Privacy, Surveillance, and the Cloud: One Year Later

3 September 2014 - A Workshop on Other in Istanbul, Turkey

Also available in:
Full Session Transcript

***
    The following is the output of the real‑time captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors.  It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***
    
    >> MARC C.:  What has been the policy in all this time?  What has the business world done to address these concerns?  And what has worked and what hasn't? 
    We'll address how these measures have adopted Cloud adoption and explore potential solutions for addressing multistakeholder concerns in the post revelation era.
    I would like to ask the panelists to introduce themselves.
    Sarah, could you start.
    >> SARAH W.:  We've reacted to Civil Society and companies pushing for reform there.  We will talk about the broader reactions around the world.
    >> MARC C:  That actually is a very good segue.  Thanks very much for the overview.  
    Bertrand, I know you have been working on the global reaction and the revelations, and what would you say in relation to that work the impact has been to the various actors, not only the U.S. Government, the reaction of Governments globally, and all the reactions of providers, and even the user?  How has the landscape evolved?
    >> BERTRAND de LA CHAPELLE:  Thanks, Marc. 
    The project is sort of watchtower of what kind of reactions have been.  The actors were actually reacting to the environment of the revelations, the huge amount of uproar, but the element that emceed most important in the lessons that were drawn was the difficulty of the parliamentary oversights of the surveillance activities.  There are many reasons for that that I will not belabor, but that was one elements that behind the noise is worthy of noting, because it is a huge challenge.  Whenever you have an oversight that is behind closed doors, it is making it extremely difficult to be efficient.  That is the first element.
    The second thing I would notice is that surprisingly enough citizens and society groups that have been pushing a lot one would have thought the community in the UN would have gotten together to define some forms.  And interestingly enough, there were efforts that can be necessary and proportionate.  I know we talk about it, initiatives by groups of private companies, the debate has taken a level full visibility and has never before, and a fundamental optimist, at least, we had to get result that those issues were absolutely out of the picture.
    The other thing that was very strongly revealed by those elements was the notion that if you apply territorial criteria, you can have a situation of full extract extension and applicability of the National Sovereignty of a break in all the things that have been revealed that were particularly visible or possible because of the difficulty you find in criteria of what are applicable laws to use only certain criteria because, in most cases, the users, the server, the companies that ‑‑ and this is an ongoing criteria, without getting into so much detail, if you think a little bit about it, it has two problems.  First, technically it is a little bit hard to implement.  And we can get into a few more details, because it's tangled issues, but the second thing is what I call in another comment, something that is not scalable, is if you multiply it in every country in this way, you get to observe.  You think, okay, the data about citizens should be in multilayer, and if you multiply this by all numbers, I don't even want to apply that.  So this is a type of approach that was probably a spontaneous reaction. 
    As was noted last year, it was certainly not reducing the amounts of surveillance, and probably enhance it, because it will duplicate.  And the interesting case that we studied is the evolution and the disposition, for instance, in Brazil, and the mark of Brazil when you know there were provisions for that organisation that been shifted to provisions for access to the Brazilian citizens, irrespective of the location.  Not that that is a perfect solution, but it's interesting to see how the debate is shifting.  And there is this big case in the U.S. at the moment with Microsoft regarding access to that in Europe.  This issue of the criteria of access to that is going to be a huge debate.
    >> MARC C.:  Thank you very much for your comments.  You touched upon government reactions, particularly in Brazil, with regards to legislation just in the past recently.  I'm also curious about touching upon industry reaction.  How have providers in the private sector responded in the last several months? 
    I was wondering, Sarah, whether you could provide some comments with regards to that?  
    >> SARAH W.:  Following the advance that Kevin outlined, I think it was a recognition across the industry that the balance in many countries had tipped too far in favor of the state and, in a way, from individual rights.  And the way that we structure this was to set out a group of principles.  So it wasn't intended to be descriptive, because we wanted it to have global application, but it was meant to go through and highlight the areas where we felt there was a real need to address issues, because the bottom line is that people won't use technology that they don't trust, where the Government tried to do that. 
