Protecting the Consumer in an on-line world

15 September 2010 - A Workshop on Privacy in Vilnius, Lithuania

Also available in:
Full Session Transcript

Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

>> LIESYL FRANZ:  Good morning, everyone.  I'm Liesyl Franz.  It's a pleasure to be here and welcome you to the Workshop 112.  We have a lot of distinguished panel with us today.  We have asked each of them to make brief opening remarks before we open it to a much more, robust discussion to our audience today.
I want to give a brief opening, how to deal with online security such as social networking, cloud computing, online gaming and what are the balances between security, privacy and openness online.  This workshop is one of the feeder sessions that will provide input into security and openness and privacy main session tomorrow.  So we will be taking good note of the discussion here today to feed that into the discussion here tomorrow as well. 
The question that you would pose to the panelists today is what are your observations about the challenges for keeping the users safe online given the dynamic that we have today and I hope that will spur some observation from you as well.  Once we have a chance to discuss your observations as well, and we'll see if there's any other observations to make.
To my immediate left is Mr. Alun Michael, a Member of Parliament in the UK; to his left is Ms. Pilar del Castillo, a member of Parliament in Spain; to her left is Ms. Alexa Raad, CEO of .ORG; to her left is a Board Member of Communications Commission, Ministry of Information in Communication in Kenya, Ms. Alice Munyua.  
Thank you very much.  I left out details, and I hope you will    they're very distinguished and I look forward to hearing from them today.
As you can see, we have lots of acoustic challenges, so I ask the panelists to speak into the microphone, so, Alun, please get us started.

>> ALUN MICHAEL:  Thank you very much.  The first question, I suppose, is when we're talking about protecting users and safety for users, whose job is it?  And the simple answer, it's a job for all of us.  We really do need leadership for industry from the space, but there needs to be accountability too.  That is a job that involves attention and challenge.
At the Parliament we had Internet day in the UK at Parliament last year, we had participation from a group of young people brought together with chart net, there's a group today here with us that I'm delighted to see.  They were asked to summarize the workshop discussion and one of them did so in one sentence.  He said what we want is to be able to go online and go anywhere we want to go without any interference or technician in school getting any way and do so safely.
Now, is that    I don't think that summarizes the problem?  Often we have a discussion with one set of people concerned about ease of access, speed of connections and all of those things and another set of people concerned about safety and privacy.  Actually, you can't discuss them as two separate issues, they have to be brought together.  So we have to be realistic, practical, and build in the way we balance those considerations and they have to be built in at the design stage by industry, whether that's in terms of software or physical arrangements or connectivity or whatever it is.
I think time's running out for that approach.  I would say that time is running out for industry.  Let me put it this way.  Until a couple years ago, nobody took any interest at all in the governance of banks.  All of a sudden everybody wants to be involved in the governance of banks.  National governments are regulating as if there's no tomorrow.  Legislation is being brought in.
There's a problem with that because legislation doesn't always work.  Laws rarely prevent what they forbid.  We can't leave it to government and industry alone.  We can't prevent legislation which can rarely keep up with the world.  We need what the IGF is designed to provide and industry to keep up with it.  In other words, we need processes of collaboration, what is what the IGF is all about, not just in these annual events, but as an ongoing activity to tackle the big issues of security occur and of nuisance and do so in the sense of balancing the interest of safety and ease of access and use.
There will always be attention between privacy and openness, that's reality, and that's what the voice of young people were saying to us because that was going through youngsters through whom the existence of the Internet is as natural and as day to day a matter as air and water is for those of us who are a little bit older and have been around a bit longer than the Internet has to be.
So that makes it very important as I hope we will see in this session for the voices of young people to be heard in these discussions. 

>> PILAR del CASTILLO:  Thank you, very much, good morning.  Thank you very much for inviting me as a panelist.  I thank the Italian government for the facility for organizing this meeting.  I want to follow a little different.  I want to make observation in the programme here and finally I want to raise a couple of specific question related to this substance.  We can be sure the information and communication technologies are aspects of our lives.  Our city is instinctively linked with this academy and open and inclusive of society.
However, in order for us as a citizen or as consumers to truly participate in this new environment, we will need the trust and security.  If there is not sufficient confidence, we will simply refrain from directing and entering in those transactions.  I have to say that happen every day with many users that really doesn't    that have the confidence, enough confident in the    in this new context.  In order to create the environment that will allow us to reap the full potential of the Internet.  Those other actions that should be taken, consumer should be aware of the    the perm behavior.  It's not only rules and action, it's personal behavior extremely important in that sense.
And it should be afforded, I have to say, direct to report the personal data, even when the data was initially collected we are pushing with the European citizen and consumer right in the department.
In addition, we must also continue to fight against Cybercrime.  It is not only an ongoing task which we have to develop with consumers, we will also need to act globally and that's equally important and throughout multistakeholder approach.  In order to acted globally, we will need to enhance international incorporation.  And the task that sounds simple, though appealing, is not so easy a task.
For example, in Europe alone, almost half the European Union states have not yet ratified European convention.  For example, if we want to be efficient in the fight against Internet, we need to fight multiuser approach.  In order    every actor in the industry, the public sector or user must also use that.  The industry, indeed, is already taking steps to promote security assurance, prevent security breaches and deliver more secure companies.  As companies output security in production of problems and accept all of this new priority is establishment of the assurance for excellence.  Likewise, industry development will help consumers to identify security problems and safe online services.
So, let me now to go to a couple of questions related to the important subject that is we're discussing.  The first one will go like this.  Security in this area could be improved through government mandates, that's normal thinking and premise.  But such measures will also come innovation and reduced competition and consumer choice.  How can we get the right balance?  That will be the question.
And secondly, what is the right technology in this challenge?  How can government best support industry to develop new technology in this dimension?  One, I have one question that will arise later, but just let me finish with this too.  Thank you very much. 

>> Alexa? 

