Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> Public private Cooperation on Internet Safety/Cyber Crime.
>> LIESYL FRANZ: Good afternoon, everybody, my name is Liesyl Franz and I'm with TechAmerica. I thought we would go ahead and get started now that we have taken care of housekeeping in the room. As you can see, and as you have seen throughout the day, we do have a little bit of an acoustic challenge here in the venue. Can you hear me at all? Okay. Just checking. Which is very important because we have a very good and distinguished slate of speakers for you and we want the session to be as interactive as possible as well. So I have asked our speakers to speak very close to the microphone when they are making presentations and for you as discussants as well, I hope you will speak very closely to the mic when you are making your interventions.
We are joined here today by we are going to organize the session in two sort of half two halves. We are addressing cross border, wholistic approach to cross border cyber crime, information sharing, cooperation and awareness raising in a multistakeholder environment, the public private partnership and other collaboration mechanisms necessary for addressing cyber security and combating cyber crime. So we thought we would take the two hours that we have today and divide it into two. The first hour we will address information exchange between public and private parties on cyber crime threads and best practices fighting cyber crime and we have three case studies for you today from the U.K., the Netherlands, and Georgia.
After that, we will take the second hour to discuss building trust and cooperation by creating national and international alliances and we have discussions and examples from European Parliament, the Netherlands and then public private partnerships in the second half of the hour as well.
So let me take just one brief moment to introduce the first slate of speakers for our first half of the afternoon. To my far right we have the honorable Alun Michael who is a member of the parliament in the U.K. We have Annmarie Zielstra, and we have Mrs. Rusudan Mikhelidze, head of research and analysis unit for the Ministry of Justice in Georgia. And they will share with us their experiences and efforts in public/private cooperation against cyber crime. Alun, would you mind kicking us off once again.
>> ALUN MICHAEL: Thank you very much for the welcome and for the chance to be here. I am going to say something about crime before I go onto cyber crime or whatever we call it. My favorite comment about crime is that laws rarely prevent what they forbid. Laws rarely prevent what they forbid. There is a mythology about problems, criminal activity, things we don't like, which is that you solve the problem by passing a law. There is a second piece of mythology which is what is done about crime by the police.
The idea that the central role of the police is to hunt down criminals and to prosecute them is in fact wrong. When Robert Piehl first sets up a police force in London, he sat down clearly then and it is true today that the job of the police is to prevent crime.
My first role as a minister in 1997 was to establish a partnership approach to reducing crime in the U.K. based on a local partnership involving police, local authority, and a variety of other agencies, and inviting civil society, voluntary organizations, local community representatives to be part of that. It's been very successful. For instance, in my own city of Kardif a proper analysis of where people were becoming victims of violence has led to over a ten year period a reduction in 40% not in police figures, not in reports, but the number of people going to accident and emergency unit in the hospital requiring treatment as the result of a violent incident. That is real reduction, not just a statistical reduction.
My point is that a partnership approach which focuses on preventing crime, taking the profit out of it, removing the opportunities is far more effective in reducing the number of victims than is an approach based primarily on legislation or policing. That must be equally the case or more so with the internet because the internet classically because of the nature of it, the nature of communications is a place where even more than in the real world it's possible to analyze what's happening, be aware what's going wrong, be aware what it is that needs to be tackled. There has been a reference in the introduction so the fact that criminal activity on the internet is global. It is, and I think for many years we were mesmerized by that international dimension into thinking we could do nothing. In fact, in the U.K., what we have been trying to do is to build a national approach to tackling and preventing criminal activity. And without any stimulus from the centre, we found that one or two places, Wales being one, and Yorkshire being another, have started a regional or more local approach to tackling internet related crime.
And that's been extremely effective because it's people analyzing what's going on and asking what they need to make a difference. When I look at the specific questions that were posed to us in the paper for today, I would answer them as follows. What is the responsibility of local and national governments? It is not to think that they can do everything or that legislation is the answer, or that they should look inward, but coordinate, everybody, a partnership involving industry primarily but also civil society in order to tackle the problems of their citizens. What are the responsibilities of private parties? I suspect that this is primarily industry. Industry must be in the lead in this. Industry, people in the internet industry, those who are designing the thing at the cutting edge that are fresh approaches, must be those who are designing in the protection of the public, designing in the prevention of crime. But they cannot be left to do it alone and you can't leave the private sector and government to do things on their own. That is why in my view it is so important for parliamentarians to be involved as well as governments. We have six from the U.K. parliament here this week. I know there are quite a large delegation from the European Parliament too. We need to be there and so do people from civil society such as Child Net that has brought young people to the Internet Governance Forum. What is the possibilities? What are the successes? We can be successful in this if we get industry to accept the importance of this approach and to recognize that engagement with preventing crime is the price for avoiding the traditional approach of excessive legislation and excessive legislation which inhibits the proper exploitation of the internet, in other words, the exploitation by the good guys not just by the criminals. What is the line between showing responsibility and being your own judge?
It is that engagement of elected representatives in civil society so that is there proper accountability, opening in and transparency. What is the line between fighting crime and censorship, is having that proper dialogue between the four partners with the governance side, of course, including law enforcement. And finally, an example of success is the way in the U.K. we have tackled on line child abuse sites. I use that term not child pornography because there is real abusive children behind each image. And was that an intrusion on the freedom of the internet? No, because nobody should be able to abuse children. Was it easier than some other issues? Yes, because everybody can agree that the abuse of children is evil. Everything else virtually is more difficult. But that's why it's important for us to tackle it, because unless through the process of cooperation and agreement the multistakeholder approach, unless we can tackle difficult issues, then we will revert to the bureaucratic approach to the legalistic approach to international institutions and all of those things which would actually fail to tackle crime and nuisance on the enter net but would inhibit its growth, development and benefit for mankind.
>> LIESYL FRANZ: Thank you very much, Alun. Annmarie?
>> ANNEMARIE ZIELSTRA: Thank you. Can you hear me all? Well, thank you for being here. I have been asked to talk about public/private partner in the Netherlands, how we fight cyber crime, between the ICC. National infrastructure against cyber crime its public private partnership. Before I go with you through the slides I will start with a small movie to give you impression about the way we working in the Netherlands and specifically in the cyber crime information exchange.
No sound? (Music). Okay, we can stop here and for those who are interested, I have a brochure on public private partnership in the cyber crime information exchange, and I can give it you to. But we go now through the slides, and we start here. United against cyber crime. You can't fight cyber crime on your own. You have to do it together. That's why we bring public and private organizations together in the national infrastructure. We started in 2006 in the Netherlands and there was hardly nothing on fighting cyber crime. So we started with a programme funded by the department of economic affairs. And based on the idea of learning by doing.
So start with projects, see what's working and if it's successful, continue that. And if it's not, stop. So one of the projects was the cyber crime information exchange, and the programme will end December this year. But the cyber crime information exchange from the site of the government and the private industry said this is very successful, it gives added value, we will continue this in the structural way. The whole philosophy was a strong focus on prevention like Alun just said. It's not about tracking down and prosecuting. It's extremely important, but not the solution for the problem.
