The Benefits and Challenges of the “Free Flow” of Data

12 November 2015 - A Workshop on Other in João Pessoa, Brazil

Also available in:
Full Session Transcript


>> MODERATOR: I guess we can get started.  We are one panelist short, but hopefully Vint Cerf will join us shortly. 

Thank you.  We have one for coming here today.  Thanks to the IGF for having an opportunity to come and talk on these issues, and thanks to the MAG for selecting this workshop.  We think it is a pretty important topic.

So the topic of the panel today is The Benefits and Challenge

of the "Free Flow" of Data.

Now, "free flow" is a bit of a term of art, but at its core we think the term describes one of the de-engineering foundations and Internet; namely, the principle, the data, and information should flow around a network dynamically unrestricted to maximize for efficiency.

As an engineering principle, this has provided businesses and consumers to access with the best available technology, to information, to online services wherever those resources will be located around the world.  Ultimately, that is one of the greatest innovations of the Internet is that for many intents and purposes, data is agnostic to location, but, as we all know, that principle also presents significant challenges, especially for governments that are organized within a framework in which geography ultimately determines jurisdiction, and it makes a variety of core government functions more challenging.  It complicates law enforcement access to evidence, to domestic privacy protections and to the restriction of certain types of regulated content such as hate speech and child pornography.

So in response to this broad array of challenges governments have been putting up walls of restrictions on the Internet and free flow of data. 

Some of these restrictions have been put in place for legitimize purposes, network security, fair commerce.  Others are less defensible and are intended to unfairly support preferred commercial interests to quelled domestic political dissent and sometimes governments pursue these actions which are -- which may be well meaning, but can have serious unintended consequences for the Internet for other parts of the network than those areas that the regulations were initially intended.

So to help us understand these complex issues, this suite of intersecting jurisdictional data flow engineering questions, we have a distinguished panel.

So I'll first introduce myself.  I'll be moderating.  My

name is Jonah Hill.  I work with the National Telecommunications

Administration, US Department of Commerce, and my colleague and

co-sponsor, Carolina Rosini, will introduce our panelists.  We're

missing one, but we've got three others who are some of the

leading experts on these issues, and we'll start a moderated


There will be an opportunity for everyone to ask questions towards the end.  We're going to save some time for that, as well.

So, Carolina. 

>> CAROLINA:  Thank you, Jonah, and good morning everybody.

I want to reinforce and thank you, all the panelists, and to our repertoire, and to our remote moderator, and to Frank, one of our organizers here at the room today.

Going back to the panelists in this order, I have at my

right side Sunil Abraham.  Sunil Abraham is the Executive

Director of Bangladesh Center for Internet and Society.  He

founded Mahiti in 1998, in creating a company in high impact

technologies and solutions.  At the end of the day, he is

one of the great experts there at Internet privacy and more.

Mahir Shaki -- did I say that totally wrong -- she is a Dutch politician, a member of the Democrat 66, and has been a member of the European Parliament with the Alliance of Liberals and Democrats Europe party since 2009.  She grew up in Linden and went to high school in a lot of amazing universities here.  I have her bio, very completive if you want to learn later.  It started with fundamental preschool.

Hi.  Please come sit down and us here.

Joining us now, no need for much introduction, but served one of the founders of Internet, and she is the chief Internet evangelist go for Google.

We also have with us Larry Strictny, the head of the NHIA agency in the US coordinating a lot of teleco and Internet Governance discussions for the US.

So no further introductions, because we are running out of


The panel is going to work in three sections.  We're going to first pose general questions for our provocateurs and some specific questions, and in the third section we're going to open for participation and discussion.  You guys can, whoever wants to make intervention, please just make a line by that wall so you have access to the microphone.

So, I think first question we have here is as with all the public questions governments must weigh tradeoffs between competing priorities and objectives.  In the case of the Internet and global trade, social development on the one hand and right and security on the other.  In recent years the scale seems to be tipping toward civil right and what is going on the what are some steps that we as global community can take to tip the scales in the other direction? 

So each panelist is going to have three to four minutes to speak, and we're going to be controlling the time.

Sunil, please, we're going to go in this order. 

>> SUNIL ABRAHAM:  So I'll start off by answering the second question, which is what is going on.  And the answer to that question is that the blocking of free flow of information on the Internet, or what is referred to as the fragmentation of the Internet, or what some other people call the balkanization of the Internet is the symptom, not the disease.  The disease is the unsolved jurisdiction problem.