>> ALEXA RAAD:  Thank you to my panelists for setting me up.  I would like to talk about some of the challenges of online security, because in order for us to solve a problem, we need to understand what the challenges are that we need to face.
So as a registry representative, I have somewhat interesting perspective.  Number one, I think the definition of online user safety, we need to be very clear.  Some definitions are from a technical and DNS level and some definitions are actually political and content based.  So when we're talking about online user safety, what exactly are we talking about?
Number two, there are different rules and regulations governing each of the actors in that space.  Essentially, you have an international medium, you know, that is intangible, however, our interactions on this medium, the Internet, invoke multiple stakeholder and companies within the value chain and each of the companies are subject to a different set of rules and regulations.  Either they are national, local and very rarely are they international.
So you have a mismatch of an international medium with a number of different local and national flavors.
And to make this even more confusing, you can have an organisation in the U.S. that has servers in the Caribbean that does online gambles.  You've got ISVs, registries, registrars, application providers like Microsoft and Google, you have folks like Symantec and McAfees, that provides servers and end users, each and every one of us are in some way directly or indirectly providing service.
However, the one we actually process the data is very different.  So some of the data, for example, let's say a credit card, the registry will not have the credit card information, the registrar will.  If I know information about a fraudulent credit card two weeks later, is that as value if I knew it the second it was used?
We can't exchange data because each of us use different format.  Some of it is batch process, some of it is automated, so these are very, very practical considerations.  Another consideration is in the traditional model we've all been living under, we sort of offered as Fiefdoms and we try to protect our own backyard.  
However, we live in the neighborhood of the Internet.  If a thief is in the backyard of my neighbor, traditionally we've been focused on our own.  And now there's a greater sense that if there are bad actors on the Internet, that simply protecting your own is only delaying the inevitable.  Eventually they're going to get better.  You're not going to learn from what worked and they're going to come to yours.
So having said that of the challenges, I want to put out something.  I'm not always questioning long held assumptions, by questioning long held assumptions, we make progress.  One long held assumption, there is a zero sum game between privacy and security, that they're mutually exclusive.  If you have security you give up privacy, if you have privacy you give up security.  I don't think that needs to be the case.  I think you can have both, and the key is by innovative use of technology.
I do think there is a mutually exclusive relationship between privacy and openness, and privacy and openness, I think, has a lot to do with more values and content based information as opposed to the technical issues that    that pushing button task and so forth.
And lastly, I want to say    I'm glad to hear that    the regulators are telling us that they would rather not regulate.  As an industry participant, I think the time has come that we take responsibility above and beyond our own backyard.  In some cases, this is done out of necessity to ward of regulation, but ultimately I think it is the right thing to do to take responsibility and no longer shut it off.
There are organisations that have done this and are actually actively questioning these assumptions and showing data.  A level organisations is Symantec and Nominet belong to and it's called RIS, and the focus of that organisation is to be a lot more    share data about potential attacks like phishing and malware, mitigating means the damages occur and you want to fix it.
Preemptive means you're now being able to predict stuff before it happens.  By the way I see    SIDN is also a member, very early member of that organisation, and so that organisation is actually starting to work on a prototype and if these kinds of things continue, I think the industry can be in a position to go into the regulators and see we need relief, we're trying to do the right thing.  We're trying to be responsible.  These are the challenges that we face.  We can fix the technology, but these are the challenges we face.  We can then regulators fix the    these are cross national and we're not dealing with 15 different jurisdictions.

>> LIESYL FRANZ:  Alice?

>> ALICE MUNYUA:  I'm glad to hear somebody from industry talking about the different approaches to just dealing with the study in Kenya, looking specifically at one specific stakeholder group, and these are women.  Just looking at how Cybercrime affects women differently.  In Kenya, it's a study we're conducting together with different take holders and looking from an industry perspective within the context of the East African government forum.
Just looking at the legal, the various legal provisions, the five East African countries and realizing that while there are laws that are beginning to deal with Cybercrime, for example, in protection of users, they seem to be focusing so much against looking at protecting governments, protecting    again, protecting against Cybercrime against property and also beginning very active, discourse and activities around child protection, but then we fail, there's one marginalized group, when we brought this to Kenya and realise women suffer different with Cybercrime.
When we began the study and found out for example the regulatory authority within the auspices of the East African communications commissions, my colleagues who chair that is going to speak a little bit more about that, we realise there's a lot of efforts from the regulatory perspective to look at how to approach Cybercrime but not release Cybercrime against the person and government    against property and government but not against the person.
Some of the provisions regulatory but not consideration and technological provisions or, perhaps, you know, the role of industry or, rather, also regulating or encouraging    particularly ISVs.  When you speak to ISVs, most of them say increase complaints around protecting users, protecting children, protecting women online, but most of them come back and say don't use social networks which is not a solution in itself because it just increases the additional divide.  So it's actually quite a challenge and we believe that it    there's a need for a multiuse approach to it.
So it's not just about creating conducive legal and regulatory environment and provisions, but also social provisions as well as psychological provisions and also the technological provisions that I think must go hand in hand with innovation.
I give an example.  An example is very, you know, famous mobile transfer of money.  And while we have not really had any very significant cases of Cybercrime, it was mobile service providers and innovators of that initiatives have been careful working with law enforcement offices, we can see an increase of African citizens getting access to that service, we're going to have to deal with how we protect business transactions online.  For access, you know, most of it is through mobile.  One of the things the government has decided to do is registration in terms of being able to track    in a way there's a question of privacy, protection of users in terms of how is the data being collected going to be used, but we're looking specifically in terms of protected eCommerce transactions just about to be used beyond MPASSA, domain names transaction in that way, beginning to shop, pay for bills, huge amounts of money called M cash, where mobile service is literally providing banking services for M bank communities.  So it's very important for us to begin to think about what kind of provisions from a technological perspective, legal and policy perspective how that is going to work out.
And then, also, the intersection of the various regulatory because you have banking regulation and policy, and on the other end the communication policy.  So speaking from a regulatory perspective, it's actually been quite a challenge bringing the two together or seating together and beginning to address the issues from the various perspectives.
Another challenge for us has been to do with content, so not so much about eCommerce related transactions, but content protection and the realm of concentrated relation.  We had our incidences publicized in 2008, post election conflict where mobile phone and SMSs were used to pass on hate messages that were quite frightening.  The government has taken that seriously again because that translated to continuation of that.  And now we are having problems with SIM    mobile phones are being used for kidnappings and other criminal incidences.
I believe that by registering SIM cards and ensuring we have all the users on one end, we're able to track activities on that.  I think there's much more that can be done, you know, from other    from technological and social perspective, rather than just from a policy and regulatory perspective.  I'll stop here and I have quite a number of my colleague from both    from the various stakeholder groups who will speak from these issues

>> LIESYL FRANZ:  Thank you very much, everyone.  I think you laid out some interesting points for discussion, raised your own questions for the group to discuss, and touched upon, you know, many, many aspects, what is the role of government industry and the user themselves and what are the synergies and balances and challenges between security, privacy and openness.
We've touched on many aspects in the opening remarks that I think we can build on for the remainder of time.  With that, I guess we'll open it to discussion.  There is one microphone in the middle of the room, and I have the other one, so I'll be roaming as well if there is questions from our remote participants, we welcome that as well.
So please do identify yourself and ask a question. 

>> AUDIENCE MEMBER:  The perspective, some of the challenges as Cybercrime as I like my colleague, Alice Munyua, some of the challenges are getting on the Web, you get on Facebook and ask for information, they give privacy like we use.  Other challenges are based on policies, legal frame works, literal frame works like dealing with issues of Cybercrime.  Law enforcement and so forth.
And in particular, we literally have bandwidth, increased bandwidth in terms of cable, digital networks within the countries and increased speed of data become a ground for cyber attacks.  We really have to deal with Cybercrime issues like in most developing countries.  Some initiatives which we have dealt with within the East Africa country is come up with initiatives of establishing response team.  We should be able to deal with Cybercrime at the national and regional level and operate at a national level at a technical level and also be able to incorporate various levels, law enforcement, service providers, government entities and any other people using all the uses of the Internet.
And as I speak now, in Kenya, Uganda, we're in the process of deploying response teams.  It's never too late so we will be able to have to be able to get statistics, to it's clear we don't have statistics to show kind of attacks which we've experienced in our countries, but we believe we need to put in place emergency response teams to be able to get specific statistics and now how successfully we're dealing with this and deal with other national and regional emergency response teams across the world.
Again, I guess we need to look at increased awareness on some particular issues.  Some of the users do not appreciate or do not know how exposed we are on the Internet.  Our issues are critical so the user can be able to appreciate and be able to know when you get an e mail about phishing, you give them information because you maybe    you get an e mail saying you won a lottery or something like that, so it's really a challenge especially in some of the country where most of the population are in rural areas.
Issues of privacy, coming of privacy of cyber security, how you deal with privacy issues and trying to deal with cyber security issue.  Again, legal frame works need to be put in place in various countries, but here in African region to be able to know how do we measure, how do we come to balance when we deal with cyber security issues.
Best practices again, continuous sharing with other developing countries, how are they getting to some of these areas and help developing countries and be able to deal with this and managing challenge on Internet usage.  Thank you very much. 