We have to focus on prevention, and that's what we are doing within the NICC. And there is a big role for the private sector, and there is a big role for government. Because 85% of the critical infrastructure is enhanced in the private sector. Private sector is responsible in fighting cyber crime is responsible for taking the measures, so the ownership must be on the side of the private sector. And there is a role for governments. The role for the government is leadership. It's bring organizations together, it's based on rising resilience of the critical infrastructure, but it's also facilitating, stimulating, and also financing research and that kind of things.
The information exchange when we started in 2006, well, we said we can find out ourselves, but look what other countries are doing. So we looked at the United States and they were working with ISAACS and we looked at the U.K. and they were working with the information exchange and we said that's a model that's working, why don't we do that in the Netherlands. Don't invent wheel again. What can we learn from other countries. That's very important.
Leadership must be at the private sector, so the private sector must be chair of the ISAACS of the information exchange and the government must have a facilitating role. So this is what we built from 2006. It's the flower model, what we mentioned in the Netherlands and it's based on public private partnership. So in the middle you see government organizations like the intelligence service, the Dutch police, gov CERT and the NICC as facilitator, as fly wheel and in the circle around you see the private sectors. We started in 2006 with the financial sector and today 12 sectors are linked to the cyber crime information exchange.
And it's voluntary, so it's quite a lot of sectors. We meet every six to eight weeks on a face to face basis where the private sector is in the lead, where the private sector delivers the chair and sets the agenda. The government organizations bring in information and expert eyes. So if you look at the flower model, we also started with a cross-sectoral information change on topics which can be addressed to several sectors, process control security. And in 2006 it was very ambitious to create a national infrastructure and today we are laughing about that, because cyber crime isn't something you do on a national basis, you do it on an international basis. Cyber crime is worldwide. So we have to work together worldwide. For that reason, we also set up the information exchanges on European level and the international level based on the same way of working using the same principles like using the membership guidelines, using traffic light protocol, and have the same way of working. The key success factors are trust and value. You must build trust. You must build trust in small groups where you know the people. Where you can meet each other on a face to face basis so you have to build the network and that's very important. You need to build trust, and we use the membership guidelines for that, so there is continuity in people attending the meetings. So we meet the same people every meeting. We use the traffic light protocol, the red, green, yellow and white information. And we said participation is voluntary, but not free of obligations. So all parties involved have to play an active role, and that's very important. But building trust takes time. So it needs one to two years, depends on the sector, to build that trust.
And it's also about added value. If you get to know each other, you will share information much easier. So when you get to know each other and you know the way of working, you can address topics in the information exchange. So you have to invest the whole time and you have to set the agenda to get with the private sector. And that's very important to do that in an environment where there is really collaboration between public and private parties. I want to stop with this part because of the time, there will be questions later on and also for you there will be the brochure but also the membership of NICC united against cyber crime. Thank you.
>> LIESYL FRANZ: Thank you Annmarie. I'm glad we got the movie working even though it startled me out of my seat. Rusudan, please, go ahead.
>> RUSUDAN MIKHELDIZE: Good afternoon, ladies and gentlemen. It is my greatest pleasure to be represented here and to be able to speak at this forum. It is not an easy tact after the representative of the U.K. and distinguished delegates and the Netherlands, the countries that have developed various methods, ways of public, private partnership, and who can share with us the best experiences in that respect.
When I was invited to this workshop to speak at this workshop, I thought what does the country like Georgia, which is we just started to develop its system against cyber crime to effectively tackle this phenomenon can offer to the world or share to the world.
Of course, the example that I will be talking about the law enforcement, ISB cooperation, memorandum of understanding specifically is just a very small initiative that can be an example for the countries that are just building their cyber security systems, the mechanism to effectively tackle cyber crime in their respective countries.
This is a good experience for me to take home best experiences and best practices of other countries and other distinguished delegates represented in this forum. With respect to public private partnership. The title I would like to draw your attention it the law enforcement ISB cooperation. And I will do that by describing the small initiative, I would say, that was launched in Georgia this year actually.
This is the memorandum of cooperation, which was signed on 24th of May, 2010 by internet service providers and the law enforcement agencies, and the memorandum of cooperation deals with elaborates on and provides for the general principles for cooperation in tackling cyber crime. The basis for this guideline was the Council of Europe guideline on ISB law enforcement cooperation, and this is just the enumeration of basic principles which are relevant in the area.
Why did we rush with the signing of the memorandum of understanding? What was the need in the country at this point where there is no legislation in force, we are still awaiting for the parliamentary procedure which will be completed soon with respect to the cyber crime amendments that are prepared and hearings are at this moment in the parliament of Georgia. We do not have the legislation, we didn't have the legislation in force at that time, but we still decided to have the memorandum of understanding signed.
I think that this was the very reason to promote somehow the dialogue to initiate the dialogue between ISB and law enforcement on this issue to show them both sides the needs of detailed procedures in this area. And the needs or the joint city of joint efforts from both sides to tackle this very phenomenon. As I mentioned the basis for guideline of cooperation was the Council of Europe guideline, and the Georgian memorandum of understanding lists just the general principles. This is not the solution of the problem, of course, and this is not the legal basis on which the ISB law enforcement cooperation can be built solely.
Actually, we as the government and also the representatives of ISBs were awaiting for the entry to force the legislation to provide for more detailed regulations of the field. When the working group was working on the draft memorandum of understanding and this working group was comprised not only by government representatives, the law enforcement agencies, but also number of ISB's, mostly all of the ISB's registered in Georgia, we found the need of more detailed regulations.
And these detailed regulations can only follow once the legislation in Georgia is in place. What is the point that I would like to raise for discussion for the countries that are developing the systems against cyber crime? It is of utmost importance, indeed, to have the law enforcement and ISB's sit together to find the problems that are peculiar, not only to the cyber crime globally, but the difficulties that exist in the fight against this phenomenon in particular country and it takes, of course, the time. It is, we are proud to say we could manage this in a relatively short period of time to which the joint project Council of Europe, European union contributed very much. At this point to repeat the practice of cooperation is not based on detailed procedures because they do not exist. These are just criminal law, criminal procedural law provisions that are used of investigating cyber crime by law enforcement and ISB together. But once the legislation is in force, we intend to detail the regulations with regard to this area. I think this was the point I wanted to make from the perspective of the representative of the country such as Georgia. Another announcement I wanted to make, and I think that I'm permitted to do that, is there, the regional conference or international conference that will take place in Georgia in November, and that is organized by ICT business council and financed by several, ICT business council in Georgia and several donors are participating, and from the site of the government there is the data exchange agency which is, which was just established and which tries to, the regulations of the state exchange agency give them the short also of CERT Georgia but we are a long way towards that at this point. In order to have CERT Georgia develop, there still needs to be done many things. But these two counterparts, information, data exchange agency, ICT business council are organizing this regional conference to which all of the distinguished representatives here are invited to participate in case you are interested, I could give you more details about that. This conference is yet another example in Georgia of public/private partnership which, which still needs much more to do and in order to be a best example for the outside world. Thank you very much for your attention. Thanks for inviting again.
>> LIESYL FRANZ: Thank you very much and thanks to all of you for sharing your experiences. I would like to open it now for a few questions before we move onto the second half of the sessions, so if anyone has a question about these particular cases, now is the time.