The problem of jurisdiction on the Internet was identified by scholars in the early 90's, but since then even though we had had many forums such as the IGF for learning and discussion there has been very little progress on solving this problem for most of the countries that are online.  There is one small exception to this and that is the Internet and jurisdiction project and by the amazing work by both Patron and Paul, we have some progress.  But unfortunately nation states and corporations remain skeptical of this project and are not supporting this project like they should with commitments and checks in both senses and, therefore, they are not making as much progress as they should be making.

In other words, as long as the problem of jurisdiction remains, the balkanization of the Internet will continue.  There is no way of stopping it.

A few countries similar minded countries have managed to solve this problem.  That is because they have managed to harmonize both substantive and (Indiscernible) law across their borders and therefore they become one larger jurisdiction and can hold other actors to account.  And also enforce rule of law and protect the rights of their citizens.

The second comment I would like to make is on this sentence which is the tradeoff between human rights, openness, economic growth, social development on the one hand and Sovereignty and security on the other hand.  I don't think that is an accurate description of the tradeoff.  There are many tradeoffs within those categories.  I will give you just one example.

Within human rights itself many different human rights are in conflict with one another.  The right to privacy conflicts with the right to transparency, for example, or the right to information, but there are optimization solutions today as Edward Snowden says, transparency should be directly proportionate to power, and I have provided a commodity ask that is privacy should be inversely proportionate to power.  So the ways in which these conflicting rights can be balanced or optimized and these are the places where we should invest our energies.

Thank you. 

>> MODERATOR: Thank you, Sunil.

Jonah, back to you. 

>> JONAH:  Maybe we can give the other panelists an opportunity to make some opening remarks on that question.

Generally, do you find that the question is really one of jurisdiction

or are there other fundamental questions at play? 

We can go with Meritcha.

>> Thank you.  Thank you very much for organizing this important discussion.

I think one of the risks is that we think in terms of tradeoffs and sort of zero sum relations too much.  I would push back against that.

But we do see that the, what I think most interesting promise of the open Internet to Foster, perhaps, more horizontal relations between people and to allow citizens, Internet users that live in countries with authoritarian or repressive governments to enjoy the universal human rights such as freedom of expression and access to information with the help of the open Internet.

On the other side of that promise, we see, unfortunately, that a lot of states are seeking to enhance their own grip and power through the use of new technologies and also the enter met, and I think that the whole question of what is legitimate regulation and what is not is kind of at this intersection, but we have to distinguish between motives and responsibilities that governments have to look at whether they are legitimate or not.

And I want to note here, too, that not only authoritarian or repressive governments have a tendency to use security arguments to restrict freedoms, but unfortunately also open societies, and I think that that is a grave mistake.  The con flaw case of national secure tight and network security are using network security as a reason to legitimize control over Internet and infrastructure is a big problem and sometimes actually undermines both national secure tight and network security.

Briefly, just to verify, because the debate on regulating data flows is perhaps too broad and prance this is deliberate but it is important to distinguish there could be reasons, such as the protection of the fundamental rights which is a different reasoning than protection reasons just to protect economic actors, or as I mentioned broad and security measures.

In Europe we see a tendency to have the universal declaration of human rights, fundamental lights being leading and accepting some com appear mice in economic efficiency towards more respect for rights.  And I'll just end there so that we have enough room for discussion, but it would be wrong to frame every regulation as either a protectionist measure or as a balkanization of the web.  There are legitimate reasons and I would say protection of people's fundamental rights also online is a reason to regulate. 

>> MODERATOR: Thank you for using one minute, not less of your time.

Strictny, please. 

>> Wow.  We have a serious time keeper here.

I've made my time limits every time so far this week, so we'll see how we do.

I would like to unpack the question a little bit to provide a little broader framing because I think when we talk about free flow of information, I think there are two components of it we need to keep in mind.

I think at its most basic I think what the vision is, what the shared

norm is that any device connected to the Internet ought to be able to share information with any other device on the Internet.  And it needs to be able to do it consistently and I think in that point I would emphasize it should be without regard to geography so that if I can communicate with an end point when I'm in my office in Washington DC I ought to be able to do it when I'm in Brazil and so on.

I think the other aspect of this that ought to be evaluated then is the economic efficiency.  So sometimes when we talk -- because we want the network to be allowed toy solve and operate as efficiently as possible because that is what leads to a lot of the growth and innovation, what we want to continue to see on the Internet.  But I think as one evaluates the different measures that might be taken with respect to interfering with free flow I think you need the look at both of those because it's not clear automatically that a measure taken that might impede economic efficiency necessarily interferes with the first provision about being able to always reach another source at any time at any place.  And I think when one is analyzing responses by whoever in terms of things that change the Internet, we ought to look at both of those and evaluate them under both lenses.