>> LIESYL FRANZ:  Congratulations on your effort to build a CERT.  Alexa? 

>> ALEXA RAAD:  I would like to build on the term, I've heard Internet security, cyber security, I would like to put on the table a model to take a look.  I think of this is a three stack model.
At the bottom of the stack there are issues that have to do with technical, DNS issues.  Phishing, malware, configure, DWSA attacks, overall everybody would agree there are    one would lead to another.  A phishing attack could lead to malware attack.  Across difference nations and culture and values, we can agree these are egregious crimes are the Internet.
The next level are things that some might argue are cyber security, but in my mind that's more of a value judgment, which is intellectual property.
So for example a particular hotel chain could be used in a phishing attack, but if IP rights of that user are now abused.  If it was used as a phishing, it should be considered phishing.  It's a security issue and ought to be dealt with separately.  I've seen it come in the process and try to deal with security mission and it's simply muddies the waters and does no one any good.  The third issue is a political issue and values judgment and that, I think, is the very slippery slope, which is some governments may consider registering a name or putting up a site that criticizes that government a security issue.
We've seen that governments blocking sites like Twitter or Facebook where journalism can happen and they can disable and identify the IP address of the registrant?  Unsavory ways which in some cases have led to the death of whoever registered that name.
This is not only a cyber security issue as the government claims or is that more of a values judgment and something that    if we're trying to deal with international cooperation because different properties have different value systems.  Trying to force that cyber security on an international medium where multiple users have very difference understanding and, perhaps, values of speech and censorship.  I personally am speaking for myself, I think that is a misuse of the Internet and the fact that it is open.
So if we want to actually solve the problem, let's define it first and get things that are most easily addressable are the ones that have to do with the technical issues, the issues like IP infringement and things like censorship or political issues don't belong in that stack and can be dealt with separately.

>> LIESYL FRANZ:  That's an interesting way to cross out certainly the discussions we have here because those kinds of issues    the values that you mention range across the global.  I think we ale hear more about that tomorrow as well.  Alun, you want to add to that?

>> ALUN MICHAEL:  Yes.  I want to respond.  I think it's an interesting way of dividing up the issue.  I agree about the need for clarity, however, I don't think you can do it and dismiss elements as not being part of the discussions we need to have.
We can probably agree about the technical issues and need for clarity there.  When it comes to value judgments, yes that gets more difficult.  It makes it more important we get into talking ant it and seeing where it's possible to draw lines, which include in some cases people choosing at a national or at an individual level how they're going to deal with them.
One of the things that concern me when we're talking a lot about Internet related crime, I'll use that as a administer general phrase rather than the specific terminology, was that people concerned about intellectual property were not part of the discussion.  They took a very clear view that they needed something legislative and that was the approach needed.
You need people concerned about Internet property and the issues of theft around that to be part of the discussion because otherwise you're not getting serious.  And now when you come to the political and establish Internet values, that's where some important issues need to be tackled.  For instance, in the UK we've taken a strong line on sites that portray child abuse, it's abuse of real children involved in the activity and there's a lot of money involved in it for the rather nasty people involved in it.  And we've successfully gone up to 98.5 of the    the definition's quite difficult, of protection against access to abuse sites and taking down of sites.
Now, that is a value judgment.  There was some discussion early on, is that interfering with people's rights?  Well, obviously, no, there's no right to abuse children or portray that activity, but it is a value judgment.  That is a value judgment.  You have to get into those.  Once you get past issues like child abuse where there's general agreement and consensus and there's technical issues being dealt with there, you get into the administer more difficult judgment, so I would say your analysis is very useful.  The more difficult judgments of the third of those levels, the third of those levels that's the place where doing less is probably the best thing and being focused on where things need to be done, but we need to develop a consensus as far as what is something that's ought to be dealt with by if wider Internet community and what should be left on one site.
That's where the difficult and interesting people decisions and philosophical decisions have to be made.  It's not enough to deal with technical, because that's easy    it's not easy, but you know what I mean?

>> SUE DALEY:  Yeah, Sue Daley from Symantec, honoured to be here and be in this discussion.  We all can agree.  The online threat and environment which we're facing is increasingly complex and sophisticated and dangerous place for us all to be in.  Last year alone Symantec saw over 2,900,000 pieces of malware code alone in a year.  We are seeing increasing threats out there which we need to be responding to.
I would agree with the sentiments of the panel.  I hope I am summarizing them, we all have a responsibility to address these issues and there's not one person or one organisation that can address these.  We all have to work together, so I think there's clearly a role for industry and governments, law enforcement, as well as the individual to know how to protect themselves and address online security issues.
What I think is key to remember is that we just talked about technology and technological issues, the three key elements of addressing online security issues, clearly there's a role for technology and technology must continue to adapt and there's self regulation and as the only threat environment evolves we must value that.  We need to look at legal issues and have a regulatory and legal framework which can adapt and address legal issues we might have such as cross border issues.
There's people issue and we have to get the people issue as well, that's awareness and education.  It's making sure people are aware of threats and finding ways to, perhaps, inform people about online threats in a way they'll understand.  We're talking to difference audiences.  Might be children, older people, it might be people who have a technological know how.  A lot of people aren't technology savvy.  We    the audiences out there need to be reflective of what we're talking to.
It's getting skills and education is a critical part as well, so those three together is a    if I can say, is the strategy of three elements of strategy needed to address Internet security issues as we go forward in this discussion.  Thank you.  Leisure go ahead. 

>> PILAR del CASTILLO:  I think and share with you the definition, definitions, but we have to take care, not to consider the Internet community as a batting apart from the world because the values are the same values and then, for example, taking specific aspect with the child abuse.  I mean, with condemn the child abuse on the Internet.  In those they are not condemned after they're committed.
We are to take care and not create two roles because it's the same world when we really share specific values that we will have the specific mention of treatment in Internet. 

>> ALEXA RAAD:  That's one of the major challenges from the policy perspective, when you saw fraud, committed online, is that, you know, should we have two sets of laws, one that looks at, you know, online fraud    I mean that's one of the challenges we find.  

>> ALICE MUNYUA:  Are we supposed to have two sets of laws, one dealing specifically with cyber fraud and one that deals with physical fraud or should it be, you know, the same or similar but the approach is different?  Thanks. 

>> LIESYL FRANZ:  Thank you.  Now a question from the gentleman over here and the lady here and the gentleman in the front and a couple more up there.  Go on. 