    And the next principle was the need for improved oversight.  And what we're talking about here is having processes in each Country to create checks and balances.  And I think this revelation has really shone a light on an area where there was new information out.  So many companies publicly and explicitly state in what propensity what information can you provide, and break it up into detail.  This is something that we would encourage Governments to do.  There should be transparencies. 
    And, then, the fourth principle was around free flow of information.  And this Bertrand touched on, force data location, in his comments.  There is a real concern that the knee jerk reaction to these revelations was going to be a series of countries requiring infrastructure with the national boundaries in order for them to do this, and for us the idea of surrounding the Cloud or having to create infrastructure for every ‑‑ across 192 countries is empathetical to the way the networks works.  Even on a logistical level in terms of how you structure data, it is not related on an international basis.  It is not like we have the Commonwealth section of the data.  So I think there was a real sense in that responding with trying to ground would have various consequences and actually would address the issues that had been brought to light.
    Then the fifth principle was around avoiding conflicts between Governance.  And essentially that's talking about reforming the inlet process and the need to have a functional system whereby Governance can get information.  I think the sense is that this is an area where reform improvement is long overdue, and it's natural that conflicts arise between Governments, but there needs to be a way to resolve those in a framework to resolve those that is understood.  So essentially I don't want to ‑‑ those were the principles laid out by the companies. 
    We're continuing to advocate on these five principles, and we're also continuing to listen, and part of the reason we're here is to get more ideas about what we're doing in light of the questions.  
    >> MARC C.:  Thanks very much, Sarah, for your comments.  I'm also curious about other Government reaction we might see in other parts of the world. 
    Izumi, can you talk about what the reaction has been and age specific.  
    >> IZUMI AIZU:  Thank you.  Sorry for the guys that don't have the chairs.
    There was a very, very middle reaction in Japan in some parts of the Eastern Asia.  I checked with Wikipedia, and there are certain sections devoted to each reaction.  In Japan, Mr. Suto, the cabinet Secretary, said it is a U.S. domestic issue and it should be handled within the U.S.  For  Japan, U.S. Diplomacy, our secret should be kept well.  They are not too strong, also specifically for this case.  Maybe the general take is, our privacy will not directly invade that.  I don't have that much secret to the U.S. Government, so why do you care.  Or, well, what we can do anyway. 
    From the Cold War days we were all aware, or many of us were aware that U.S. has been doing all intelligence activities of wiretapping anything.  There were at least two or three facilities in Japan with huge intercepting of any communication from Russia or China, or wherever and we are decoding all.  So, to some degree, from the 50's list.  For me, for example, it wouldn't be a surprise if the U.S. agencies are not tapping the domain.  I am saying that they should do that, but that is kind of the old guy's cliche.
    Also, in Japan there is something called Secrecy of Communication ‑‑ it is literally translated like that ‑‑ at our Constitution, which was established after the war ‑‑ or the Second World War.  That is a reflection of why Japan started, or engaging in such a bad war.  And one take is that before the War and the Regime, there was no guarantee of privacy or anything, or censorship, that would make people fear that you have no free speech and stuff, so that, under the guidance of the United States Government and Army, I think they're occupying Japan, that some guys, most Japanese‑Americans, came up with the idea that, you know, not to repeat the same mistakes.  Let's just keep the highest standard.
    So our Minister of Communication is usually very much demanding the ISPs and others to respect all the secrecy, meaning the substance of the communication as a holy thing; however, it is getting more compromised these days.  They started wiring tapping and they're tightening up there, but general direction is that ‑‑ at least within Japan ‑‑ we don't have much sense of fear.
    I just spoke briefly with the Korean friend from the NGO and there were very little reactions, as well.  We agree that we are not a big five countries allowing to the U.S.  Very similar under the International Politics.  We need U.S. power to sort of a general norm.  It's very difficult to go against that and keep quiet.  And Korea, the same way, but also at the same time Koreans have more problems with their national agencies using the SNS smart media or Twitters and FACEBOOK to influence the presidential campaign in favor of their party candidate.  So that is the public region and the world mortality at the same time. 