The other point I would make, it is not just governments that can interfere with this.  I guess we're going to focus on that here in this session but people ought to keep in mind that businesses make decisions all the time that can have some of these impacts and other players in the Internet space can do that, as well.  So people just need to understand that governments are the ones that I think we're going to focus on today, but it is by no means just limited to governments.

I think when we do talk about the measure governments take, I can't really speak to whether or not the trend line is continuing to increase.  There certainly was a bump in the last two years.  I'm not sure whether that increase and interest in governments taking action in this space is continuing to grow or is somewhat leveled out.  I'll leave that to the experts who are monitoring the field more closely than I am to make that judgment.  But I think one of the things that certainly emerged in the discussion over the last couple of years is the fact that, for the most part, when the motives to inject some of these measures have good motives, the idea of protecting one's citizens or in terms of protecting their privacy that, I think, increasing governments are finding that these measures aren't really going to be particularly effective.  That doesn't necessarily speak to the countries that want to use these measures as a way to impede access to content or be able to control what their citizens are seeing, but certainly if we're talking about is data more secure when it is kept in servers of one Country pursuant to data localization, I think increasingly people are coming to the realization that that is just not the case so some of the premises for engaging and applying some of these measures, I think as being undercut as people get more experience with them.

I look forward to talking more about the jurisdiction point.  I think it is a very, very important one that has been raised, but I'll save that for later. 

>> VINT CERF:  It is Vint Cerf.  Larry has already made a couple points I wanted to make.  Localization does not confer security.  Just putting things in a particular place doesn't guarantee that there are anymore security.  The Internet is a wide open environment.  A tax can come from anywhere and that is of course why there is a great deal of Don certain about securing the network.

The second point that I want to make is the Internet was designed in a non-national way.  It was deliberate.  We were talking about networks and interconnecting networks and we didn't care where they were, where their parts were, some networks could be spanning the globe, some networks might be local.  It was irrelevant in the architecture and in the protocols.

We thought that a society would arise out of the connectivity of the Internet and I think we've seen that.  People discover each other based on their common interests, discovering a common website, discovering being on the same mailing list, and the value of discovery of common interests across the globe I think has been a powerful element of the Internet's utility.

Another point about open data flow is that the utility of that open flow is very central to cloud computing.  At Google we have data centers that are scattered around the world and we take advantage of the fact that they can move data from one center to another to replicate the data to ensure that it isn't lost even if the whole data centered is disabled for some reason and the importance of being able to assume that we can move the data freely and from one place to another to assure this kind of replication is very important.

When Larry mentions anything can be connected or can talk to anything else, this is the fundamental design principle in the Internet, but I feel compelled to say that just because it's possible for something to talk to something else doesn't mean that you should force everything to accept any communication that arrives.  So we have to consider the edges of the net can resist the connectivity ask say I don't want to talk to you.  That's just as important as making it sure that it's possible to communicate but you're not forced to do so.

I'll stop there so save some time.

>> Thank you very much everyone.  I guess I'll follow up with a question on potential solutions, because I think we're talking a lot about the motivations behind some of these policies, which include desire for increased privacy for ease of access, for law enforcement, for fostering a domestic indigenous ICT industry.  There is a variety of motivation, some of which are intended to pursue, you know, what we might say are legitimate ends.  Others less so.  But when we think about the motivations it's also important to think about how we might be able to actually design solutions to the problems under that are really the foundation of those motivations.

So I might turn first to Vint and have him maybe talk a little bit some of the engineering rather than policy solutions that have been proposed for some of these fundamental problems.  Some things like privacy there are security protocols that can be used to develop a more robust privacy regime.  There is things like DNSSEC, BPGSEC.  A variety of other technologies that are being propose that he had diminish the potential needs for these kind of restrictions, policies, or at least the perception that there is a need for it. 

>> VINT CERF:  You've basically already given half of what I would


>> That is what happens when you arrive late. 

>> VINT CERF:  First of all, cryptography has turned out to be a very important part of revision of privacy, so Google and others are encrypt go traffic as it is in transit.  We do so using the HDTPS protocols of the worldwide web for example.  We also do that when we're moving data from one data center to another.  It is encrypted for transport.

We encrypt the data once it lands at the data center so that even if the data center is penetrated it will make it harder for party who is penetrating it to make anything useful out of the data.  This is all in aid of protecting the privacy and confidentiality of the content of the system that we are operating.