>> ANDREW CUSHEN:  Good morning, everyone.  My name is Andrew Cushen.  I'm one of the investors this year.  I work with Vodafone, my comments    perhaps, I have a contribution.
I would like to state by saying that it's vexes me a little bit when I hear a discussion of solving these problems or reaching some end game where there is no Cybercrime.  From a practical and realistic end point you have to know that the Internet affects our society.  If you stand back and think we'll be able to fully make the Internet immune from such things, then we are setting ourselves up for a goal that we will ultimately fall against.
That's try when you think of the nature of the Internet and technology that the world will always lend itself to creative solutions through positive and negative solutions.  It will continue to whack a mole in order to stomp out crime.
The other thing I noticed is that regulation seems to be very imperfect remedy to all this stuff, to me.  The Internet by its very nature is international    do we have the processes that allow us to regulate that in a manner that it can adapt its regulatory approach to some issues?
I'm skeptical as to whether or not the regulatory approach can add anything of real value to this, particularly when we start reflecting on the nature of some of these things done.
Instead, and this is leading to some sort of question, I wonder whether you as panelists can see the best we can hope for is force some education of consumers and users of Internet, versus participation from private sector and competitive dynamic that creates.  For example, my Internet browser will popup messages for me    if I use the right browser or for example different online shopping sites will go trusted representations and ISPs will protect their consumers online, could that be sufficient to this problem?  Could we adjust the market forces that exist and the Internet step up and solve that problem, or do we need to look at regulation or government led approach that is could tend to being too static, too piecemeal in terms of their approach and not international in the in terms of solving this problem?  So thank you. 

>> LIESYL FRANZ:  Would anyone like to address that    those comments?  Alun? 

>> ALUN MICHAEL:  Yes.  You said society hasn't eradicated crime?  No.  We learn that things that didn't work in attacking crime in the offline world, if you like, ain't going to work in the online world.  So what do we learn?
We learn that an approach of policing chasing after criminals doesn't solve crime.  You chase and fill your prisons and it didn't    actually, a partnership approach to chasing crimes stops it.  I've learned it in my city.  That should be in the online world, which is capable like no previous society, if you like, of an analysis of what's happening an identification of where the problems are and the work towards a consensus and partnership, that should be the way to go.
Now, that can't just be left to governments because that gets a legislative regulatory approach.  As I said at the beginning, laws rarely reflect what they forbid.  It's so important there's several parliamentarians here from several countries.  Young people breathe the Internet like we do air and water.
One quick example, the programme with communications is that they're so fast, you can attack so many targets at once.  We had a big scam in the UK using mobile phones and we realised the level of penalty that we were imposing was just inappropriate for the type of massively organized scam.  We had to change the nature of that very quickly, but we also changed the requirements of delay on money being transferred out of the country, which allowed the speedy response in a timely way.  We just had to change the nature of the solution, but it was changing the nature of it to a preventive rather than chasing after the crime approach, and that's what I'm arguing for because that means business, the people developing, pushing at the boundaries all the time need to be a part of the solution and you cannot    I hope it wasn't what you meant, just depend on leaving it to the users, the public, the victims or the potential victims to protect themselves.
That doesn't work. 

>> LIESYL FRANZ:  Anybody else?  Yes, Alexa?

>> ALEXA RAAD:  A good rule of thumb is crooks are often smarter and faster than you.  Second, technology catches up, but the regulation often comes in two to three years after trying to solve a problem that has now morphed and users are ultimately the last.  And just to illustrate this point, this is what I would consider a relatively Internet savvy folks.  How many of you have actually clicked, okay, continue when a site pops up with a certificate that's expired?
So even though you know as a user, you still    you still take the chance?  And so it    so I think to echo your point, I think it's not an issue of just leaving it to technology or just having a massive user education campaign, but it is about having multiple governments, so they're regulating us and regulation can help provide relief and provide some collaboration.
As an example, one thing that actually helped quite a bit was ICANN provided contractual relief to us so we could move faster.  That was a great move on ICANN's part because our existing contracts with ICANN would have prevented us from being able to move very fast.

>> LIESYL FRANZ:  Thank you. 

>> KARLENE FRANCIS:  Good morning, every, I'm Karlene Francis from Organisation of Eastern Caribbean States.  I like the approach of protecting consumers.  I'm particularly interested if public education.  Based on my experience when we passed the eTransaction in Parliament in Jamaica, were mandated by both sides of the house to conduct public education campaign.  It was particularly expensive for the government, they had to find all the funds.
So the question I want to ask the panelists and in particular persons from industry here in the audience, is what are industry players doing in terms of public education?  Are you working with if governments and the country to make sure consumers understand the tricks that exist?

>> LIESYL FRANZ:  First I'll go to panelists to address that and folks in the audience that might understand as well.  Go ahead, and then we'll    do you want to answer?

>> ALUN MICHAEL:  Public education has to be in the context of practicalities or in the context of coherence, a coherence can't be provided by individual companies.  There is a need for some bringing together of industry and that is difficult for industry.  It took a long time for banks to agree to operate on a simple system for financial transactions, but it was absolutely essential.  I think the same applies in this area.  There's too much of the same work we can't share.  If we share, we might become vulnerable or lose or leading edge.
Well, actually that sharing is essential to maintaining the openness and avoiding regulation so it's in the industry's interest.

>> ALEXA RAAD:  That's right.  The industry I talked to you about risk, it took us two years to get about 20 member companies together.  Two years to work on a data share agreement, which finally everyone has signed simply because of the fact that, you know, there was a concern about how much liability and risk they were taking.  But that is the only way to do it. 

>> AUDIENCE MEMBER:  I'm from the Dutch government and economic affairs.  It was an interesting question from that lady an I recognize the answer from the panel too.  Because we have the same experience a few years ago, eight years ago to be exactly, we started as a government, including financing the whole programme on awareness, we created a campaign to users. 
After a few years we came to the conclusion it shouldn't be only the government to do this thing.  It should be a shared responsibility with service providers and industry.
The first action plan was called surf and save and it was fully financed.  That was the second step of financing the government industry and ISPs.  So that really made progress in recognizes that it was a shared responsibility to create awareness on the user and that is not just for the government itself.  But    you can see    I have to say, sorry, industry was looking to government to say yes, it was not just the responsibility    it isn't just the public responsibility.  It's sole responsibility for industry service providers and they're providing a service and they have information about the quality of service and privacy and security aspect and by that we are now in second phase of campaign called financing.
Furthermore I can inform you telecommunication regulators has imposed policy guidelines on ISPs that Shea should inform the users of the threats on the Internet highway and they should also offer a view on what kinds of methods you can take.  It's not limited, but it is a first step to inform the user and make them aware.  The first step is getting the user    that the user has to act and of course has to accept and implement necessary measures.  Of course, that's the final state, but it's very, very important to recognize that industry and service provider have own role.
In my view, it's a growing role to recognize their role.

>> LIESYL FRANZ:  Thank you.  A couple of responses on the other side of the room and we'll move on.