    Thank you.  
    >> MARC C.:  Thank you, Izumi.  What is the situation in the developing continents?  What has been the reaction with these other countries that we may not be hearing?
    Let me start saying something about MLat, where they can exchange data based on if there has been an event of crime and investigated prosecuting.  What I think is very good to see they move, at least in the U.S., of trying to modernize its MLat.  One of the greatest grouses you'll find from Developing Countries, you may have a bilateral treatise, treaty.  We can't get the data.  You don't get responses.  The MLat response is broken, et cetera, et cetera.  Let's localize data.  Let's force Google, Facebook to localize data.  I think it helps knowing that at least in the U.S., and I hope the other five continents, also sort of adopt this and start modernizing and approve their MLat process.  I want to say there is an aspect there in countries.
    What reaction?  There is a lot of different countries that have had different reaction but, generally speaking, it's disappointing to know, just like Izumi's response, being useful and positive in a sense that there would be a reaction to surveillance, looking deeper inside and saying what are we doing as a Country.  Should we ask questions of our own intelligence agencies or others.  And funnily enough, what I found in most bases, it was the politicians in certain Developing Countries that got more concerned with things like this than the Intelligence Services.  Apparently they control most of it and said the reports come to them.  So if they're sort of wiretapping each other, how am I not getting reports from my intelligence, or what else can I do.  It was a very odd reaction.  I would have thought it was Intelligence Agency that would want to be pushing for it.  This was remarkable.  The surveillance coming from ‑‑ you would expect the intelligence guys to pitch for this, but it was really strange.
    And the characterization of the U.S. was ha, ha, ha, they screwed up.  Silly to have a law.  Silly to have a court look at this.  Thank you, God, we don't have these problems.  We don't have to get a warrant.  What you mean, a warrant?  This is not a criminal justice.  This is intelligence.  Thank God we don't have a law.  There is many countries out there.  Do you have an intelligence legislation?  The answer is no, no, no, we don't want one, because what we are doing is illegal as it is, and we don't want a law on that.  Nobody is calling them out on it.  Nobody locally is calling them out on it.  Human rights, the reaction a lot of times in these is, well, it's a bad Country, we expect this of them.  That is disappointing, because there was an opportunity, maybe to push the envelope.  So, fine, it happened in the states, it happened in Europe, and in many countries.  We're not seeing that happening in certain places.  I would like to see it happen, for instance, not really happening.
    Two options.  One is let's respond to this by promulgating legislation, which is repressive.  Let's do this.  Let's try and take criminal justice warrants and intelligence warrants and put that in one law and have everything under one judge and be secret process.  No one is going to know what is happening.  They are supposed to have a right to respond or appeal, but the natural question is:  If they don't know what is happening, how would someone appeal?  
    So you're seeing this repressive legislation or policy implementing saying, let's take everything that comes into X Country.  This is sometimes government owned in cross‑border getting licenses on other big names and saying, let's talk to the other Country and say, I think it's in our mutual interest, international coordination and cooperation on this, which is remarkable.  Let's see if we can ‑‑ all your data that is flowing through your Country and see if we can centralize it and hand it over to one provider, because it's great.  Because you are now not going to have operational costs.  You can fire a whole bunch of folks.  Your profits go up because of that.  And if it is telecom, termination of calls coming from outside, guess what?  We can jack up rates by 800%.  The Country makes foreign exchange through that very attractive.  And some countries have implemented this.  And even business sometimes have said oh, yeah, let's sign off.  Some of them were even businesses in Europe who had licenses in those countries.