The DNSSEC is the main name system security extensions is intended to make it less likely that someone could alter the domain name system to cause a party to go to the wrong machine thinking that they're going to their bank and they ended up on a website that has screen scaped the appearance of the bank and invites to you put in your user name and password and at that point it is captured and the bad guy uses that to empty your can.

We've also concluded that user names and passwords are inadequate tools for protecting users from penetration of their accounts and, so, we've introduced two factor authentication.  Without going into details it involves having something in addition to knowing something.  We're big fans of this.  We recommend it to everyone.  We make it available to the general public if they wish to use that mechanism.

So those are a few of the tools that the engineering teams in the Internet engineering task force and at Google in particular have implemented.  There's still much more to be done to increase the security of the system, routing protocols need to be further secured to keep someone from essentially polluting the routing database and causing traffic to go where it is not supposed to.  Those things are underway, as well.  So there is a deep awareness in the standards making community and in the private sector operators that increase security is in everyone's interest. 

>> MODERATOR: So, you know, those issues, I think, get to some of the security concerns and the motivations for restricting data flows security purposes.  But there is a variety of other motivations for data localization, for restricted routing, some of which are for content reasons, for law enforcement access.

So I'm wondering, maybe others can speak to some other potential solutions for how to get around some of those other tricky issues that may not be a privacy or secure tight matter but also is a real, you know, gets at the core of sort of the jurisdictional ambiguity on the Internet.

So I don't they if anyone would like to chime in on that.  Maybe Sunil.  I know in India there has been certain types of inflammatory content so maybe talk about some of the things you've seen in India being helpful, potentially unhelpful and some of the things that you've been advocating yourself. 

>> SUNIL:  On the question of speech regulation, the methods that somehow the US the best in free speech and countries like India are much more (Indiscernible) when it comes to the regulation of speech, this is due to a definitional problem.  It depends what you would consider free speech.

For many of us in Civil Society in India, access to knowledge is a key part of free speech.  So when you talk of theft of intellectual property or enforcement of intellectual property laws, often maximalistic intellectual property laws in other jurisdictions, then we see that as equally draconian censorship or regulation of speech.

When the average Indian wakes up in the morning, they're not so much worried about consuming political speech.  They would like to consume knowledge, culture, entertainment and so on.  So most of the jurisdictions on the planet today are equally draconian, it is just the type of speech that they're interested in regulating.  And the US, in particular, through its leadership of non-multi stakeholder secretive purely lateral trade agreements is intent on exporting its maximalistic dream to other countries.

The complication or the nexus between speech and public order is different in different jurisdictions.  When the very first movie was screened, I don't know exactly where it what screened, but when it was screened there was this image of a train rushing towards the screen and people were in panic and left the movie theater, so therefore, the nexus between speech and disruption of public order is much more dramatic or much more intense when it is in a place where internet penetration is still very (Indiscernible) or small, and therefore, it is important for our countries to regulate speech in a much more effective fashion.

The Indian executive and bureaucracy has had a mixed record when it comes to the right of protecting free speech.  On several occasions they have disappointed us with their executive orders and their interference with different types of speech on the Internet.  However, the Indian Jew dish Julie has a much bigger record.  In this year 66A in our information technology act was struck down as un constitution by the Indian Supreme Court and today the very same court is hearing two petitions, one that hopes to decriminalize definition and the other that hopes to restrain restrictions on speech that are name in the name of hate speech.

So it is a mixed record.  Things are developing.  Civil Society continues to partition all wings of government for greater protection of rights, and hopefully we will make progress.

Thank you. 

>> MODERATOR:  Thank you so much for that.  Since we are in the half an hour mark, we would like to actually open the discussion with the audience.

If you want to send me questions to Twitter, since we are in IGF and we are -- and we are trying to have a lot of participation, please send at IGF2015dataflow.  Please, if anybody from the audience would like to come to the microphone and pose their first question, the microphone is open. 

>> VINT CERF:  While we are waiting for someone to come to the microphone, I can't stand the silence, I want to make an indication on the way the Internet tends to work.

What other people say, what other people show doesn't just come flying at you in your face.  There is a lot of volition involved in getting access to Internet content.

Someone has to go and search for something.  Someone has to go from

one web page to another.

Someone has to follow hyperlinks to get from one place to the other.  So there is volition involved.  And the reason I bring this up is that if, for example, in some Country it is thought inappropriate for a party to get access to certain kinds of information, it should be recognized that the party had to take an action to get it as opposed to sitting back and, you know, in a passive way and be suddenly confronted with something.