>> AUDIENCE MEMBER:  I'm from the Nominet, the UK domain industry and then I'll respond directly to you, Colleen, because this is a very, very important area and it addresses people's awareness of their understanding so they can keep themselves safe.
There is a lot of information out there, but it's very, very scattered around.  One of the things that as a company we have started to do and hoping to launch it towards the end of October is an initiative or portal called know the net and this is a way of trying to help people find the information that they need and to approve the awareness of the understanding of the things you can do to try to keep yourself safe.
This is part of that sort of overall message of people being able to take responsibility for themselves but then not being able to take responsibility for themselves if they don't understand the I remembers properly and effectively.  And so you've got to get people to that stage.  I think we've got a particular concern, certainly I have, that when you have a priority to get more people online to break down the digital divide, the new people who are going to come online who are unfamiliar with the technology and the risks they are going to confront, and this is going to be a big challenge for all of us so the new people coming online do not immediately become the targets for the, as we've heard, very bright people who are one step ahead of the game and committing crimes against the Internet user. 

>> SUE DALEY:  This is Sue from Symantec again.  We have a number of awareness groups and different campaigns focusing on different audiences again, so we have a campaign called Get Safe Online which is focused very much on consumers and supporting SMEs and the message they develop around those focused on the audience.
Symantec are focused on child on safety which are coming together, as Alun says industry and government and other stakeholders and on behalf of that was a public awareness campaigns and they're targeted to different audiences and that works out well because you're able to target messages there.
I just wanted to pick up on one thing the panelists just mentioned asset policy legislation and regulation and roles as well.  I think there may also be a discussion point around how legislation can also encourage a takeoff of network security to our suspicions and encouraging the good practice, best practice take-up of technology, particularly around network security, to give you a quick example, if I may.  We have in Europe in the form of telecoms package which is one of the directives that was introduced in York first, a notification requirement that is going to be implemented, it plays an important role in helping individuals know if their information security or data has been breached in some way and know what it is.
Part of the information as amended is put in and if organisations have technological measures in place that can    the data is    for instance, if it's been encrypted it's not at risk, for example, then you have a requirement to notify is reduced, so that can be an incentive for people to take out a high level network security tools and solutions that can by doing so protect individuals more.  So legislation can play a role by incentivizing people to put in high levels of data security and information security that we need today given risks we all face. 

>> LIESYL FRANZ:  Go ahead up front.  Here and on the other side.

>> AUDREY:  From Frontier Corporation.  Just to tell you what my colleagues have side what's mapped in the United States.  In 2005 U.S. Congress designated October as U.S. Cyber Security Month.  It's a time industry and government spends a lot of time doing public outreach specifically on cyber security issue.  That's one thing measurable over the last four to five years so I think we've gone toward drowning the awareness of the risk of online environment and that's coordinated by not for profit organisation that is a good model of public priced partnership by industry and government NGO is really charged with doing public outreach.
One interesting thing happening this year is they're launching national messaging campaign, sort of we have these things in the U.S., everybody has them, catchy phrases on how to teach kids not to put their hand on a hot stove or not to start a forest fire, something similar on cyber security is going to be launched this October and backed by a lot of research that industry is engaged in to find out what's going to resonate with consumers and run a web site called and National Service Security Line if you're interested in looking into it.  Thanks.

>> LIESYL FRANZ:  I have one more response to this particular question that was supposed by an audience member and I want to switch gears if that's already with everyone.  We have pending questions from the audience here and in the middle and in front as well.  One more on the awareness piece and we'll move on.  Thank you.

>> BRIDGET COSGRAVE:  Good morning, ladies and gentlemen, I'm Bridget Cosgrave.  I'm with DigitalEurope, and we're software producers of consumer electronics and telecommunication equipment.  
For the benefit of the audience, I think it's useful and relevant for you to make reference to the European Commissions eCommerce directive as well as the Consumer Rights Directive which are two pieces of legislation in the process within the European Union and you can get more information on the EU European Commission work site and we're active in that and wanting that to be adopted within the European countries.
I want to ask on behalf of the    I'll get the organisation name right.  The Digital Europe, an organisation in Germany, performing on behalf of the European Union, a year's protection toolkit for use access to the Internet.  This was shipped here and there are six of them in the entrance to the registration building and unfortunately they were not put into your pack.  
So if you will be kind enough if you're interested in the topic, it's an exceptional useful server of youth protection tools being used across the European unit.  There are stacks of these documents at entrance to the registration building.
Our motto is "Vision 2020:  A transformational Agenda for the Digital Age."  
Then finally, as a testimony to the effectiveness to awareness campaigns, the European Commission graciously funded, with a sum of two and a half million Euros earlier this year, a pair of European East Skills Awareness Campaign which Digital European EE Skill Net Digital Skills across 2700 countries, a campaign that ran in March touched citizens in Europe.  
It touched the question of awareness as consumers acting in a responsible and aware fashion, it raised the most important issue we face and the opportunities we can create for young people to see growth and job opportunities in the sector and not only fear the activity.  Thank you.

>> LIESYL FRANZ:  Okay.  One other mention on this from youth participants here today, so I would like to get them to join in on this part of the conversation before I move on. 

>> LINDSAY BOWER:  Hi.  I'm Lindsay and I work for Childnet International.  I work on education team and we go to schools all over UK and last school year we spoke to over 30,000 young people from the ages of 3 to 18.  It's fantastic to go to schools.  It's great to be here.  Our youth participants would like to say something about the issues discussed in terms if the responsibilities lie with industries or Internet users.
When I go to schools, I give parent sessions and parents always ask me about security software, filtering software, and we can't recommend things specifically or we would be millionaires so we recommend them to you so comparing web sites to help them get the best for their home computers.  It's a difficult issue because parents often consider their children to be experts and rely on them to help them.  They don't have the same technical skills you guys have so I'm going to pass to Rebecca and Dan who have interesting points to say.  Thank you. 

>> BECCA:  I'm Becca and I'm 15 years old and we want to say that Digital Citizenship isn't taught in schools, so when you sign up for a web site, your terms and conditions don't make sense to young people and it's too technical for us to understand, and technical risks aren't covered that much in them.  When we ask our parents, they don't know either because they haven't had it explained to them.

>> DAN:  Hi, my name's Dan, I'm 14 years old.  I live in Guernsey.  Like what Becca said, the people that use the technical terms like DWSA and phishing, people who design software, all of the stuff you talk about this morning, all of the stuff you talked about isn't passed down in education in schools.  
The new UK curriculum is supposed to include digital stuff and teaching us about Internet safety, and when the new government was brought in, they scrapped the decision to put in Internet safety lessons into the curriculum. 

>> LIESYL FRANZ:  Thank you very much for that perspective and a little bit of dose of reality for us in the room.  Thank you.  
I would like to thank those patiently awaiting to raise other questions in our conversation today.  I think you had your hand up an hour ago.