>> So congratulations on such good initiatives in U.K. and Netherlands. So in Lithuania, we had this experience, similar experience. We signed a memorandum of understanding between the governmental institutions and industry, and we had nice activities, however, this was later on on hold. I'm just wondering, and I want to ask a representative from U.K. and Netherlands how does this model is organized in terms of finance. Is there any membership fee soar is this funded by the government? How it works?
>> ALUN MICHAEL: Shall I dive in first? I think the problem is identifying how to manage and organize and that has to be based on the identification of the problem. Most things go wrong when you have identified the wrong problem and use the wrong methods to solve it. And one of the problems, and this applies to tackling crime much beyond the internet experience is that it can't be just the industry that identifies the problems, things that are not a problem to the industry may be a real problem to the public to, user, to small companies and it can't just be the police. When I was a minister in 2005 we discovered a major problem and a flaw in the way that we were policing mobile telephone scams, and what brought it to our attention wasn't the police, wasn't the industry, it was members of parliament, because there was a flood of letters from members of the public saying we are being ripped off here, somebody ought to do about it.
But it was solved then having been identified by the government and the industry responding to that general public concern. So I would say that you have to build the infrastructure, but it's a mistake to base it purely on judgments made by government and the industry. At the moment, we are going through a scoping study, which is being led from a university to identify the areas to focus upon.
>> Okay, you were asking about funding and how we organized it, well, firstly, it's very important there is added value for all parties involved. That's the only reason they will join. And about funding, the private centre brings the people and the expertise and the government funds the platform. So if you look at that, it's on a 50/50 base. We come together every six to eight weeks for each sector about 25 people from the private sector and during the meetings, there are also working groups, round tables, et cetera. If you are looking at the research, we are doing within the information change the private sector pays for the research and the government so we have also fundings from the European commission to do research and all kinds of projects. On the European level and also funding from our government to do research within the information exchange.
>> LIESYL FRANZ: If I may take the prerogative of the moderator that I think might be illustrative for everyone. Can you touch upon the greatest challenge that you faced as you were trying to develop your respective initiatives?
>> ALUN MICHAEL: The biggest problem is to stop industry waiting for government and government waiting for industry. Both want to see the other being serious about this. Industry wants to know that its engagement will be respected, and that means the that there won't be an approach to legislation and regulation. And there is a bit of a vicious circle. I think there is a need for a sense of urgency about this because just as in the international dimension there is a tendency to think about top down organizations and so on. And the answer in fact is a, call it a multistakeholder approach, call is a cooperative approach, it's proper governance, but it's not through an old style of legislation, which can never keep up with this sort of developments that we are seeing with the internet. So I think it's a question of getting people to take it really seriously. As I mentioned, I think it was not in this session, in an earlier session, nobody was really interested in the governance of banks, were they, a boring subject, until about two years ago when everything went pear shaped and every government and organizations are wanting to change the way that banks are governed and regulated. Now, I think the potential is there for a great deal to happen in the international and the national dimension in the internet unless we succeed in making the IGF process the process of multistakeholder approach work and that comes down to the sort of initiatives we are talking about here.
There will always, of course, the way in which the police and law enforcement agencies seek the engagement of industry on those big issues of national security and so on, but my point, I think, is that that doesn't define the things that ordinary citizens, the sense of well being, the sense of being secure in a place is under mined if you have things like graffiti and litter and things, there is an equivalent in the electronic age. So you need to have definition by citizens and users, not just by the big battalions.
>> LIESYL FRANZ: Thank you. Annmarie.
>> ALUN MICHAEL: I should have said one thing, and that is in actually trying to break through this, the nominant trust has been funding some of the work. That is a trust established by nominant is the domain registry so they have been trying to create the movement.
>> ANNEMARIE ZIELSTRA: Don't talk too long. See what's working and continue that. See what's not working and stop that. I think that's the most important thing, and start in small groups, people think about the bigger the better, but I think it's good to build trust in small groups, it's easier. Doesn't mind if there are two or three to start with, because if you are doing the good things people talk to each other and will join at the end. So that's my opinion.
>> In our case the issue that was to be resolved was the clear registrations that needed to be in place by the law enforcement and the ISP to cooperate effectively. In this respect the challenge was not the willingness of the parties to establish this clear rules, but the uncertainty on the side of the government representatives or the management related to the topic, why do we need the cyber is this such an urgent issue for Georgia. We just have a couple of cases on cyber crime which can be resolved under the existing legislation. These were the questions we needed to answer during the process. As for the process itself, most important challenge was that the ISB sector wanted to have more detailed regulations in the absence of the legislation in place in Georgia. That's as I already mentioned is something to be developed in the practice. And as representative of Netherlands has just pointed out, this is just a start. This is where we start to see how the practice will get developed, and what will happen in our long way big challenges also to address within the, within our country, thank you very much.
>> LIESYL FRANZ: Thank you very much to the three of you. I will move on now just to keep going with our flow. Okay. I will go ahead and take a question, part of my job, if you will excuse me is to make sure we get you on time. But I want to be sure to get the dialogue in, so, please, go ahead.
>> Forgive me, chairperson, because my question perhaps could have been raised in the second half. My name is I'm a member of parliament in the Netherlands and I'm a beginner in the world of cyber crime so my first question to you guys would be, what do you mean by cyber crime? Are we talking only about child pornography here, are we talking about bugs, are we talking attacks on the infrastructure? What is the definition you are using? I want to know this because I want to understand, like the Georgian representative, the urgency of tackling cyber crime. I'm now reading the outcomes of this interesting BBC survey conducted in 2010 that this awareness of safety on the internet, the sense of well being and secureness on the internet, it differs greatly per country. European countries feel extremely unsafe about the internet, much more apparently than the Americans or the Indians or the Canadians or the Egyptians. Why would that be? Are we in such a much more dangerous place than the others? I don't think so. So what's the scope and why the urgency?
>> LIESYL FRANZ: Well, I think we presented an absolutely perfect introduction for the next part of the panel, but I will encourage our first panelists to answer it as well as we go through the discussion, would that be all right? Okay. Great. Let me take the opportunity to introduce our speakers for the second half. First to my immediate right we have Marietje Schaake, to her right Thomas de Haan with the Ministry of Economic Affairs in the Netherlands and Roelof Meijer with SIDN. And we will conclude with Wout de Natris which is chair of the cyber crime working party, Jochem de Ruig CFO of RIPE NCC, and Laurent Masson with Microsoft who is the director for antipiracy and cyber crimes. So if you would recognize the question posed as you make your introductory remarks and we can continue the discussion and I know I missed one question over there but maybe we could defer. All right.
>> MARIETJE SCHAAKE: Thank you very much. I feel a lot of pressure as the first speaker in such a long row to leave enough time to get to the end so I will be brief. My maim is March eat gentleman Schaake. I'm a member of a liberal party from the Netherlands. I am also here to learn as my colleague from the green party in the Netherlands parliament said. I think cyber crime is a complex issue and so I would just like to raise a few questions that I have and some thoughts that the topic sparks with me. And I will focus on the need for international cooperation. Where we are looking at a worldwide web it only makes sense to look at European cooperation and when we look in Europe, we see that criminals sometimes work together more easily and more naturally than governments do. So I think there is a lot to be improved there. But the topic of today is also trust and how to build it, and I'm fascinated by this question, perhaps, because in the Netherlands we are dealing with a lack of trust in politicians, a lack of trust apparently also in the workings of an open internet. Apparently we are afraid so how do we regain this trust? What sort of leadership is needed because trust is indeed crucial in open societies.