    Again, I'm not taking names.  If anybody wants to know, take it off line.  So either let's have a law or let's set up these systems through policy.  If it is written, it is there.  This is what we're going to do, or not have a law, and continue doing what we're doing
    Then you have international cooperation through certain vendors.  I won't take the name, but there is a certain handset who is not doing really well these days.  They went to a Country and said, here's a box.  Anything that flows through this box you can decrypt.  Welcome.  Cellular devices.  So we're not seeing something positive come out of this, unfortunately, in those areas.
    I am disappointed, because what I would like to see is locally in those countries some discussion on this, just like you're seeing discussions in the state, and Europe have that, and also the international calling out of these activities.  Why is this activity not being called out?  No one cares, which I think is not helpful.
    I want to sort of end with a ‑‑ I know we're going to continue the discussion.  Everybody knows that YouTube is block ‑‑ standard is blocked, and the measures that were adopted were part of blocking part of the National Security Legislation and a whole bunch of different things.  It fits in to be able to control us with these measures that I talked about earlier.
    You may have seen the television and seen the protesters right outside the Prime Minister house and Supreme Court.  What happened was the Government had a particular channel that used to basically project its own views.  They didn't own it, but they had good coordination with this particular channel.  Because of the division within the Country between the government and others, that particular channel was taken off the air on cable operators.  Suddenly the government which had blocked YouTube found that one of its cable channels wasn't able to broadcast at a time like this when they really needed to get the Government's story out, but they couldn't.  So guess what you had to do?  You had to build a VPN through YouTube and try to get the Government's message, because you wanted both sides of the story.  The Government was, like, oh, my God.  I don't think it realizes it yet, but a lot of people were bypassing the Government's policies to get to this information which would have been helpful to the Government.
    Anyway.  Strange things are happening there. 
    Thank you.  
    >> MARC C.:  There is one other question I wanted to ask with regards to the EU specific reaction.  I know that for a number of years there has been the EU data retention act, and I was wondering if someone on the panel would like to discuss what that is and how these revelations have affected the debate.
    >> BERTRAND de LA CHAPELLE:  As a matter of fact, I think the debate has evolved in many respects regarding privacy in Europe.  The first thing when we talk about that, our attention, we need to understand that the situation has changed significantly in terms of the types of service that have provided the data.  When we were talking about that, particularly the framework that you mentioned, it used to be about mobile operators.  Mainly we were dealing with voice and, so, basically you had very limited amount of information.  So fundamentally our attention is any kind of requirement form operators to keep the data about the communications, particularly metadata, who this person has called at what time during which duration beyond the period that the operator itself has any commercial interest in keeping it, and that's where the whole debate comes from, because the operator, when it is just for voice, the faster they can get rid of the data, the better.
    So before police, criminal investigations, et cetera, the requirement to keep more data was a big battle about which duration, what amount of data, what conditions for access, et cetera.  What I want to highlight is the debate is shifting now regarding the privy regime, because the platforms that we use ‑‑ and that goes actually for the mobile operators themselves who are more and more the gateway to the Internet and have much more data than they can collect, including geo location, which is an extremely important piece of data.  The content that we put on the platforms is content that we want them to keep for a long time. 
    I was joking the other day that in the future people will have their FACEBOOK timeline running on LCD screens on their Tom Stocks so they will have their whole life as a business.  Get started there, but they will ‑‑ we want our data to be there.  I'm using Gmail.  I want my data and my mail from five years, ten years to be in there.  Complete different situation from what it was when the mobile phone operators were starting the data much faster.  
    So this is what has changed the landscape in terms of surveillance, because they use often the expression the treasure trove.  People in the law enforcement or in the surveillance are seeing this huge amount of data that, indeed, may be useful for criminal investigations, but the framework for accessing it can be completely inappropriate today.  So I think the debate about our attention ‑‑ I must confess that I have not followed in precise detail the most recent evolution, but what is clear is that the debate on the evolution of the regime for that affection in Europe is strongly reactivated by this revelation, and I would say that in a certain way it's a good thing.  Especially if it highlights the difficulty to use geographical criteria to determine the conditions of access to data.  So it's opening up the debate, in a way, and I think one of the ways is that the debate has to be broader than it was.  The discussion about that protection regulation in Europe has been too limited to a small group of actors for a certain period, and it is now being opened more broadly.  