So if there are jurisdictional issues, they might be located in the place where the volition took place as opposed to the place where the content was produced.  And I don't know whether that helps at all, but it seems to me important to recognize that this doesn't just happen in a passive way.  People, this is an active, interactive medium. 

>> MODERATOR: I know you said you wanted to chime in real quickly, too. 

>> Just briefly, because I think what we're seeing is a situation where on the one hand governments are losing a grip to control of information and people and to a large extent that is welcome'd if the open Internet indeed enables people's fundamental rights.

On the other hand we see companies of all sorts have responsibilities and play a much larger role in assessing what information is legal, what information is appropriate in a de facto matter.  So regardless of the law of the land in which people access that information.

I think that this role shift should be taken into consideration.  I agree with Mr. Strict Lynn who said we focus a lot on the role of governments but we must also look at the role that companies play.

In that sense, even though encryption by default and into encryption initiatives by companies are much welcome'd I don't think we can depend on it.  We cannot depend on whether a company sees its in its business interest to do something that also advances people's universal human rights.  And at the same time we've seen that the governments, then, have in the national security interest often saw to weaken encryption which has probably hurt both national secure tight e and network security and the people using it.  So it's like a lose, lose, lose situation.

But in this mutually dependent situation, I would just like to stress that I think depending on either technological solutions like encryption or the intentions or alignment of business models and the public interest of companies is not enough.

I would like to go back to also a legal and principled base discussion and this is where the question of enforceability and implementation is key and it is not easy, but I do foresee that there will be more multistakeholder norm setting or beginnings to be made to define where the mutual dependence lies and where the common interest lies.

In that sense I would like to point out to idea, for example, that could benefit all that have an interest in both security of the networks and the openness of the networks which is to declare the core protocols of the Internet as a neutral zone where no companies or governments would interfere in their self-interest because the collateral damage for all and for the network I self would simply be too large.  Just a thought out there to focus on the mutual dependence and to make sure that we have principles and enforceable and mechanism to safeguard the openness and the security of the network. 

>> MODERATOR: Anyone else want to respond? 

I guess we can take the first question.  Can you introduce yourself, please. 

>> AUDIENCE:  Good morning.  I'm Daniel to Brazil administer justice.

Brazil is currently considering a regulation which in includes some regulation on international data flows.  And we understand that lately several considerations regarding transborder that flows are being done basically on the means on the approach of technical issues, commercial issues, but what I would like to ask the table, the panel, is that (Inaudible) some considerations regarding human rights and rights of owners being considered.  It is very important.  There is very concrete and pragmatic question because basically on the last rulings by cure pee an court of just Dick it seemed to me that the European court of justice "S" position itself as a court which would defend human rights in the Information Society and the Safe Harbor, the ruling regarding Safe Harbor in validity you can take out the fact that not the world (Indiscernible) but the treaty that Safe Harbor principles were not considered and quite when considering the European protection framework and it is not a new argument, this one.  Since the year 2000, several people the DPAs and several governments in European union considered Safe Harbor principles are weak and principles that would not be aligned for the framework of that protection regulation European union.  So when the trial came o the judgment came, the court of justice came for several people in Europe and all over the world the result was viewed as a natural consequence of principles that were not perfectly drafted.

My question is:  In which span by technical by did commercial level, the worry about data owners right will be taken in account into new treaties and new instruments ask the new techniques of international data borders flow. 

>> Just a logistical information, Twitter is actually not working, so if you guys want to make questions, do come to the microphone.  Thank you. 

>> AUDIENCE:  I thought I would shift the microphone which more friendly to people that would like to come up.  I am Parminder, from India.

My question is of what floors on the Internet we need, and I take the inspiration from the last speaker who says we need to develop new norms.  Step back and think from the public interest what exactly are we dealing with.

There are different kinds of things which flow on the net in terms of the social description of them.  I think data as an issue of personal privacy protection and also as an economic resource is different from information/knowledge which has a common string to it historically.  That information is right.  Right information is law in many countries in various forms and right to access to knowledge is also a kind of a human right.

And third is content as intellectual property content.  There are three different kind of things.  So what looks good like free flow of information, which obviously looks good as a human right is not the same thing as free flow of data, because data is largely an economic resource.

Wouldn't you probably start thinking of data information knowledge and content, IP protected content and some different kind of things.  I know there is an overlap because information is as data on Google servers, there is an overlap but there is a separation, and the separation when you face complexity then you probably start differentiating and that could be a way to approach the subject.