Before we know how to build trust, I think we need to know what's the problem.
As you mentioned, and I think we have to have a realistic approach, not to create fear that's exaggerated but also not to be naive. When we talk about cyber crime, I think there are two things that sometimes are mixed up a little bit. Criminals use the internet to commit crime, child pornography exists in the off line world and exists in the on line world. The sales of counterfeit medicine is done through the internet but is it really cyber crime. Cyber crime is more the use of technologies to commit crimes that are specific in the ICT or digital context.
So besides knowing the definitions we work by, we need to know the skill we are talking about. There is a lack of knowledge still in mapping the problem, and, therefore, to create accurate solutions and not to make false promises, because I think as political leaders and government, you lose a lot of trust if you suggest that you have a solution, which you actually cannot manifest. So the question is not only in what definitions do we use in terms of the words that we use and the scope that we are looking at, but also in identifying what do we see as a crime. This morning I was involved with working on a report in the European Parliament that deals with the enforcement of intellectual property laws. It's a very interesting topic. It deals with both counterfeit goods, so fake jeans of brands, handbags, medicine, batteries, et cetera, but it also deals with the infringement of copyrights materials on the internet. Now, some people argue that in today's digital world it's no longer possible to enforce on line copyright laws when it comes to music. Others will argue that it's very attractive for people to use downloaded materials of non copyrighted songs and other files because there simply is not a cheap alternative offered. So then the question is do we think it's crime if a teenager downloads one illegal song, when does it become crime? How do we fight it? Do we look at it as a crime or lack of an attractive alternative. When I talk about lack of definitions I think we should look at that too. I know of an example in the United Kingdom where one year the legally permitability amount of soft drugs was changed, and the crime rates dropped significantly not necessarily because there was significantly less crimes committed but because behavior that was initially identified as criminal was no longer identified as criminal.
Now, we clearly have a lack of knowledge, but it's also identified that we do have tools to fight most of the cyber crime and the crime that happens on the internet with the current legal models that we have. So I think we should be careful not to create more bureaucracy or institutions and also be careful not to inflict collateral damage as we try to fight cyber crime because clearly we want to keep the internet an attractive and positive place for people to participate in democracy, to be educated, to enjoy entertainment, to communicate, to have access to information, and we have to be careful not to compromise fundamental freedoms and civil liberties. And this would also lead to a lack of trust and a compromises precisely those values we want to protect against cyber crime. So I think a great public private initiative should be an objective in depth study to get these facts out in the open in a trustworthy way, not just to have a security company do a research in terms of how much crime is committed because that would not be very credible, per se. Currently, I think there already is a lot of public private cooperation, which perhaps is mostly happening in a private matter, not necessarily transparent, and it's also not always clear which hat someone is wearing.
We see governments hiring expertise in the private sector. We also see corporations hiring former police agents, former lawyers, legal expertise from the government sector. We even see corporations hiring hackers to test their new products so there is a different sense of overlap and different hat wearing in different context.
So when we look at trust, I think it's very important to look at democratic oversight, accountability, transparency, also very important to include the citizens using the internet, to be vigilant, to be active, to monitor criminal behavior and possibly combat it. So citizens should be made aware of the knowledge that should come out of the objective studies and citizens should certainly not be alienated. So how to find a balance. I was fascinated by the previous speaker about the main leadership of the private sector in fighting cyber crime. I would like to learn how this relates to democratic oversight and who is finally responsible because I think that safety and security are still public responsibilities, and I believe that the government should take the leadership and also the final responsibility, of course, in collaboration, but I think the term self regulation of the industry is often abused to permit all kinds of measures that actually should not be out of democratic oversight.
We have seen this with internet service provider whose have been asked to independently enforce measures against behavior such as blogging and filtering of internet behavior and this could lead to extra judicial actions and blurring of the division of powers. So I think law enforcement and measures to fight cyber crime should be defined specifically in terms of responsibility. We should be sure that there is no self censorship happening, which is a risk that we see now, and that companies are not forced to cut off citizens or to filter or block, et cetera. We should really use the positive sides of the internet to offer alternatives. So to sum up, in building trust, I think we have to build a vigilant society, have objective knowledge, provide attractive alternatives to criminal behavior and make sure we have democratic oversight and in the worldwide web, the EU should have leading position on this community of values and when we look at the tackling of cyber crime and protecting of cyber security, let's not forget civil liberty.
>> LIESYL FRANZ: Thank you very much. So if you do have the other presentation?
>> THOMAS de HAAN: Thank you very much Liesyl by pulling me into the workshop this way literally. My name is Thomas de Haan from the Dutch Economic Affairs Ministry. I'm here with Roelof Meijer the CEO from SIDN, and we will jointly talk about, we will jointly talk about initiative which is rather new. It's one year old, which is called the internet safety platform. And I think this may be to do this setting, I think your question, which what's cyber crime, what's cyber security. I think it's a very complex world in which everybody has a different definition also. And even we have had workshops here in which not everybody agreed on the same definition. So it's not yet a closed case.
I can certainly only give my, let's say from the public policy point of view, kind of insight in what we think is, let's say, safety cyber crime security. And I think basically we make three distinctions. On one hand we have to network and information security, in which there is continuity, crisis management, integrity, exclusivity of networks, how they work is part of it. They should be secure. That's obvious. Another point is privacy, and think about the basic rights of users to have their privacy guaranteed and and then as CERT block I would say is the whole point of the safety on block, user safety on line.
And when we see all kinds of phenomenon or issues which are playing now, we can, for example, see that, for example, spam is something which is completely in the blue sector of privacy. It's very user centric. We protect users from spam. The other sides, to give other example, bot nets is something which we think is a threat in all three categories. Bot nets compromise security of networks basically.
But they also use consumers to do the work because consumers are affected and they are the source of crime,, for example, through malware which are in bot nets. So basically this brings me to the second point, to the real presentation, from a public policy point of view, we can tackle a lot of things very well. For example, Anna Marie gives the example of the information exchange. This is a very successful partnership which is let's say on the side of the cross point of network information security and internet safety.
But from the ministry point of view, not only economic affairs, but that is how justice and what we are missing is a kind of contact point with industry for a couple of issues which we thought are disbursed. They are not taken up any kind of coordinated way. And I think I will skip a couple of slides. Because basically what we want the to do from the ministry side is to have first of all, a kind of more structural dialogue with the market, especially with ISB's which in the Netherlands there are not completely organized. They don't have let's say a branch organisation. So we looked to make contact with at least the major ISB's to look, to deal with cyber crime issues, and then again we have many other players, for example, SIDN as one of the it's an internet organizations which also were interested in taking up a few things which basically were not taken up in a constructive way. We also approached Microsoft and basically what we started is a structure which we called internet safety in which we, let's say, not try to make regulation. One major point is that we want to use this platform as a way to be in a kind of prepolicy stage, in which if there are initiatives to combat certain phenomenon on the internet, we are talking about the right parties to look if there are possibilities of trying through self revelation code of conduct to tackle these problems. And then to get more concrete, I think in the platform we have now five areas in which we have working groups together. First of all, it's the privacy working group, we have a special group on child pornography. One very recent work group is dealing with bot nets. We have the notes to take down, and one general public relations working group. I think I will give the time, leave it to this, and give the mic to Roelof.