    >> MARC C.:  Actually, that leads to the question about positive developments. 
    I was wondering, Sarah, you spoke a little bit about the principals.  Do you think that we have had something positive coming out of this entire episode?  
    >> SARAH W.:  I think it is a meaningful forum, and I think it is interesting how quickly a lot of these issues on the acceptance side, and the acceptance that the issue has not active debate around how do we get a function in one room.  How do we make sure that this process server, and more discussion like that, continue.
    I think it the positive that articulated reform and people coming from simple society, from industry, some from government really grappling with these issues, but in terms of concrete things we point to, has an interest in this situation.  
    >> MARC C.:  In addition to the policy debate which has been prompted by this, many of us in Civil Society have been trying to have this debate for many, many years, and documents finally put it ‑‑ made it impossible to ignore and has prompted a large legislative fight in the U.S.  
    There are two particular good outcomes here that I want to point to.  One is the utter explosion of transparency reporting as a best practice in the ICT field, at least in the U.S., but starting to present internationally.  You now have ‑‑ there were a handful of companies reporting before, and now you have dozens of companies, large and small, in and out of the U.S. Internet and Telco, that are pushing for the Government to publish more about national security request.
    In the U.S. you have the government itself reporting more in terms of numbers about how much surveillance it does, how many people are affected.  We have some problems with the way they're reporting those numbers, but it's still more than was ever before.
    The other really positive outcome that I see is the concern about NSA surveillance has finally put the focus on encryption as an important part of the infrastructure.  It has prompted Internet companies, also large and small, to begin deploying encryption in a way they haven't before.  Encryption between their website and the user.  Encryption between mail service.  Encryption between their data sensors, particularly in the response to the NSA hacking Yahoo and Google.  So I think that this kind of focus on hardening the Internet ecosystem as a result of the USA scandal protects all of us, whether it is the NSA or other intelligence communities or criminals, or whatever, and is a wonderful, wonderful result.  And it is about time, but better late than never.  
    >> MARC C.:  Thanks. 
    Kevin.  
    >> KEVIN B.:  One more thing on that front.  The IGF itself has declared that pervasive monitoring is a technical attack that should be mitigated, so we're even seeing this taken up as a top concern by the technical community and not just the companies.  
    >> MARC C.:  So what do you think in the development? 
    >> IZUMI AIZU:  I want to say something about ‑‑ it's interesting, there is no distinction between metadata and content data and it's just data.  We surveyed.  Metadata is data.  In fact, frankly, call logs and other high speed traffic data is considered easy to get.  What is the problem?  It is just a log.  Why is that a problem?  Because they don't necessarily have data protection concept or rules in their Country.  That distinction doesn't really exist.  It becomes default. 
    For this Country, where this will be a problem, and there is the judgment that has come out, I think ‑‑ I won't go into details of where there may be some interpretation of that principle.  Maybe it has accepted a proportionality.  But, regardless, it has had a huge impact on many countries where retention is now out, especially Europe and some other countries.  The problem that arises, that still there is going to be surveillance in some form, so if you can't retain it, how do you do it?  So the fix is that you do more interception.  That may mean that there will be more interception requests starting in such volume that technically they're not retention, but you're getting there.  So there is that discussion.  So I think one of the good things is, at least, there is now a debate because of this debate in the U.S.  Maybe this debate could be moved forward to Developing Countries saying, don't you think you guys should have a distinction in how your Country and your legislation can bring metadata and traffic data and things like that.  
    It is also a very positive thing, the MLat form that is taking base in some countries.  I know the U.S. is doing this, and we hope to hear more tomorrow and the day after in some of the panels what that reform will mean, but I hope other countries other than the U.S. are also thinking about doing that, because otherwise there will be such a push from Developing Countries wanting to get stuff, and if they can't get it, they will just go around.  