Thank you. 

>> AUDIENCE:  Good morning.  I am Baton, the director of the Internet and director project that (Indiscernible) kindly mentioned.

Just wanted to contribute to continue what he said regarding the fact that as long as the jurisdictional issue is not being addressed, the fragmentation or dangers of fragmentation will persist.

We're in this situation where there is a distinction, basically, between the situations where they can be harmonization on substance, and the situations where there is no harmonization on substance.

On cybercrime convention, for instance, or even legal assistance treaties, they can be improved because there is a goal to have dual incrimination; something that is illegal in one country is illegal in the other one.

On all the speech issues that we are talking about, this is not going to be possible and it probably shouldn't be possible because there is no convergence, so we are limited to the situation where we have to do with what can be called procedural harmonization which are some of the things that we are doing.

The point I want to highlight is that because there is insufficiently speedy process in that regard, every single un coordinated action by the different governments and also private actors and others is creating a sort of jurisdictional arm's race, for those that are familiar with game theory, very typical situation.  Everybody is making a decision that looks perfectly coherent in the short term for their own interest, but the cumulative effect of all those decisions is making the problem harder to solve and that is one of the key intentions.

Finally, to Marjo's comment on the protocols and the public core, the

Internet I think is one of the things flowing in the Netherlands.  In the Internet project there is one enormous source that has emerged on domain seizures, for instance, which is the DNS layer is a neutral layer that is essential for the global interoperability of the network and any action at that level as a global impact, it is not something where we can filter partially.  It is on/off switch.  Therefore, any requests for domain seizures or action at the domain name level should be justified by a harm that is actually at the global level, either the infrastructure itself, fishing, malware, nets and other abuses, all when the entirety of the activity of the site under the domain is dedicated to something that is globally sufficiently accepted as in acceptable.

So I just wanted to contribute that and make a bit of advertisement for the workshop we have tomorrow at 11:00 on those topics. 

>> MODERATOR: Did anyone want to respond to any of the three questions and comments from the audience? 

>> I'll pick up on and extend some of the implications of Bertrand's remarks.

So as we get into these questions of respecting the laws of other jurisdictions and the conflicting that we run into, again, I do think there is two sets of issues we have to talk about in that regard.  One is when it is clear that you say a company in Country X is dealing with the private information, the personal information of a citizen of a Country why, today we have issues in terms of how do we actually operationalize those protections.  And I do think that is worthy of a lot of discussion and I think there are solutions that could be found for that, but I think it starts with being able to identify whose law applies in that situation.  But I think there is already a strong trend toward recognizing that it's the law that jurisdiction, the person whose information it is that probably ought to prevail.

Then the question is how do you provide a mechanism by which the company in Country X, even if it wants to store the information in Country X afford's the rights of the regulations of Country Y.  To me that may be a coding problem.  It is not clear to me that that is a fundamentally impossible problem to solve.

The much more difficult problem is when Country Y in determining the protections that are -- should be extended to its citizen attempts to basically inject its law into the laws of Country X and say, well, Country X if your Country you have to recognize, you know, in some -- most recently the French case with the right to be forgotten.  Those are much more difficult, and I don't know that we have a process today to figure out how to resolve that type of issue, but there you really have it.  It is beyond just protecting that information of that citizen.  It has now come to projecting the laws of one country into the legal system and rights and responsibilities and that Country much more difficult issue, and I don't see a quick solution to that type of situation.  But I think we have to keep the two of them separate because it may well be possible to solve the first one if we can get the bright minds to figure out how to do that and for the second one it's something we need to keep talking about. 

>> Vint:  He is the lawyer and I'm the engineer so I'm sitting here thinking, okay, you must think that it's a trivial matter to encode the access controls and laws and restrictions of a 193 countries into the data that we store at Google, for example.

I think is harder than you made it sound.  But I have a question. 

>> That is the problem. 

>> VINT CERF:  I know.  We can do anything.

There is some element of truth to the fact that you can do anything if you can figure out the programme to do it.  I wanted to ask the question about the problem of the uniqueness we find where information flows around the met and there are concerns about where it is and who has access to it.

We have other global communication systems that have been with us for a while, the telegraph since 1845, the telephone since 1876, the postal services probably even longer than that.

That involved movement of information around the world.

So the question I have is whether any of those global communication systems posed similar problems and did we have any solutions for them.  It may be that there are no good answers, but I thought it would be worth asking. 