>> OLGA JORGEN:  That's okay.  I'm Olga Jorgen, a former Dutch MP.  I would like to come back to the beginning, the those who want to get online, you want to get there safely.  Then of course, the question is what is safety?  I think already there's value in safety.
What I think is safe for my nine year old boy is differently for what he thinks is safe.  So there's always value in that.
But I think now what we need is companies to be transparent, essentially in social media, we've seen issues around Facebook, Google, Hi, transparent is not clear.  I think the answer, one of the answers, actually, to this question that the youngster tells us.
The comment is you're absolutely right when you say you cannot have education about that, because we have too many local and regional differences and takes way too long to get all this implemented all through Europe and further away.  We need to look through companies that make the suffice book, the Googles, the HIs.  How do we as consumers get them to handle our    how do we get them to have our privacy by design and get them so far that they can teach us how to design our privacy when we use their programmes? 

>> ALUN MICHAEL:  Can I say, I think the most important thing is, again, to learn lessons that are old lessons and apply them intelligently to online world.  Government is not thought of in terms of intelligence, regulation and so on.  Actually, there's an alternative that's been around for 150 years, it's cooperative governance.  It's    it takes a little bit more effort just as the IGF approach takes more effort than simply setting things in statutes or setting up a UN agency but it's worth it and it works.
So I think what we need is an approach which says legislation shall be enabling and shall be minimal taking on Sue's point about legislation can be enabling.  But it isn't traditionally, and    if I can say, European legislation is often complex and detailed.  So is UN legislation.  
The European convention is, you know    we need legislation based on principles which recognize the need of people to work together on the detail, because the detail has to change and adapt.  That is true about legislation in general, but it's true in spades of the way we approach the issues in the online    the online world.
There is no alternative to cooperative approach to the problems and challenges we face in the online world.  That isn't new but it's absolutely right for the 21st century.  

>> PILAR del CASTILLO:  Yes, I think once again we find in the online world the same kind of approaches we find in the offline world.  We find in the offline world, you know, an approach which is more full of information.  It's administer full of legislation and we have    we finding offline world another approach which is more cooperative way which leave legislation for principles and so on.  This happens every day, even today when we are dealing with this, you know, in any Parliament, in any, you know, institution which I'm dealing with this.
So, it is like that so legislation should be taking as far as help, as far as, you know, push for better choices, for better competition, for better information.
But only on that premises.  But this is a    will be in the online world forever.  I'm not sure forever, but it is in the offline world.  So all we have to deal with this, this is the same.  So we have to go case by case, subject by subject and then decide if legislation is need, I have to understand and what degree of development. 

>> ALEXA RAAD:  To your question, how do you get the companies to be more transparent?  Use the same tools they use.  Number one, consumers vote with their pocketbook.  Second, with Facebook, the privacy issues with Facebook were not shared by Facebook, they were actually discovered by users.  They started a campaign a social media campaign putting it out on Twitter, putting it out on blogs and really within three days, Facebook had to respond. 
Previously, if you had to get the same pressure, it would be impossible.  Use the social media, a Twitter message is worth 10, calls to the front desk reception to get to the CEO. 

>> FRED LANGFORD:  Fred Langford, Internet Watch Foundation in the UK, the organisation I spoke about earlier.  I wanted to give a success story instead of talking about the bad points.  The self regulation does work and we have an example of where it works and crosses something Alexa was saying about the values as well as the legal aspects because we issued notes and take downs to content hosted illegally in the UK.
Since 1996 illegal content has dropped from 16% to below 1% in the UK.  At the same time, like Alun said, we provide a list of URLs for industry to block access, which is a value judgment.  
So I just want to say, it is possible and that is working with industry.  So industry need to step up to the mark and put their thumbs where their mouth is, basically.

>> ALUN MICHAEL:  Can I just make one point, you used a term which I think is a dangerous one, self regulation.  It's actually cooperative regulation.  It's the industry that does the business, but it's working with law enforcement agencies and the significant thing is there has not been legislation in the field because this confidence on the part of parliamentarians and civil society on the way it's being done, so it's better than self regulation.  It's far more virtuous than self regulation.

>> ALEXA RAAD:  I visited your office in the UK and I love what you're doing.  The model is one that we use.  There is a value judgment, however this is what makes it beautiful.  
This stops us from going down a slippery slope.  You have oversight.  You have separation of function and oversight.  Law enforcement will tell us, these are the sites that we need to shut down.
In our policy we shut down child pornography and abuse sites.  That is a value judgment, however, the way it's done is it's verified by law enforcement.  
Another thing we do is we actually, because we're so concerned about having the slippery slope, right, we actually have another organisation that then looks at our actions, right, and holds us accountable to make sure that we did the right thing.
So now you've got three separate organisations, a third one does it after the fact and they report to me.  So I'm confident the way that our policies are laid out is not taking us to a place where we don't want to be.  There's a difference between yelling fire in a crowded theater and having a right to yell.
It is a balancing act and you have to    that's called Rational thinking, you know.

>> AUDIENCE MEMBER:  I'm from Germany Pirates and I would like to bring up two things.  Facebook and companies like this are selling user data, so it's against their business model.  I'm wondering if you could force them because it would simply    it's going against what they're doing.
Secondly, people brought up teachers in Germany, for example, have no (off microphone) of the Internet and how to work with it.  Sometimes teachers ask me to come in front of the class and explain something because they don't know about the stuff again.  
We should, like, educate teachers and younger age of teachers.  It's still failing nationwide because it's a federal model and nobody can agree on something.  And first of all, we should all neighbor spend more for education and spend less effort talking what to educate.  Thank you. 

>> ALUN MICHAEL:  Just a quick one, I think there are some difficult issues here.  You're right to talk about business models.  I mean, one issue, for instance, is the separation in traditional media of advertising and editorial content.  
I think there's a big question.  If Google is selling where in the order of searches items come, then that's not based on editorial judgment, it's based on advertising judgment.  Doesn't that separation need to be something that is universal value that therefore can be understood by consumers?  It isn't at the moment.
It seems to me those are the sorts of issues that    which are in the third tier of your earlier separation where the protection of the consumer requires clarity.  It doesn't stop either of those approaches being adopted, but it makes it a requirement for it to be clear so that people can then make their judgment.  
That sort of issue of making sure that the clarity and the accountability is there in order for people then to be able to exercise individual or group choices.

>> ALEXA RAAD:  That model, if you remember, some of the problems on Wall Street with traders and analysts, you bring that up with checks and balances, perhaps I'm naive, but I believe ethical business is good business.  Those that have survived and done well are those that have done business ethically.  
If you think of the damage to Facebook's brand when it looked like they were trying to get one by the user.  And it took a user to actually point out that you could change your privacy setting it was a user campaign to shame Facebook to get the CEO on CNN to face up to it.  You cannot pay on the brand damage.  
Did they lose advertising money in the short term?  Yes.  Again, in the long term how much did they damage their brand and credibility?
Again, perhaps I'm naive, I think those who actually adopt that sort of oversight and truly believe in practice, ethical business are the ones that will be here tomorrow.

>> LIESYL FRANZ:  We have one here and here.

>> JANICE RICHARDSON:  Janice Richardson, I coordinate the Insafe Network public private Partnership set out by the Commission.  We're talking about protecting consumers online, and it seems to me that we have total missed a very important group of consumers.  Did you know that there was a 29% increase last year in the under nine year olds in virtual words.  
Now, what is rather shocking was that there was a rather similar increase in the amount of financial transactions in virtual worlds.  We have very young consumers coming up and these are the ones that need protection and perhaps total different sort of model.  What do you propose?