    The other thing that I think is useful is, the best practice that is developing here is a lot of criticism of how the U.S. does things, how Europe does certain things, oh, there is a court, there is judicial supervision.  It is not perfect, but it could be improved.  But at least there is that structure. 
    Giving those ideas to the rest of the world is very valuable.  Any time any legislation sits there and thinks about their own legislation, they should be able to say why don't they do it like we do it.  Why are we giving them an authorization that is carte blanche.  So sharing those best practices and the transparency of what the U.S. and how it is doing will maybe push that envelope in many countries who may now be thinking about, or hopefully there will be some push to bring in some reform.  
    There has been, I think ‑‑ this is my view and, again, I think you'll find there will be greater trust in the U.S., to some extent, of developing and why.  If you're a repressive Country, and if I have data and I know my Government's accessing that data and doing it in a certain form, what am I going to do?  The first thing I'm going to do is try to VPN everything to my drop box, and I want to encrypt it.  And where am I going to house it?  I'm not going to house it in my service in my Country, or any Country like mine, I'm going to look at the West, or countries where there is better protection, now that I know U.S. has better safeguards, or is going to have better safeguards.  Maybe Canada is a location.  Maybe other countries that I feel things are going to be safer, so maybe that is a positive.  Maybe that is what marketing is starting to look at.  Hopefully that will come. 
    I've noticed that we haven't seen equals delete their Facebook accounts or their Gmail accounts.  In fact, most, if you ask them, when I'm doing training for law enforcement, are you in the Cloud?  Do you use Cloud services?  No one raises their hand.  Do you use Yahoo?  Yes, I do.  Microsoft 365?  Yes, I do.  Use it on an iPAD?  And suddenly you realize that that's Cloud.  It is not data that you got on your device.  So I think ‑‑ you know, I haven't really seen a huge fallout of people walking away, so that is a good thing, but with the improvements, hopefully, that we've seen, I think, I hope, that that is going to lead to better care.  
    >> MARC C.:  Bertrand, what do you think of how the rules are changing moving forward?
    >> BERTRAND de LA CHAPELLE:  One of the elements, almost provocatively for those of you that have followed the different international processes, particularly the net media conference, we need to remember that indirectly the net media conference was triggered.  It raised the bar of visibility, and the end result was actually a set of principles that might not be perfect, but we've been talking about principles for ages in the IGF.  A lot of work has been preparing this, and it has been categorized, so in a certain way the existence of principles, the incredibly increased weight about privacy in the global level and about surveillance, that was even for most years in the past or something that we're not debated, this has been a form of progress.  That being said, we're confronted with an environment where even if the desire were growing ‑‑ sarah was improving the MLats system, and it's great.  The mutual system is that it's mostly bilateral in countries.  There are some multilateral.  They vary tremendously from Country to Country. 
    The U.S. has a lot of treaties, but they don't contain the same kind of closeness with one Country and the other.  They do not exist among all countries.  They're on mostly criminal issues and corporations, and they have one component, which is dual incrimination.  So you need to have something that is criminal on one side and on the other side, which means that in most of the cases when there is a problem with tension between one Country and an operator or platform that is located in the U.S., the low in the Country does not conform with the low in the West clearly to the issue of speech and expression, therefore, the MLats are out of the picture.  They are not a tool that can be used on legal issues when it is not a dual incrimination.  Of course, a cybercrime convention has tried to harmonize a little bit, in substance.  It is not universal.  It is putting in the legislations in a number of countries, but we need to agree and understand that harmonization of substance is not going to be achieved in the foreseeable future.  Particularly on issues that are related to freedom expression.
    So the big challenge that we're confronted with, and we have to find novelty ways to try, is if we cannot do harmonization on substance, harmonization on what is zero expression, what is legal activities and so on, we need at least to develop frameworks for harmonization on procedures so that the highest level of due process can be put in place.
    So when we talk about surveillance, I was mentioning in the beginning that the main challenge for me is the question of oversight, and whether the commentary oversight is a question of process.