>> MODERATOR: Great.  Did you have another question?  Did anyone else? 

Oh, real quickly.  I'm sorry. 

>> Thank you.  Sorry, but a lot of questions have been asked.

I just wanted to clarify that there is a clear distinction between how personal data and non-personal data should be treated and I think that is important and it is another distinction that is often lost in the public debate where, you know, open data, anonymous data, non personal data generated as a byproduct by machines and sensors should all be processed, transferred, aggregated in the most open way.  But there are some reVic shuns for personal data and I just want to point out that there is already jurisdiction that regulates this, for example, the GATS treaty allows companies to make an exception in the flows of data for the sake of protecting people's privacy.  So a lot is new, but a lot is also not new.  That is what I wanted to point out.  There are already agreements and jurisdictions and treaties and other legal frameworks that can be built on to ensure that data can flow but people's rights are protected.

And I wanted to point out that this notion of extra territoriality is already happening de facto on a daily basis and at the same time companies are already adhering to laws of the land a daily basis.  So just an example.

When people sign up for any popular social media that probably, you know, numbers of us are using, they agree to the terms of service and to some extent place themselves in the jurisdiction of, for example, the United States if this is an American based social media company.  And we've seen this concretely with the Dutch citizen who had his direct messages, so private messages on Twitter subpoenaed as part of the investigation by the American Department of Justice and there was nothing that the Dutch government could do to stop that seizing of data.  So the de facto American law reached into the rights of this Dutch citizen.

Vice versa, when a company like Google or social media company wants to operate in a Country like Turkey where the constitution for bids the insulting of the creator of the Turkish state auditor they have to adhere to it otherwise there is simply no establishing of the company in Turkey.  So the weighing of these principles and interests by companies, by governments is all happening on a daily basis.

So I just think we should not have a discussion as if we still have a blank piece of paper on which we can start drafting the laws that would ideally regulate all of this.  We have to do with an evolving climate of jurisdictions agreements and deliberations that both companies and states make and that have real consequences for internet users and sometimes also for the open Internet itself. 

>> VINT CERF:  I wanted to make one other vocabulary point.

I hear the word company being used a lot.  And I assume it is sort of a substitute for private sector entity.

But I did want to mention that there are more entities in the Internet than just private sector companies.  There are all kinds of other entities, government entities, universities, not for profit, NGOs.  So I hope that our discussion isn't so narrowly focused that we leave out the fact that there are all these other entities who participate in the Internet who generate and consume information, for example. 

>> We have Just ten minutes, so anyway if you can just talk in one

minute.  So we can back to the audience for questions. 

>> I had several things to say.  But one minute.  Just to build on what berth tram was saying.   Even when there is overlap of substantive law, and I wasn't advocating for total harmonization of substantive law.  I've said before that this lack of harmonization is both a bug and a solution.

The existing mechanisms completely broken the AMLAD prospects.  These two years there is hardly anybody convicted in AMLAD.  India has the problem but the US does not have the problem and problem is getting worse.

Because countries that receive MLAD requests don't process them with adequate speed.  All sorts of lies are being produced into MLAD requests.   Even if the US wasn't planning a an attack on soils, he knows that the US government will take that request more seriously if that lie is published in the MLAD request. 

>> MODERATOR:  Introduce yourself. 

>> AUDIENCE:  My name is Bridget Kootz.  I work for public

(Indiscernible).  My question is about trade agreements.  What is the role of trade agreements in this debate because the 21st century treaty agreements include provision on cross-border data transfers, direct trade obligation on cross-border data transfers, like the TPP takes which was released last week in eCommerce chapter.  So all these pry are it tees, for countries like the protection of personal information privacy or other issues, they become a trade exception.  They have to satisfy the exception language in those treaty agreements.

So I'm quite curious to hear about the treaty agreements, because

there are rules existing now the cross-border data transfers or direct free flow information, whatever you call. 

>> MODERATOR:  Take another question, and then we come back to the panelist. 

>> AUDIENCE:  Hi I'm Fernando from youth IGF programme.

I would like to raise an argument regarding the role of social media platforms.

I think we don't have adequate system to protect the users.  I mean, social media platforms have already been refused to appeal several requests from governments because they don't have legitimate interest, and I think we should look on this argument because the intermediary sometimes on a daily basis is the only proxies, is the only thing between the user that should be protected and law enforcement. 

>> Did you want to start? 

>> I was going to respond on the trade issue.