>> LIESYL FRANZ: Roelof, go ahead, please.
>> ROELOF MEIJER: I wonder if this is doable with the people around us with all of the ambient noise. How are you hanging out there? Yes? Okay. Is my presentation up. I'm going to improvise a bit because I have heard so many thing from the other speakers that I would like to react to that I'm not going to go in my nicely elaborated presentation, but I will just hit on a few slides, but this is definitely not the one I want to pick.
While this is going on, I'm just going to quote Alun, if you don't mind and I will add a bit to your favorite quote. You said laws rarely prevent what they forbid, which I think is true and maybe you will steel this one from me, and generally they have a lot of negative, unwanted, restrictive side effects. That's why talking about the platform for internet safety in the Netherlands, that's why a lot of the private parties in the end feel that it's worthwhile to put time and effort in this kind of a thing, and Alun, again, quoting him said involvement in the price you pay to prevent legislation.
And I think that's true, but it's a very negative approach. And from the perspective of ISDN being the guardian of the.NL name space, I prefer to approach it from the way that involvement is implied by good stewardship or good citizenship maybe. Still not there. Sorry. Okay. It's not working. Right. So
>> LIESYL FRANZ: What I might suggest is that as you know, we have to post workshop summaries to the IGF web site after the conference, so if the presenters will permit, we will include the slide presentations in our summary, and, therefore, you will have the reference points. And I'm sure there might be happy to be shared with you on an individual basis if you came up to them afterward as well. Okay?
>> ROELOF MEIJER: Yes. Okay. So I'm happy because it mean that's I am forced to improvised which I wanted to from the start.
>> LIESYL FRANZ: Just keep the time.
>> ROELOF MEIJER: I will try to answer one question which hasn't been asked yet and another one that was asked. What are the main objectives why private parties get involved in something like a platform, a public private collaboration to fight cyber crime? Well, the first one I have already answered, that's maybe a negative approach, prevent legislation. In our case, specifically, it was also creating some kind of an umbrella, a place where all things would come together in a neutral environment, and to use an IGF phrase on equal footing where private parties could discuss with the authorities on the same level. It was to change the fusion and confusion in all kinds of actions to increase internet safety in the Netherlands, to change the fusion and confusion to a more unified and consistent approach. It was to change actions in isolation to actions in collaboration, and it was and one of the previous speakers elaborated on that, it was to change suspicion into trust. And that's why it becomes very personal in a platform like that.
And I think all of them in their strategy have something about their image, and so, of course, it's also to improve the corporate image of the private enterprises. Going to a question that was asked are what are the challenges if you start such a thing? And I think the major one, and it's always the subject of discussions, is not being passive, so not waiting for a court order before you move against clearly illegal or criminal activities on the internet. But being consistent and without being careless. As soon as you move away and we noticed this as a registry, as soon as you move away from the position, we will only do something when a judge tells us to do something. You are on this kind of slippery slope, and it's very difficult to keep a clear line there and I think that's what Mrs. Hackman when she said democratic oversight it makes very difficult to make a personal call or a corporate call and I don't know who of you were in the opening ceremony because there we also heard from Mrs. from the Council of Europe talked about inappropriate content on the internet. And it's something completely different from illegal or unlawful, and it's very subject to values and cultures and is definitely not subject to laws.
And that's the second challenge is mission. As soon as you are dealing with things that are clearly criminal or unlawful, there is a force that will come and ask you to do something about unwanted or unpleasant things that on happen on the internet and to resist that is quite difficult. Also very important one is getting results and it's quite a challenge. There are a lot of skeptics as soon as you start something like this. It's the platform to fight something in our country, and very often these platforms are just talking groups and there are no clear results.
This group luckily is very focused and we are getting clear results and one of the things you have to do to make the chasm together as big as possible is keep the platform slim, light weight, not light weight in the sense you should have decision makers there, but it shouldn't be a very large group. And if you have a small group, there is a big group of which you risk it if you exclude it. So then your challenge becomes getting reserve to adopt the actions that you decide to take as a selection of companies that is on this platform.
Do I still have time?
>> LIESYL FRANZ: One more thought before we move on.
>> ROELOF MEIJER: One more thought, I'm happy you didn't have what the cyber security and cyber safety is because those are the difficult questions to answer. What cyber crime is for me that's an easy question. There is an easy answer. That's any criminal or unlawful activity on the internet, and on the internet, you should or could define as using a computer and a network. But when you have reached the phase of cyber safety or cyber security, I think that's a very difficult thing to define.
>> LIESYL FRANZ: Okay. I believe we are turning it over to you, Wout, for the last third of the group here.
>> WOUT de NATRIS: Thank you Liesyl one of my favorite phrases is cyber crime is international and we can't do anything, thanks for reminding me Alun. This is something we have encountered in the first three years on an almost daily basis when you work in international environment. What we are proving here today and last year at the IGF is that we actually start to be able to do something. And one of the initiatives that I would like to discuss here is the cyber crime working party which is working from the in Amsterdam which is clearly an example of a new way of approaching this cyber crime problem.
And to answer you, I think the cyber crime, I'm going to agree on this and add a little that, yes, cyber crime perpetration, cyber perpetrations and cyber crime and if you forget to look at the perpetrations, you usually already have the crime on your hands before you notice it. And so spam and malware enforcement are just as important as cyber crime enforcement because usually the crime stems from the spam and malware coming with spam. Having said that, the cyber crime working party which is industry, it's a public private corporation, and in the group are, for example, nebs of the right antiabuse community, there is law enforcement, we have cyber crime prosecutors on board, we have government on board, the E.U. affairs is involved and we are definitely looking for other governmental agencies like the
>> LIESYL FRANZ: Turn your mic on, yes.
>> WOUT de NATRIS: Yes, I think I have fixed it. We have this moment as looking in, as an interesting thought. So that means we are breaking down the government part of this, because at the IGF you can see we want industry to do a lot of things. We want government to do a lot of things, but actually who are industry, who are government? And within the cyber crime working party, we are trying to identify the individual different government parties, and together mentioned before, build trust and learn to listen to each other and identify the common concerns that we have. Because when we identify the common concerns between all of these different parties that come to the table, that means that you will probably start looking at common solutions. And that is something which I would like to bring to the IGF before I hand over to Microsoft and the right NCC. Is that the questions that we, I think, we have to raise in the IGF and other international environments is exactly who is industry. And why do I ask this question, because there are so many different articles that are under this term industry, that the chances are that maybe 75% is not aware the IGF exists and are not here.