>> ALEXA RAAD:  I would like to know what allowance that they're spending money in the virtual world?

>> JANICE RICHARDSON:  I'm not sure their allowances, but many of them have access to their parents' mobile phone and they want to buy a new Barbie dress or a new piece of perhaps, and they ask to buy this and receive a code to put into mobile, and if mom or dad gives the okay, it may be only a 10 year old or less, but seems to me this is where we are educating consumers.  
This is where we're educating citizens and, therefore, we do have a role at looking at these consumers also because there are many of them and they are our future. 

>> ALEXA RAAD:  In that example, there is a responsibility on the part of the parents.  Just as somebody was talking about to get    to understand what sort of filtering responsibility to use.  To advocate responsibility to the parent and leave it as    to the school or the provider is a dangerous thing.  
If it's the parent's phone and they    the parent's phone and they know it's happening, it's their responsibility to set up or call the company.
If the company doesn't have the settings or offer the options to be able to customize that, and be able to disallow certain things, by virtual of the competition, I believe they move to    either they move to another provider or it would be a request for additional features to be added.
So here's where responsibility and cooperation work well together.

>> ALUN MICHAEL:  That's right.  To assume that it's good business to be ethical, it's good business to be sound is a good aspiration but the success of ethically based business depends on the environment in which that's taking place.
So there's a real challenge, it seems to be, and this is a good example here of saying what are the values that ought to be applied.  If there's a value signed up to buy business and you've worked through values in practical ways, that's when the power of social networking and all the rest does become part of the equation.
But you can't avoid it seems to me, the responsibility for setting boundaries of the values that need to be applied.
Now, the more you keep that at the level of principle as you were saying with legislation, that simple level, you keep the legislation out and have the values, that's debated and discussed in the cooperative environment, and the legislation the underpinning dealing with any cons, that has to be the model that's right for the future.

>> SCOTT:  My name is Scott and I'm with the agency Elder.  A gentleman said we cannot stop the crime, but we always have to fight the crime and we always have to have hope that we will win.  That is the human glimmer.  
The only way to stop the Cybercrime is creating a global I.D. system.  That's the only way for protecting people.  And by making crimes in the real world and Internet equal.  I think it was a very good idea by the lady from Kenya. 
No matter the values, no matter the values of any religion, a theft of anything is still a crime.

>> ALEXA RAAD:  Who wants this hot potato?

>> ALEXA RAAD:  I understand what you're saying, I'm not sure a global I.D. system is the way.  I'm not sure what you want is the way.  I'm not sure to get as close to eradicating crime.  There are many ways to do that.  Having a global I.D. system to many rings a number of different bells.  One of them    none of them are terribly blood.

>> ALUN MICHAEL:  I think as well.  The challenges, this is, as somebody said earlier, absolutely international in its nature.  But as was also said earlier, applications are local and personal.  
One of the things that was having to me, we talked about creating crime reduction in the UK level mirror what was done in local level with everyday crime.  What has been spontaneous is it's been two or three regions in Wales and Yorkshire, at the partnership between business, public authorities and others, to look at what can be done to protect business, to help people understand the issues involved in the balance between ease of access and privacy and protection, have taken off.
And I think thinking that because the Internet is so international, therefore all answers need to be international is not    is not the right way to go.  Not at least because there are a very limited number of things which you can get international agreement.  
Worldwide there are many, many challenges.  It seems to me what you've got to do is develop something that recognizes variation of values.  We need to work toward common values, implementation of human rights in particular, and recognize what is going to be difficult and, frankly, what is going to be impossible to achieve and work on the possibility    

>> SCOTT:     created by international companies and I cannot watch some videos on some servers from BBC.  They say you're from another country and you cannot see that.  Maybe someday I'll need some international visas.  I think one sees the problems and the other one solutions. 

>> ALEXA RAAD:  I think the fact that you're unable to actually access certain videos or sites is something that's actually shared by citizens of other countries.  But I think it's a separate problem with a separate set of reasons why then, you know    anything having to do with a global I.D. 

>> SCOTT:  I'm sorry, my buffer values, you want me to talk with Iran    

>> ALEXA RAAD:  I'm not sure I understand your question.

>> SCOTT:  I don't understand the problem    you say people have different values, shouldn't implement some things    

>> ALEXA RAAD:  Yes, there are different cultural values.  There are some things that are very similar, but there are some different cultural values.  I'll give you an example.  Sex education in the United States, state by state basis, some consider it sex education; some consider it pro abortion.  
You take that to Muslim country, anything having to do with female reproduction or sex education would consider it offensive.  So we can't enforce on a global basis, which one are you going to choose?  
I think what we're saying there are some values that are going to be different on a country by country or region by region basis, and   

>> ALUN MICHAEL:  And the attitude of the United States to offline gambling is an example that could cause quite an interesting discussion   

>> LIESYL FRANZ:  I'll taking the prerogative of a moderator to    I cannot see who's going to take this opportunity    one of my questions as we're getting nearer to    near to the end here.  
Two more questions and then perhaps we'll ask the panelist to    the opening question or the discussion on    so two more comments, a question, and then perhaps a response and wrap up for our panelists.  Is that all right?  Thank you.

>> AUDIENCE MEMBER:  When you have something like global I.D. and IP addresses are unique and ISP    which use them while giving them out, so if you have I.D., you can launch the ISP and ask them who I.D. at this moment, what you want is simply because    you're balancing privacy of individuals.  Thank you. 

>> LIESYL FRANZ:  Thank you.  Just to make reference to the youth protection round table, so the web site is  They did a survey among European countries to test sensitivity of certain aspects of values.  
So there's actually concrete information on this question of reactions of different communities on what risk of child community, in any event.  So that's just a factual example.  
And with respect to business models and, indeed, the question of access to content is more a question of rights management and who has paid for the right of geography with the business model of content comment with respect to business illustration and a question of online protection of consumers.
Okay.  One more question and then we have a remote participant comment and question.

>> AUDIENCE MEMBER:  An issue when take about security and people can be protect, not just only about computer system, it's about just the people, the life and something like this.  So we need to liken sure discuss something more and more.  
In the context, in the Asia countries, we do have some context of    our    code of conduct from the corporate, like in the case of Taiwan, the people are worried about others in terms of people conduct of the company maybe in the United States but if it    the situation that that's in the country or that's in the government, how can be like staff of the company as well.  
Like in Taiwan when the people feel they are being push or expression in the political views and ideas, that kind of like a rumor spreading out, like, oh, that already been like corporate and we could not, it not easy at all when we try to contact through the Facebook, through the Facebook page.
We don't know this is not been like washing, operating like the developer themselves or not.  So I think this is kind of like    we don't know how we can have like direct contact to the big corporation like far away from like where we are.  Thank you. 

>> LIESYL FRANZ:  Okay.  Any comments to the last few questions? 
We do have a question from a remote participant, so let's go to that. 

>> I'll read the question from Victor Darling from the Cameroon remote hub.  There's no issue to protect Internet users and that's the case from my African countries.  Do you have any initiatives to help poor countries in large campaign to raise awareness and protect their Internet users? 

>> LIESYL FRANZ:  No responses? 