    The second element was that it shows the impact of extraterritorial extension of sovereignty.  This question of extra territorial extension of Sovereignty is now immerging in the environment of the Internet because we're in an environment of legal between the different countries and trying to re‑territorialize trying to use the expression.  Trying to legislate themselves out of the problem by ‑‑ they don't know how to apply their national law or how to enforce their national laws.  As I said, I'm making a new law to enforce my national law and apply it to as many people outside my Country as I can, and it is making the problem even harder to solve, because we're getting into other measures.  So I think both on the surveillance ‑‑ and I would agree with what Zach said, somehow the back practices are becoming a benchmark for practices in other countries.  That is the kind of back and forth situations in the environment.  
But I think both on the surveillance and on the interactions between countries, particularly on law enforcement with platforms and so many other issues, the notion of due process is an essential element.  How are the users involved and aware of what is happening?  How do they have the capacity to express and contradict themselves in a contradictory procedure?  How can they get redress?  That sort of focusing on developing transboundary or transnational due process mechanisms is a very large issue that spends a lot of ways trying to do it on issues related to the main issue. 
    There are many other issues.  I wanted to insert this expression in the process, because it's a threat that we could probably use in many discussions.  
    >> MARC C.:  Just, very quickly.  I want to say also this raises the issue of Sovereignty, but at least what it does is solve that problem when you talk to Developed Countries and they say, we don't get anything, and that's why we're going to do this.  So at least if you can solve a part of the problem, you're moving towards some sort of a discussion, and that's one thing.  
    To the extent that there is lack of due criminality between two countries, well, guess what?  That is actually a good thing for both parties.  This will be the argument I'd use if you're going to start reaching the Sovereignty of each other thinking that my law should override yours, the others can do that, too.  That would be the argument.  So to that extent it's a good thing that there isn't ‑‑ I don't think you're going to get harmonization.  To that extent, you need something where you need to accept the fact that different countries are going to be different, and I don't really think we can come up with a solution for every problem.  So at least what you can try to fix, we should try to do that.  What you cannot try to, work at it.  So your project, I think, is great in that respect. 
    Thank you.
    >> BERTRAND de LA CHAPELLE:  The only thing I wanted to highlight is that most of the international architecture is based on the fundamental principle which separation of Sovereignty is we tend to forget legal is placed on the separation.  What we're dealing with is shared transborder spaces, and this legal competition is bringing conflicts of laws, and the way we exercise the Government exercises Sovereignty in shared spaces is not the clear cut, my Sovereignty, my law, your law.  There is not a usual thin line that says my border, your border.  It's how to combine the different legislation and how to ensure the coexistence in norms on shared online spaces.  
    >> MARC C.:  This has been a great discussion.  We only have four minutes left for questions, but I think we should at least try to take some questions. 
    So, to be fair to the remote participants, I think I'm going to take a remote question first, and then we're going to take a question from the room. 
    And, Khaled Koubaa.
    >>KHALED K.:  Together against cybercrime.  So her question is that she would like to have our opinion about the role of the organisation and the feed of data protection regulation and also how to support national governments in the process protection of data of citizens. 
    Thank you.
    >> BERTRAND de LA CHAPELLE:  I'm not sure I am the best person to answer this.  There are people from multi‑lateral organisations in the room.  It is just the prompt if they want to take the floor.  
    >> MARC C.:  Does anyone want to answer that question who is on the floor?  
    >> AUDIENCE:  Thank you very much.  Thank you for the question. 
    So with the European level and the European convention on human rights, our court is currently examining a pending case that deals precisely with the question big brother watch, so we're expecting that.  And in terms of standard setting, there is also a lot that we are doing.  We have a declaration on digital tracking that was adopted, we have our data protection convention, and we have our reassembly working on that to trying to couple all those actions together.  
    >> MARC C.:  I think, Izumi, there was also something happening in Japan.