Have you ever wondered who are not here? And I'm not going to give all of the examples. We can think of hosting companies you can sigh of carriers that make sure that everything goes through the ocean but we have local ISB's, local parties that you may not know of, but also the RAR's, the SIDN's of the world, what are their roles and in which way in the end can they contribute to lift this burden which is coming to the world.
So if we identify who they are, we learn to know from each other what we do, what we can actually, what is our core business goal, so learn from what our concerns are from there maybe we get a different, a very different discussion that we are having today. And that's, I think, something which I would, could be a challenge for the IGF in the coming two years to make sure that this discussion is going to take place, and it has to be at, I think, the start at an international level, and when you have some sort of result, you can trickle that down to the national level, that's what the CCWP is going to try to do. Cyber Crime Working Party is going to identify problems that come with solutions on the international level and through the individual networks that we have try to get the solutions down. What are we going to do? We are going to try and make standardized information request for industry, for government agencies to use towards industry. We are going to have trainings, and we are going to have people from the RIPE NCC or probably from Microsoft train law enforcement on specific topics so they know what sort of information industry has, learn to exchange information, and all of the implications that it has. It's going to raise some major questions over not so long a time from now. Okay, you change information between industry and the government sector without stress passing too much on privacy? How are you going to deal with it? How are we going to make sure that in an international environment, you get a response with the speed that's needed in the digital age? When you don't get a response on an IP address and who owns it in a year because then you can basically stop your investigation because nothing will come from it. Everything will be gone. It's questions like this and I have a couple of others in the background document I provided for the session, so I invite you to look at it. Coming back to the CCWP, Jochem is going to present on why the industry is participating in the project and on the possible topics that they have for law enforcement, and Laurent from Microsoft is going to give an example of two databases which are in place which governments have to learn to use and deliberately use the word learn because we are probably not doing it at this moment as government agencies. Thank you for your attention.
>> JOCHEM de RUIG: Good afternoon. I just have some slides, I just would like to ask how many people know what the RIPE NCC is and what regional internet registries are. I'm happy my chairman of the board knows it. That's good news. Okay. Let me just briefly, maybe a bit slow for a lot of people then, but let me just explain a bit what we are, and what we do. We actually exist since 1992 already in Amsterdam. So that's quite old, in internet years. We are a not for profit association under Dutch law. We are an independent organisation. So we are fully sponsored and by our contributors, our members, and at the moment members in over 75 countries. There is five regional internet registries so there is four other sister organizations like us in the different regions of the world, so it's geographical spread. Our region involves, includes Europe, former Soviet Union and the Middle East. What do we do? We actually register and administer internet number resources, and internet number resources are IP addresses, IPP4, IPP6 and AS numbers. One thing I want to specify. We do not make policies ourselves. So we have a public forum where anyone who has an interest in policy making for internet number resources can go and they can propose a policy, and it's called a RIPE meeting or there is mailing list where's people propose policies and they can suggest an idea on how to do the registration differently or actually the contribution of internet number resources.
So why are we engaging with law enforcement. Well, that didn't come by nature, I have to say. But we do feel we have a public responsibility as we represent 7,000 members in this area. So we do feel the necessity. We are also a coordination centre. So our members support us that we actually play a coordination role that we are here and actually discuss with you on the ways how to make the world a better place, I would say, but I think it may be a bit high for this, but at least to coordinate externally. We also, of course, want you to support the current system that exists and especially also law enforcement, that they understand the system, how it works, and that they can work with the system as it is.
A fourth item we do want is actually that you and law enforcement actually participate in the policy making. It's an open forum anyone can propose anything. It's mainly technical community, so they are very technically oriented, but actually we recently have seen law enforcement bring forth a policy proportional on IP version 6 to make sure the registration and administration is going well. The fifth which follows from that we do the registration and administration of internet number resources is we are a source of information and we have a lot of technical knowhow in house, and we also provide trainings. We have done several trainings for members, of course, but also for law enforcement.
We do have the first responsibility towards our members, so we act within a strict man date from the RIPE community, and we also do the tasks that are explicitly given to us. Just some myth, one thing I always have to explain we are not a domain name Registrar. We do 192.something, it's just a lot of people are familiar with the Domain Name System especially because of the intellectual property law. We don't have that situation, and we have quite a different world around us. There is another myth which is that the revocation of an IP address is actually turning off a switch on the internet and that an IP address is unusable. That's not the case. You can actually, we call that a deregistration. You can change the record in a database which changes something, but then all other parties that actually do business with that IP address have to do something. This may take time. This might take years. It all depends how on ISB or other party runs their business.
Another myth which actually I'm trying to convince also the technical community about, is that law enforcement is really developing a good understanding of the technical world and on what to do, and I think that's a very good development. Well, the main interest that actually law enforcement recently has emphasized to us is I think three things, data quality, actually revocation of internet number resources as far as possible, and to impact the policies.
Data quality, of course, is crucial. We have to keep good records so that everyone can actually find out who is at the other end. The closure revocation I just mentioned, it's a very difficult topic, but there are measures you can take. You can inform people that an address is not used correctly, et cetera. Impact on policies, recently, I think in the Aaron region the F.B.I. will bring a proposal forward to approve the registration of the IP version 6 addresses and that's a very good development. So we have a discussion about that.
So what do we see what we have achieved so far? We, I think, for the last three years we worked a little more closely with different law enforcement, mainly from the Netherlands and from the U.K. We have a lot better understanding of the work we are doing. I think they understand our position a lot better what we can and can't do, but we also understand the problems law enforcement has a lot better which is crucial to be able to actually help in a case. We are working on some internal procedure improvements like we get a lot of information requests, like who is using what IP address at what point in time, so we are helping people to train them, how they can find this themselves, get that information directly on line so they don't have to contact us.
Well, we do have some higher goals as well to inspire and inform public policy makers, that's why I'm happy I got the opportunity to speak here. And we want to create a bit more awareness about the we provide good governance on how we register and administer those addresses and how we deal with our membership and that we perform good due diligence when a member becomes a member that we do controls and checks to make sure it's a legitimate company at the other end. And as I mentioned before, we do we now have a lot more clarity on the main issues from law enforcement. So why the Cyber Crime Working Party? Well, we wanted to start a bit smaller and actually focus a bit on some specific task. We do support that it's an international party, and multistakeholder, so we have got the different parties at the table. We have achieved that. From our community, we do require transparency, so we do report back to your community and our members what we are developing and doing here. Information sharing, which follows from city down together, we want to impact the policies procedures as I mentioned before, and we want to support the existing system.
I want to mention one last thing before I wrap up. We want to focus on some specific projects and tasks, so we don't want to just having a discussion forum bring people in the room. We do want to have some tasks, look at them and come up with a solution or an answer or an analysis and bring that forward.
>> LIESYL FRANZ: And now Laurent if you could close us out, that would be great. Thank you.
>> JOCHEM de RUIG: Good afternoon. I will try to be as short as possible, but what I would like to do this afternoon and this session is just to talk about and give you, share with you a few examples of the cooperation that we have with law enforcement, but also with the different stakeholders which are engaged in this fight against cyber crime. I was sitting on another panel early this afternoon with the Council of Europe, and I explained that clearly partnership and cooperation are very key drivers for the action and the strategy of all company in the field of cyber crime.
