look at. Secondly, on jurisdiction, I co-authored a report for the Global Network Initiative called "Digital Freedoms." One of the things we recommended in there was that when companies like Google, Facebook, RIM, are asked for voluntary or less voluntary cooperation by governments, and governments outside their main markets and certainly headquarters in the U.S., that by and large the route for law enforcement agencies in other countries should be through multilateral treaties, not by putting pressure. Google and Facebook do not want to be in the position of making judicial decisions. That's not their expertise.
And the Council of Europe Cybercrime Convention is one framework that would meet some of those tests. I know some people are here, it's been strongly criticized and in some places it doesn't go far enough on human rights protections, but that could be worked on. That's an example of the framework that could deal with this much better than these voluntary data disclosures. Finally, on the more technological side, very interesting discussion between Bruce and Wendy and Mark about what causes people, users, to trust the systems or not trust. Absolutely --
(Internet lost in conference room, captioner standing by)
>> Hi. My name is Rutz, I'm from law enforcement. My question is for industry representatives here. My thing is about being visible and transparency. Do you have any regarding the crimes which the suspect is accused of?
>> Classification is important and some are really important because we are trying to investigate them and if they that's going to be the case they will probably fly away. What's your opinion?
>> RAPPORTEUR: To Marc, if someone else wants to reply from the panel, yes.
>> MARC CRANDALL: Small tidbit of information -- by the way, thank you for the comment regarding law enforcement interaction -- before Google, many, many years ago, I was F.B.I. actually so I know the law enforcement concerns and I know the angle. But I also know after many other years how important it is to protect user information. Law enforcement does not necessarily provide what providers would otherwise want or maybe they don't want with regards to the basis for these legal requests. We may not know what these requests are, law enforcement may not want to share it with us. Furthermore, it is not necessarily within the provider's purview to make their own judgment call whether they should interact with law enforcement.
If we are in the jurisdiction, that is subject to rule of law, then there should already be potentially some sort of review as to whether or not this is bad legal process. So we can't be the judge of whether or not process is accurate and that's assuming the law enforcement wants to share that data with us. But if law enforcement conducts themselves within the law and pursuant to guidelines outlined by the legislators, then it's much easier for providers to enact -- from the policy perspective, continuing to engage regulators regarding clarity in law enforcement processes, is very, very important, parity between online and offline and from a practical perspective where users need to develop trust, they should review what information is available regarding transparency so they can make their own risk assessment. Google's own transparency report is publicly available. We list how many requests we get from every country, what percentage we comply with. This is good information but we do that in a broad way so we don't jeopardize any specific investigation because we have to strike a balance.
>> RAPPORTEUR: Bruce, we can have you next.
>> BRUCE SCHNEIER: I think I want to answer the question in the back. A lot of metaphors are out of date. Friends are not what they were 100 years ago, a lot of the words we're using for these new things are old words but they're different. And that's a fundamental problem with communicating what we're doing to non-technologists. A waste basket on the computer is not a waste basket. It's a different thing. To speak to this person, I believe this is a pretty optimistic panel. Security people sound more pessimistic than they are because we deal in exceptions and the bad guys and bad actors. I feel very optimistic and that you're right, moving to the cloud is beneficial in security for most people. My mother is much more secure because her data is on Gmail than her computer. She can't lose it. I don't have to rescue it. It's wonderful.
For a lot of people that's true. That is why the cloud is so compelling. Everyone loves it when they lose their phone they get a new phone, push button and their contacts reappear by magic! We really like that. So don't take what we're talking about as overall pessimism. We are looking at the edges but the reason these things are happening is because they are so beneficial.
>> RAPPORTEUR: We are going to give one minute to each participant for a closing but one minute, please, because we have already run out of time.
>> I think I have used my minute.
>> BERTRAND LaCHAPELLE: I love the distinction Ian made between law enforcement and intelligence and surveillance. These two are different categories. He uses the word data minimization. He's absolutely right regarding data that platforms collect voluntarily from the users. But you cannot have that with the amount of personal data that users are putting on social network platforms which basically explain everything they have done from what they ate at breakfast and the rest. We are not talking about the same type of data. One is privacy and the other I call intimacy data. Finally, the lesson that we get from this environment is that we should try to move away mentally from the sharp distinctions of frontiers that separate jurisdiction A and B. You need not only have between different governments and agencies but also different operators and using in that regard a set of tools, one interesting trend I see is companies are beginning to hire law enforcement, former law enforcement officials, and Civil Society activists, actually, I think governments should consider more hiring people who have a previous corporate experience and Civil Society actors which is actually happening and it is a very good thing. Then there's a better understanding.
>> Just 10 seconds. I agree with almost everything Bertrand said.
I think that on the information users post about themselves, of course, there's only so far you can go with protecting privacy. You can't be too paternalistic.
>> I want to thank you for the comment about not being a negative or harmful thing in the cloud and perhaps as a takeaway, as critics, we should always try to be very positive because they create a much more -- a dialogue you can work with. Instead of Civil Society constantly critiquing the government, instead, have a positive critique on how we can all work together to create better solutions. So thank you for that.
>> MARC CRANDALL: I'll forgo my statement. I have said enough.
>> I'll say one more sentence. An important lesson is any laws and regulations need to be technologically invariant. The more we do that, the better we fare. If we do deal-specific technologies, they fail as soon as technologies change but these are fundamentally human interactions. If you focus on the human interaction, it doesn't matter how it happens or where it happens. Just a better way to look at this.
>> I think we would also be closer to bridging the gap between these difficulties. I'm just promoting convention on data protection and cybercrime convention.
>> The principles that we have are technologically invariant and the laws we adopt to meet them of due process and transparency and minimization should also similarly be broadly written and then applied as specific to the technology.
>> RAPPORTEUR: Thank you, everyone. I'm sorry, but we have run out of time. Thank you, everyone, for coming.
(Applause)
(Session concluded)