    >> IZUMI AIZU:  It is multistakeholder.  The transit about that, I don't want to go into details, but in Japan there are certain movements to boast the protection with a new independent commission, but they're clearly stating multistakeholder as a draft report of the policy government, as well as for the domain name or the CLB.  Again, multistakeholder processes are really proposed to change the status quo as more transparency to harmonize with the convention. 
    I heard also similar attempts are now being underway in Korea.  So there are some intended consequences to share.  
    >> MARC C.:  Thank you, Izumi. 
    All right.  We have a question in the back with the striped shirt gentleman.  Do we have a ‑‑ maybe the nearest microphone.
    >>AUDIENCE:  Hi.  So I work as a journalist reviewing state secrets, and you are the most depressing group of people I've ever heard talk about this topic.  It's seriously cynical and fatalistic, so I want to try to give you some hope. 
    Give me a wish list of what you want to see exposed and then I'll make it happen as much as possible and we will fuck them up.  
    >>BERTRAND D:  Beep.  Okay.  Thank you.  I would like to go first.  
    Of all the questions ‑‑ that was me saying beep, not Marc. 
    From the developing world, we need your support within Civil Society, other Governments, et cetera, to make this a top line agenda within your bilateral discussions with our countries.  We need you to take action within multi‑lateral organizations like the ITU, where parties who come to that are the ones who are doing this in those countries, and nobody is even making a beep about it.  Not a beep, but a beef about, it at all.  So that's the second arena something can be done.
    The third is, I know you want to bash the U.S. Government and the UK Government and others, but at some point you need to start also turning your guns to the rest.  Because if you don't do that, you reward the bad actors and you penalize the better actors.  Not the good actors, but the better actors.  So please see things in context and in perspective.  It doesn't help us otherwise.  Those are the three main things.  If you can make that happen, I will be a very happy man next year.  
    >> MARC C.:  All right, everybody. 
    Comment, Kevin.  
    >> KEVIN B.:  First off, hi Jake. 
    I wanted to say what I think I said was fairly hopeful, and I'm more hopeful on this issue than I've ever been because of the information leading to so many actions.  My one wish is that more journalists had access to the cash stowed in documents so we can have more reporting faster.
    >> IZUMI AIZU:  I will ask you which jurisdiction are you in?  What is your culture background?  
    >> AUDIENCE:  The Internet.
    >> IZUMI AIZU:  Where you are from?  Which passport do you have?  
    >> AUDIENCE:  I have a few.  
    >> IZUMI AIZU:  All the different culture backgrounds and ideas known and stuff, what is depressing to you may not be depressing to me, and we need to recognize all the diversity in IGF.  I don't like that imposing one cultural value to others.  Not that helpful. 
    Thank you.  
    >> MARC C.:  All right.  Well, with that said, I think this is a fantastic forum, and I'm glad we're able to have this discussion.  The spicier the better, frankly.  We are three minutes over time. 
    All right. Bertrand, you can have the last word, and then we have to go.  
    >> BERTRAND de LA CHAPELLE:  I have in many cases, mostly on the fact that we have been talking about surveillance in many countries do not have any framework at all, because the less framework it is, the more easier it is to go around.  I think this should be transposed in many other aspects. 
    There is a fundamental principle in humans rights that any limitation to exercise rights should be based on law, or at least some kind of key frame, and I think that it would tremendously help the work I'm doing, so please go on.  Any pressure that says things that relate to freedom of expression and privacy and things like that regarding the Internet should have, at minimum, at the national level a legal basis, something that clearly describes what are the criteria at the national level for this, the decision making would be a tremendous help, and that's just my suggestion.  
    >> MARC C.:  Before I forget, I'm sorry, I have one second here.
    And link overseas development and IP ‑‑ you know, there is a Section one‑way process in the U.S.  Every Country around the world gets scared of Section one‑way process on IP.  Start something like that.  It will work.  
    All right, everybody.  We're going to have to adjourn.  We're four minutes over.  Thank you very much for attending and for a great session.