We are and we have been in the past for many years partnering with NGO's, with international institutions such as Euro Poland, Interpol, and others, but we also try to partner and cooperate as much as we can with other companies, and with the local authorities and law enforcement in different countries. This is very important for us.
As I said, in the previous session, no matter how big the company and our company can be, without this cooperation, we can't, we just can't achieve anything in the field of cyber crime. When I look at the type of cooperation that we have, we are basically working in three directions. The first one is we are talking and we are working on the legislative framework in different countries, mainly cooperation with international institution like the Council of Europe. The second direction is around capacity building and training. Once again, we are cooperating with different institutions but also with local authorities to train different population law enforcement, prosecutors, judges, around these issues. And the third direction, which is the one which I will spend a few more minutes to, this afternoon with you is around the development of some tools to help law enforcement but also the other stakeholders to fight cyber crime.
Some of you may know some of these tools and I will give you some of the names we have developed DNA, for example, we have developed another tool which is called KEDS. These two cools are being used to fight child pornography by the authorities in different countries. If you are interested in having more information about some of these tools, please feel free to contact me. I will be more than happy to provide you with the information I have.
Another tool is the internet for which is also well known from the professional. Basically these tools have two goals, one is either to support law enforcement, or that's the second goal, to protect the user on the internet. What I would like to present to you this afternoon is basically two portals. You have got one which is on the right, which is called the LE law enforcement portal, which is a tool which has been developed a few years ago, which is currently used by law enforcement in different countries, which is a platform whereby law enforcement can exchange information and chair resources in between and from different countries.
So based on this first experience we have developed the second tool that you have on the left, which is going to be become live in a month from now in October, which is a tool which will allow different stakeholder not only law enforcement, to share information about legislation about cases, about different techniques that they are using to fight cyber crime. These two tools can be, you know, are available for free. And they have been developed on open standards to allow the different law enforcement NGO and different stakeholder to use them properly. So once again, if you are interested in getting access to this tool, please feel free to come back to me. Ill arrange that for you. A third tool I wanted to show you briefly today is this tool that we call COLFEE, it's computer on line forensic evidence extractor. It's a tool which allows law enforcement in different countries to capture and manage live computer evidence without any specific forensic expertise. This tool has been made available through internet or an NGO which is called NW3C. Once again, this is a tool which is available for free, and there has been developed on open standards to allow the law enforcement and different agencies to use it.
Once again, if this is something you would be interested in getting more information, please feel free to come back to me. These three tools are clearly a good example on how the private sector can bring its expertise and its knowledge to the public authorities, and also to the NGO's in the fight against cyber crime. So I just wanted to show you these three tools this afternoon. Thank you very much.
>> LIESYL FRANZ: Thank you all very much for your very thorough and succinct descriptions of the projects you are working on. We are right on time, and have about 15 minutes for questions and discussion, and what I'd like to try, if it works, if we could either for your questions if you could direct it to one of the speakers or if one of the speakers feels compelled to answer a question, we will try to get as many questions in as we can for those that might pose them in the room. Before we go to the room, Sophie, do we have any remote participant questions. Okay. Thank you. And now, let's open it up for a little bit of more discussion.
Yes, over here.
>> My name is Fionna Osanga I'm exclusive executive of association of Kenya which brings together the mobile and ISP content providers and service providers. There is a lot of discussion going on especially from the governmental presenters on what needs to be done, on what ISP's are not do and what they need to do and my question is to the government representatives on where does, where do you draw the line between the responsibility and the service providers and the responsibility of the government agencies because when it comes to a cyber crime there is a lot of gray area for who is responsible for what and that makes it very hard to chart a clear way forward on what needs to be done, what kind of policies do you need to develop and how would you tackle particular crimes when they do occur. And the terminology at the market, and the Supermarket is the owner. If I come into a supermarket with a gun and comes in and shoots my customers, the individual who does that has to be held liable for that, which means then there is a limit to how much responsibility I can have as a Supermarket owner. I can put cameras, all of the security features that need to be put in place, but I cannot restrict anyone from the general public from entering the supermarket. And I would also like to hear from Georgia a bit more. Maybe I will talk to you on a one to one, because I have a lot of questions on how you have developed the different programs you have talked about and the challenges that you experienced prior to that, thank you.
>> LIESYL FRANZ: Thank you. Who would like to tackle that one. Alun.
>> ALUN MICHAEL: I will just try one thing, I think looking for a dividing line in responsibility is probably the wrong approach. The starting point surely should define what the problem is, what's the mischief, what's the damage and then for the partners to say what's the best way of tackling it with the starting point being can we prevent the damage, can we remove the profit, because that's what is the motivation for the vast amount of crime. If you can do those things then you don't need to go to the bureaucratic or the legislative approach, and that's the argument I'm making is that if you can get the positive approach, enabling legislation is possible, but it's not where people normally start. Then you can avoid getting into some of the places that we have got to very badly in terms of the way that we deal with off line law enforcement, and we can do things much better in the on line environment, but there is some urgency because otherwise you will get into traditional ways of doing things. You say one other thing there as well. Terminology, somebody asked about, there is a great danger that we talk about cyber crime or eCrime as if it's a totally different universe. If somebody uses a foot path to burgle my house, if somebody comes to my city by motorway, we don't call that foot path or motorway crime. So we have to be careful with the definition of the what we deal with in an esoteric space which relates to the internet. It's actually different ways of people behaving and exploiting the possibilities that are open to them. The common sense approach is to together define what the problems are and, therefore, what the solutions are.
>> LIESYL FRANZ: Thomas, you wanted to add something?
>> THOMAS de HAAN: Well, very shortly, I think if you talk about the roles and responsibilities of ISP's, which I think was your question, of course, we have all legal option obligations. We have a telecom act. We have due diligence that means they have to take care of some, let's say safety in general. It's not prescribed exactly what, but there is a responsibility. And, of course, they have to cooperate in all of the let's sacral examinations, cooperate with this, and I think, and I concur with my U.K. colleague, that before introducing new legislation, if you encounter a problem, you first look at cooperation and try to in a precrime state or let's say in prepolicy state to try to get to solutions.
I would say also we tend to focus very much on ISP's, and I think we tend to think that ISP's are part of the chain. They are not the only partner which can do certain things. Of course, they provide access, but the consumers exactly on the same level as concern responsibility. We have also internet organizations, so it's a chain in which you have to get every partner to get them in with this responsibility involved. Thank you.
>> LIESYL FRANZ: You wanted to add something?
>> I just wanted to listening to your metaphor about the Supermarkets, I think it's important how we assess the internet. If we consider it a public space, then that should be free of any blocking, you know, free of maintaining that neutrality and who is responsible. It should be open to everybody. Then a Supermarket is perhaps not the most relevant metaphor because it's actually a private space. This is really interesting, how do we define the internet and which parameters are of such public interest that they should be guaranteed and where can law enforcement or fighting cyber crime infringe on this public space because on a public road or square there is also a balance. It's accessible for everyone, you cannot build a wall to protect your market booth or you can't misbehave according to existing laws, so I think what's been raised by many people is that some laws exist, and that can simply be applied on the internet, but we have to think conceptually about how we want to look at the internet.
