IGF 2019 - Border crossing
Last week in Berlin, the 14th annual meeting of the United Nations Internet Governance Forum was held. The IGF’s goal is to bring people together to discuss public policy issues relating to the Internet. However, there is no negotiated outcome at the IGF; it serves only as a place for policy-makers to discuss, exchange information and share good practices.
As mentioned in a previous post, the ICANN 66 meeting was very much focused on "DNS abuse". Unsurprisingly, this topic was also the subject of several sessions at the 2019 IGF, and again DNS matters were conflated with content ones. This hugely problematic conflation stems from the fact that an accreditation agreement is required to act as a domain name registrar. However, no such requirement exists for hosting service providers.
The sole international regulation applicable to all hosting providers pertains to the IP addresses they use to make their hosting infrastructures reachable via the Internet.
IP addresses are allocated by five regional internet registries to local internet registries within their specific geographical regions. Those local internet registries, in turn, make those IP addresses available to their customers.
While most local internet registries are Internet service providers, not all of them are equal in terms of resources under their control. As opposed to the ICANN registrar accreditation agreement, which sets specific financial, technical and operational criteria to become accredited, the requirements to become a local internet registry aren't that stringent. Anyone, even an individual, can become a member of a regional internet registry and be allocated one or more IP addresses. Furthermore, the handling of abuse by regional internet registries is quite limited when it exists at all.
This vacuum at the global level has led to the shift of perceived responsibility from hosting services providers to domain name registrars. Interestingly, most countries have laws pertaining to hosting providers and even a specific liability regime in place, but the majority have nothing specific regarding domain name registrars.
Due to the global nature of ICANN, stakeholders and governments are trying to use this organisation to put into place international policies they are otherwise apparently unable to pass as treaties. Although instating such policies is legitimate and can only be efficient if done at the international level, the DNS clearly isn't the proper place to do so.
Ironically, an equivalent number of sessions were directly dealing with the sovereignty loss that states are facing due to the global nature of the Internet.
To briefly - or sarcastically - summarise it: on the one hand, governments are unable to conclude treaties at state level and prefer pressuring private organisations into passing policies in their stead. On the other hand, they are lamenting their loss of sovereignty over the online world.
GDPR and friends
One of the accelerants for this hard push on abuse handling is undoubtedly the passing of data privacy regulations around the world. The European Union initiated it, but many other countries are passing their own data privacy acts, and while the benefits of protecting the privacy of individuals cannot be denied, it also regrettably renders abuse investigations harder to carry out. Here too, the vacuum created by a lack of international legislation is being filled by private initiatives (under the pressure of governments). In the case of ICANN and its - late - efforts to comply with data privacy laws, a unified access model to redacted domain name data is being devised by the community.
This effort should lead to the creation of a single entry point system where interested parties will be able to request and access domain registration data which has been removed from public databases.
Again, this does not seem to be the adequate venue to deal with such an issue, as ICANN cannot impose a policy that contravenes local laws, especially considering that ICANN's mechanism to evidence that a policy is in breach of a local law is somewhat shaky, as the means to evidence such a breach requires a conviction.
Governments, with the assistance of data protection agencies, should be at the helm of such an initiative.
This is not to say that governments are not trying to adopt international rules to facilitate their law enforcement agencies' work. Several initiatives are, in fact, at work.
Maybe the most (in)famous one is the United States CLOUD Act. This law was passed in March 2018 by the U.S. Congress just before the Supreme Court ruled on the so-called "Microsoft warrant case". The Supreme Court was asked to answer the following question: does a U.S. warrant reach content that is accessed and controlled by a U.S.-based company, but stored on a data server located outside the United States?
This act is twofold.
First, it makes it clear that U.S.-based operators have to comply with U.S. warrants no matter the location or the nationality of the owner of the content targeted by a U.S. warrant.
Second, it is supposed to improve and accelerate cooperation between the U.S. and foreign law enforcement agencies. To accomplish this, it authorises U.S.-based providers to disclose data pertaining to individuals who are neither U.S. citizens nor U.S. residents to law enforcement agencies of a country that has entered into a data sharing agreement with the U.S. under the framework of the CLOUD Act.
In the absence of such an agreement, foreign law enforcement agencies have to rely on mutual legal assistance (MLA) treaties. According to experts on the IGF panels, the average time for an MLA request to complete is 10 months, which is indeed way too long a delay.
As of the writing of this post, only the United Kingdom has entered into a data sharing agreement with the United States of America.
The European Union is also negotiating the terms of a similar agreement, but it refuses to consider these negotiations as being conducted under the framework of the CLOUD Act, while the U.S. government does.
The E.U. has yet to finalise its E-Evidence package, which will set forth its own internal rules on cross-border e-evidence. It is, however, already negotiating both the execution of a data sharing agreement with the U.S. and its adhesion to the Second Additional Protocol to the "Budapest Convention" on Cybercrime with the Council of Europe.
The Budapest Convention is an international standard on Cybercrime which was ratified by 64 nations, but Russia and China are not amongst them.
At the beginning of the month, a Russian-led resolution - sponsored by China, North Korea, Iran, Nicaragua, Venezuela and Syria, among others - was passed to create an "Open Ended Working Group" to examine Cybercrime. Without delving into the obvious issues behind this initiative, it is essential to notice that a similar division already took place in 2012 at the telecommunications level, when the member states of the I.T.U. were unable to agree to a common position, which created a schism with human rights recognition at its core.
The main risk which most governments are trying to avoid is the balkanization of the Internet. This exercise is highly perilous, considering the governments' antinomic will to impose their sovereignty online while keeping the Internet a unique cross-border network.
Russia already passed a law which mandates the creation of a sovereign internet for Russia, which could be activated to disconnect the country from the global Internet when required. Iran also announced that it was working on creating a cyber-defence shield to create a halal internet.
Although "splinternet" is a bad buzzword, it nonetheless alerts the public about the real risks of countries deciding to live in online autarky. This being said, history shows that self-sufficiency is not a viable model and that sooner or later, trade necessities will take over. But at what cost?
Effectiveness of the IGF
Contrary to the ICANN meetings, where stakeholder representatives are trying to push their agenda via the adoption of policies, at the IGF the same representatives are mostly making bold - and sometimes outrageous - statements to shock the attendees and convey their messages.
The use of this "persuasive" technique was pretty obvious when the head of the cybercrime division of the Council of Europe claimed that only 1% of cybercrimes are being reported to law enforcement and that only 0.1% are solved. Knowing that most online crime will involve the use of a payment method and that all payment providers and/or banking establishments require that a police report be filed to take action, the above percentages do not seem quite realistic.
Another such example was when an INTA executive claimed that there is a direct link between human trafficking, child abuse and brand counterfeiting… While we will not disagree that brand infringement needs to be tackled and solutions need to be found, such statements will not help to have a reasonable dialogue.
There is no denying that ICANN is slow to take action due to its consensus policy functioning, but it is at least moving forward. IGF, on the other hand, feels more like a venue for very theoretical and unrelated discussions with no pragmatic solutions.