>> ALICE MUNYUA:  I think they're looking at me.  Just to mention, for example, I wouldn't know about other, you know, resources for developing countries to do that.  
I know Kenya has made an effort.  We're doing a lot in terms of public awareness and we're trying the approach where the communications commission of Kenya, together with the ministry and service providers have actually come together and are providing an aggressive campaign currently around protection of users.  Not just protection of users in terms of using more of services, but also awareness around, you know, people's rights, user's rights.
I truly believe and I'm proud of the approach we've taken, and that would be the best    that's where the resources are, at the local level.  I think expecting somebody from the outside to come and assist somebody international to come and assist, other country, over the contents is a bit difficult.  
So I see it as the solutions as, really local.  In Kenya everybody is talking about social networking and we're talking about protecting users.  I think the advisor to use the   

>> ALUN MICHAEL:  It's quite encouraging, what's happened in East Africa I think is a lot of lessons for elsewhere.  But the fact that the IGF model, it's a regional level around the world, is developing makes up    that the place for a lot of discussions to take place.  
The other development I think is encouraging is with the commonwealth Internet Governance Forum because the range of countries in the commonwealth does range from the most developed to many of the developing countries and extremes of large and small as well. 

>> LIESYL FRANZ:  Okay.  Thank you.  Is there anything else on the participation? 
Okay.  I have one other comment that popped up.  Lucinda?

>> LUCINDA FELL:  Lucinda from Childnet.  We've been talking about openness and security, and it struck me there are a lot of synergies with conversation taking place on digital citizenship.  I'm from a child safety charity.  We talk about safety, security and authorities.  It comes down to what Oliver was saying about working with the young people.  We talk about authority, but rights and responsibility.  
What are our responsibilities as users to keep ourselves safe, but who else do we need to be talking to and from the people?  Or do you have younger siblings you need to protect?  What about your grandparents and young people?  What are values?  Who can we talk to?  We need to have a collaboration.  And if we're thinking about safety, security and values, industry needs to be doing the same.  And not just talking about what values are important to users. 

>> LIESYL FRANZ:  I believe we have only one more.  I certainly   

>> AUDIENCE MEMBER:  I'm very sorry.  I just wanted to mention something alongside my Kenyan colleagues.  We just passed something for the people.  
One of the first chapters on human rights and it cut across all areas say that there was absolute freedom of information and the protections there are so great, but we particularly are going to be big leaders, they going to change to ensure that freedom of information is protected and people are sure their information is    it's a big challenge but we    there's so much happening about cyber security, it wasn't from a BBC report that one of the countries in Africa, I think they said Cameroon, has    now has a lot of history and the number of cyber attacks and various kinds of, you know, protections.
So that's on everybody where information freedom, you need to protect    isolate those who come to attack it to make others who find it very unpleasant to use.  So I just wanted to give you that information.

>> LIESYL FRANZ:  Thank you very much for sharing that.  I think that's a great place to share those kinds of evolutions from one year to the next in all those countries, so, no, I appreciate the comment.
I think I'll wrap up.  I might ask the panelists to help me think about bullet point type of comments that we could put forward to the main session on security, openness and privacy that will take place tomorrow.  
So by way of closing on our remarks, if each of you will just take a minute or two and help think about what we can transfer from this discussion to tomorrow's main session.  Alun, you want to start us off?

>> ALUN MICHAEL:  I thought it was interesting, the point that was just made about looking at rights and responsibilities in the same place.  That's the same issue as looking at security and freedom in the same space.
It's actually bringing things together rather than having separate discussions and being comprehensive in the way you approach things.  I think we need to develop a form of cooperative governance, learning from the forms of cooperative governance that existed over the years and specific for the Internet age in order to take the IGF process, which I believe has been successful so far, into a new dimension.  
That means not just depending on the annual event but a much greater engagement between those events, greater activity at the regional level around the world and in particular starting off with the basic principle that was agreed when the IGF was first launched in Tunis in 2005, and that is at the importance of business leadership, government engagement, better accountability and therefore the engagement of parliamentarian and civil society which in the Internet age should be far less difficult than it has been in the centuries that we've been trying to work internationally for so many years.  There's a big opportunity here. 

>> LIESYL FRANZ:  Ms. del Castillo?  

>> PILAR del CASTILLO:  I would like to repeat what Alun said, I agree with his view.  I would say that safety and security and consumer protection is which has kind of ownership.  And the ownership is not only for governments or for the industry or for the users, it's a mix of the three of them.  I think one of them they have place, they have    in order to get this goal and in that sense, it's another matter, a comparative approach.
We can look at also for this, you know, course of ownership.  And only it would put, you know, all these actor to play together with the onus that it's an ownership on the three of them we can get something, I would think. 

>> LIESYL FRANZ:  Thank you.

>> ALEXA RAAD:  Going back to some points I made earlier, to be practical and solve this problem, if we don't want to talk about this ten years from now, let's define what it is we're trying to solve.
There's some things we can solve sort of, you know, we call anytime the US low hanging fruit.  If you pick fruit from the tree you don't pick the top fruit.  Stand underneath and pick whatever's there.  That's the easiest.
So the things that we can solve that do not involve a lot of    and by the way, things like phishing where we're able to get together as an industry across different stakeholders and make a difference.  That's one.  So let's get a definition of what we're trying to solve, not try to bite the whole thing but try to approach it and learn from every iteration and what it is today that work well.
I would like second, it really isn't necessarily about punishing or if you will, forcing the industry.  It really is about incentivizing the industry.  Maybe we ought to change how we think about things.  It is    I guess this is best interest to be able to serve the customers better, but also the customers' responsibility to speak up.
If we're tag about responsibility and accountability and thank you for saying they will share that, it is the customers' responsibility and accountability to be let that be known.

>> ALICE MUNYUA:  To continue to efforts to create or coming up with a common understanding of what Cybercrime or protecting the user online is about.  In that way, there's going to be    I think it has been operated that, you know, activities around that link to the    that link to the international efforts and activities that are taking place.
Very important to continue using the approach and ensuring each stakeholder group creates an environment and each stakeholder is able to do that.  Acknowledging that policy making needs to be quite flexible because, you know, there's technology and markets are always in constant, you know, move and flats and as a result unpredictable.  So the importance of having a certain level of flexibility when it comes to developing policy and regulation.  Thank you.

>> ALUN MICHAEL:  I just want to enter one sentence, let's have the low hanging fluids, the benefits that can be achieved by the test of the IGF processes, can we deal with the difficult issues that aren't low hanging fruit.  I think suggesting we go after the things that can be done easily, I    

>> ALEXA RAAD:  Of course we go after these   

>> ALUN MICHAEL:     first, have those, but make sure we're tackling the difficult issues but there's time to demonstrate the difficult issues can be attacked this way.

>> ALEXA RAAD:  Maybe different sets of people that address different parts of the problem and maybe that kind of definition is part of the discussion as well. 

>> LIESYL FRANZ:  Please join me in thanking    first of all, Nominet for organizing the session today.  And, of course, to our distinguished panel Pilar del Castillo, Alexa Raad, Alice Munyua, Alun Michael, and thank you for joining us today.  Give them a round of applause.