>> LIESYL FRANZ: Do we have another question. Right, directly across.
>> Lithuanian city. For the member of parliament. If you are talking about the safety of the citizens in public places, so actually this is the duty of the government to take appropriate measures to insure that when we talk about the digital space, the government, the laws put some responsibilities for internet providers to monitor some content to cut some illegal sites, taken down procedures, put some filters and actually this is the means which are costly. So my question is if this is how do you think who should finance this? Because for some market place it is very, very big huge expenses, and I didn't mention the data retention, which, again, it's very big.
>> Can I start by saying I think the analogy is wrong. People do not behave in a physical public space simply because the government has passed a law. Laws reflect the expectations of society, not the other way around. The fact that people don't take goods off the shelf of a supermarket and walk out from it, yes, there is a law against it, yes, there is law enforcement, mostly it's because we obey the laws.
So, and there is a great deal of evidence that actually in creating a better and safer place in a city centre and I can give you lots of details on this, a proper analysis of what the problem is and a partnership approach which is not just leave it to the police to chase crooks, but analyze the problem and work together to solve is far more effective than a poor legislative policing approach. So your analogy with the off line world doesn't work. I think mine does, which is that the design of actives, the push, the expansion of our opportunities is something that is done by companies by businesses. It's part of their leadership role in that to help to make that a safer place by designing in the considerations of the citizen, but that can't be left. Government has a role because government has a role for the safety of the citizen, but you can't leave it to government and business because there has to be accountability and transparency. That's the same as in the off line world. It's the right set of principles in my view, but one of the things that we need to do is to develop a proper methodology, and that needs really good engagement between industry and government, parliamentarians and civil society in talking about the society, the on line society in which we wish to exist in the future.
>> I think indeed that the democratic oversight is very important. So, for example, when we look at the financial sector, not every detail is mapped out by government thankfully, but there are some regulations and there is oversight that is considered of such public interest and public importance that it has to be done by government at democratic, with democratic oversight. I think that that's crucial. And I don't think that the thinking about this has fully been developed. Within in the U, for example, we see a variety of models which are applied, also the responsibility of internet service providers differs a great deal in various European countries. This is a problem in and of itself.
Because at this point we cannot really speak of one European digital market. And instead of looking inward at the differences which is what we are good at, we should be aware that on a global scale, this means that there is less development and also less attractiveness for people to come to the EU with all kinds of companies and products and things like that. So we have to look at it in the bigger context with different stakeholders or people at the table. And since I don't know reliable figures on where the problems really are and the bigger picture, it's hard to say where the best solutions.
>> Taking you back to the off line world and its sole responsible of governments to insure safety of citizens in public places. Is it really true that once we have a government that we can sit back and ask them to arrange for our safety? I think every citizen and every private entity has the responsibility there as well. And I think that also applies for on line world. At least that's exactly the reason why my organisation gets involved in this kind of things because I don't think it's good, and I don't think it's fair to leave it to governments only.
>> LIESYL FRANZ: If there is one more burning question, I think we could entertain it. Yes, go back to you. Okay.
>> I would like to clear up a misunderstanding that is perhaps arising on my side because I think people are confusing public space and public responsibilities with the prerogative in public space where private companies and citizens have their own duties and responsibilities to keep it a nice place, and the very exclusive prerogative of the state to prosecute crime and to implement measures that take away freedom of citizens to express themselves or to register names or whatever. That for very good reason democratic states have given to the state and the state only. Private enterprises, even if they are in a better position to know how to implement it, do not have that power. So that is why the question where you draw the line is extremely important. We cannot just brush it away because it is not a practical question. But I'd like to get back to Roelof you have said that sometimes it's difficult to resist pressure from authorities when you are asked to play a role to distinguish between unlawful names or inappropriate names. And Jochem, you have said that you play a role in the what, do you call it, the eradication of IP addresses, revocation of IP addresses. Under what conditions do you do that?
>> JOCHEM de RUIG: Under what conditions do we do what, make a distinction?
>> Under what conditions does do you, did you entitled or do you erase names from your registry or from your what do you call it the RIPE NCC.
>> LIESYL FRANZ: The question to you Roelof is slightly differ.
>> Roelof you are from the domain register, you said it is difficult to resist pressure when authorities ask you to play a role in declaring certain domain names unlawful or inappropriate.
>> ROELOF MEIJER: Clarification, I wasn't talking about the domain names. I was talking from the context of where it is about content. And we have a code of conduct in the Netherlands which has been drawn but by the secretariat in public private cooperation with ministries, and the scope of that code of conduct has been defined as unlawful and or criminal content. And from the start there has been this tendency to try to include and sometimes it was just by accident, people wanted to write criminal or unlawful and they wrote unwanted. And think it's a synonym or something, but there has been a tendency to increase the scope for notice of take down to things that we all agree upon because there are always examples and the examples that you hear, you think, oh, yes, my God, how is it possible that it's not unlawful or criminal. But it should be, it should be taken away, it should be banned, it should be off line.
We draw the line there. It has to be obviously criminal or unlawful. And if it's not that, we don't touch it. Then somebody who can judge will have to judge first. Did I answer your question?
>> Can I just make the point that it's not just law that governs how people behave. It's values, conventions, its respect. There has to be an underpinning of law which says what can be done and what can't be done. The more that that's based on simple principles, and the more there is a cooperative approach to how you then carry it through, the better it is. That's why I made the point earlier that you can't just leave things to government and business. You can't just leave it to self regulation. Self regulation isn't the answer. Cooperative regulation where there is accountability is the necessary concept.
>> Michael you are very right. I'm very naive so I believe in the perfect society which means that values of society are translated into laws. So that bit is covered. I cannot apply my company values or my personal values in the judgment to either take down a domain and the content on the web site or not.
>> LIESYL FRANZ: Jochem do I want to take the opportunity to address the question to you.
>> JOCHEM de RUIG: Yes, as I mentioned we have an open policy forum where we actually make policies. So, for instance, if someone doesn't abide to those policies they actually use their addresses for different purposes or they have different network plans, most of these policies are technical policies, then we could say, well, revoke the addresses because you are not meeting your part of the deal why we gave you those addresses. Another technical or, well, non technical reason, we have a contract with these people. If they don't pay, we also close them down.
So those are reasons. I any what you also mean is have we ever closed someone because they performed criminal activities? No, we haven't. Because it's very difficult to prove that, and to build a court case around that, and that hasn't happened. I think if there would be a court case, and a judge in the Netherlands would rule that we would have to revoke those addresses, we would do that.
>> LIESYL FRANZ: Well, I think we have come to the witching hour. So first of all, I just want to say that I think it conversation could go on well through dinner, but we haven't arranged for that, but we have the convenience of the security openness and privacy main session tomorrow. This session feeds into that discussion, so some of the points that have been raised today will be discussed there, and I encourage you to join that discussion as well, because I'm sure it will include some of these points as well as those that encompass the openness and privacy elements as well. I would like you to ask me to join me in thanking first of all the organisation users of this workshop, for inviting me to moderate and inviting this distinguished panel of experts and speakers today so please join me in thanking them and also thank you for your participation this evening. Have a good night.
>> And thank you, Mrs. Chair.