I think the opportunity to utilize trade agreements to set some of these norms is an important opportunity, but it is not a totally problem free opportunity.  But I do think if you look at the outcomes in the TPP text that has now been released, you know, article 14 has some very important protections that relate to the issues that we're talking about today.  I mean they do require that no Country can require a company to locate computing facilities in that Country's territory as a condition for conducting business in that territory, so that gets right to the data localization issue.

There is a more general obligation to allow cross-border

transformation by electronic means.

There is a general provision to protect personal information for users of electronic commerce.  So it is an opportunity to set some of these norms.

The reason it is not problem free and people have identified this, is the fact that these are, you know, negotiations that countries view as quite proprietary and as a result they're not conducted in an open and transparent manner.

I don't know how we solve that problem because of the nature of negotiations.  It is like if you take a typical negotiation, if I'm going into my car dealer and trying to negotiate a price of a car, you know, it is not going to help me if the car dealer knows exactly what my limits are and how high we're going to go.  There is no real negotiation that takes place at that point.  So you have these questions of how do you tradeoff the perceived need of the negotiators for the ability to have maximum room and maximum negotiating leverage against the fact this these are really important issues in the context that these issues were being discussed in an ICANN or multistakeholder environment they would be open and transparent.

I don't quite know how we resolve that tension built it doesn't take away from the fact that the trade agreements are a way to set these policies among a subset of countries which help establish norms that could hopefully then expand to the rest of the world. 

>> MODERATOR:  Anyone else want to discuss the trade agreement angle? 

>> I have one thought. 

>> MODERATOR:  Sure. 

>> Given the fact that I'm responsible for trade-in my political group I also want to point out that there is quite a bit of different between transPacific and the United States.  There have been suggestions that data protection and other related topics could be dealt with in TIPP and I think it is very clear for both the UN and US for issues like Safe Harbor or the question about rebuilding trust or ensuring their sufficient democratic oversight over intelligent services are not topics that can be department with in a trade agreement.

Now, of course, there will be questions of how to deal with eCommerce questions or now hot topic the issue of net neutrality where the US has laws, the EU has laws and it has an impact on the digital economy, but fundamental law cannot be made or changed by a trade agreement and I think that that is something that the EU across the political spectrum agrees on. 

>> So it Vint Serf again.  It strikes me that we should keep in mind that all the various threats to security, safety and privacy are global in scope.  There is no place to hide.  Anyone in one part of the world could launch an attack against anyone else.  So if we are really going to come to grips with our concerns we are going to have to find common ground, because we will need to cooperate in order to respond to these problems.  It is not a question of drawing lines in jurisdiction, it's a question of coming to common agreements.  Without that I think that we will always find this to be very, very complex space and only the bad guys will win. 

>> Thank you, Vint.  We just have two, three minutes left.

One more questions from the audience and then we are closing the


Thank you everybody. 

>> AUDIENCE:  Hi.  Hello, my name is Marelo.  I am also with the youth programme

We refer to the question of the roles with the company.  What should be the role of governance in regulating big companies that acquire other companies because of the data they hold and, so, is antitrust an element of privacy? 

>> MODERATOR: Would anybody like to answer on the big platform data competition question? 

>> VINT CERF:  Well, I guess I represent a big company, but I would like to point out to you the problems that you are concerned about are not purely a consequence of big companies.  These problems occur through -- across the in tear tire spectrum of entities that are on the Internet.

So the concern is not just about big companies, but it is about everyone who might have access to or might generate information that needs to be kept private. 

>> Just to push back a little bit on the comment that Vint just made.  I think it wouldn't be wrong to say that evil is a function of size and the bigger you are, the more harmful you can be if you want to be.  And when in the US for example you decide to regulate restaurants, a single instance of a (Indiscernible) restaurant is subject to less regulation than a national forceful chain, so therefore it is not unreasonable to expect that regulation be targeted at larger actors.

Thank you. 

>> Just to make it clear.  Under US antitrust law, these issues would be dealt with based on the economic impacts of the combination.  So, depending on what data is involved, it may or may not be a relevant issue for the antitrust authorities.  And then at least the United States, certainly more resources get applied to investigations and reviews of larger companies, but that's not set out in the law as a special category requiring special review or consideration. 

>> MODERATOR: Thank you.  I am happy to tweet later.  The (Indiscernible) is having a lot of discussions on that and have some documents coming out on big platform competition if anybody is interest owed that.

But now I would like to pass to my friend Jonah to close the panel. 

>> MODERATOR:  Well, thank you everyone for coming and behalf of NTIA and public knowledge appreciate and thank all our panelists.


(Concluded at 12:02)