IGF 2018 - Day 2 - Salle VI - DC Internet of Things: Global Good Practice in IoT: A Call for Commitment

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MAARTEN BOTTERMAN: Welcome to this meeting of the Dynamic Coalition on Internet of Things.  It's bringing together stakeholders from all over the world to engage in a dialog on good practice from a global perspective and from a multistakeholder perspective, and bottom line, its intent is to find a realistic and ethical way forward. 

    So the next slide.  IoT is really a balance, and it's important to consider both sides.  There's benefits, and there's challenges.  We need new technologies to bring us ready to respond to today's challenges, challenges that partly never existed before.  And it comes with new challenges.  And just a reminder the technologies in itself are not what is good or bad; it's the way we use it.  So these principles are underpinning our thinking.  The presentation, by the way, is also available from the IGF website, so you can download it.  You'll find a couple of indications of what kind of applications we have and are developing and what the challenges are in that.

    If you go to the next one, particularly for the IGF context, it's good to look at those challenges.  If you look at the global perspective, for instance, and the Sustainable Development Goals that are formulated at the UN level in which it's recognized that connected technologies are a necessity to address multiple sustainable challenges in a doable way.  But it also requires sharing global knowledge, and to know what we want, global dialog.

    Next one.  There's a lot of applications ranging from industry applications, application in industry just because it makes sense, and technology helps improve processes, quality of processes, speed of processes, cost of processes, but also, for instance, the nice floating thing in the water is tsunami buoy, warning systems for natural disasters, next with earthquake prediction.  The management of infrastructures, also in the home ranging from the quality of the air to assistive technologies for longer independent living.  But also in agriculture, a lot of this is in use, all kind of monitoring systems, and so much more, the cars.  The session before this was about smart cities, which in a way is a big IoT-enabled ecosystem as well.

    So what does the Dynamic Coalition do?  On the next slide, and the next slide.  So how do we look at IoT?  For us it's merely a specific aspect of the Internet.  Like social media shaped the Internet in different ways than it used to be before, so does the Internet of Things.  And  it has specific characteristics about the development of future networks.  In particular, it's on collecting, storing, providing access to many data related to observation by sensors, but also or triggered by people, try to take action receiving specific data and according to preprogrammed decision models, more and more possibly towards the future AI enabled. 

    Another specific element that has come up very much during the last year and less visible before is the weaponization of Internet of Things, for instance, using devices out there not to attack the device itself but to use it to attack others and do denial-of-service attacks. 

    The Dynamic Coalition, on the next slide, started in 2008 and is active ever both in IGF but also in regional meetings, and the aim is to develop the shared understanding.  Most IoT dialogues around the world -- because there's many that take place with specific focus, sometimes with a single stakeholder, sometimes in the specific regions.  But this is the only place where multiple stakeholders from all over will truly meet on equal terms.  The interests are ours, not mine or yours. 

    What we developed over time is the principle -- on the next slide, slide 8 -- the Internet of Things god practices aims at developing IoT, good practices, good services, taking into consideration ethical considerations, both in the development, deployment, and use faces of the lifecycle, thus to find an ethical, sustainable way ahead using IoT to help create a free, secure, and enabling rights-based environment.  A future we want

    Next slide, in summary, the paper -- this is also online, you can find it again by the agenda -- it's about embracing IoT to address society to challenge this in an ethical way.  We need IoT.  It's to create an IoT environment that encourages investment.  We need all stakeholders on board.  We need to create an ecosystem that works, and for this awareness channel for feedback is important.  It's important to have legal clarity.  Some people say don't on is already out there, and partly it also applies to the Internet and we don't always understand why.  We need to get clarity there and review the legal mechanisms in light of the new possibilities. 

    And very important to ensure the emergence of not just an IoT environment, but an IT environment we can trust.  Trust is never perfect, but it should be good enough for us to want to use it.  And the thinking thus far means that this leads to meaningful transparency, we can understand what happened; clear accountability, we know who is responsible for it; and real choice. 

    So the next one, focus of today's session.  Over the last year, since last IGF, security has come up very strongly, and strengthening the security paragraph has been important.  For those who have been following the DC before, you may have seen the updated document reflect some of that.  Very interested in your take on that.  And please remember, it's about what's necessary from a user perspective, but also what's doable from a business and technology perspective and the role of governments in helping to ensure a healthy balance here. 

    And the second thing, last but not least, this DC has been driven by volunteers from the outset, and that is great because we've been able to come to a balanced view which is not focused on any single stakeholder's perspective.  At the same time, it means that the impact is also limited for how we get out there.  For that, we need to have the support of institutional players that believe that this makes sense.  We don't pretend this is the answer for everything, but we do pretend it is good guidance for any specific further good practice implementation in specific areas. 

    The goal at the end of this meeting will also be to volunteer for working groups on two specific aspects.  That's slide 11.  One of the things is so an ethical approach.  There's a lot of work on that.  UNESCO, World Economic Forum, industry players, other NGOs.  It's important for us, I think, to take stock and that ethical approaches are there and how we can benefit from it.  We'll ask you to volunteer for that, and we've talked with Eddan, and Eddan will be happy to help with that too; right?  Eddan is from the World Economic Forum, one of our speakers. 

    The other thing is a similar thing on contemporary work on ethical IoT.  I am not talking about 60 academic papers.  We talk about that overview and for securing IoT a longer way forward, and Frederic -- and Frederic is from Internet Society.  They do a lot of work on this, and Frederic will talk more on that, but he is happy to help a couple volunteers to get here on that high-level paper.  So appreciate that. 

    With that, with the full understanding in the next slide that we create the world of tomorrow with the choices and actions of today, I hand the floor to Avri. 

    >> AVRI DORIA: Thank you.  I am Avri Doria, I am moderating.  How long did we give the speakers?  We originally designed it as a 90-minute session, but it's a 60-minute session.  I was wondering the expectations.  I want to make sure we get a little bit of Q&A of the rest of the participants in the room.  How long are we guiding them? 

    >> The guidance is three to five minutes. 

    >> AVRI DORIA:  So keeping it on the three side.  If I have three, there's seven speakers here, that's 21 minutes.  So Frederic, I have you listed first.  If you would like to start. 

    >> FREDERIC DONCK: Thank you, Avri, and I will respect the three minutes.  Nice to be here and talk with IoT

    I work with the Internet Society, and we are leading, as Maarten just said, a big campaign on IoT security and privacy.  We are also impressed by the fact that we are talking about 20 billion, and that is one of the more conservative figures I have seen recently. 

    I appreciate, by the way, that nobody in this room is talking about smart devices.  I cannot hear this anymore.  The devices are not smart.  Those 20 billion dumb devices are connected to the Internet and transmitting all day, every second information.  This is what we are talking about.  This is what we are talking about Internet. 

    So what are the issues?  There are so many issues.  First is manufacturers are rushing devices on the markets, selling them with very poor privacy and security embedded.  There are no incentives for manufacturers to put privacy and security on the economic level. 

    Those devices are connecting zillions of different information and data and transmitting them.  Some of them we just don't know that they are transmitting. 

    The information of consumers -- I have information showing at% of devices failed to adequately explain to the customer how their personal information are collected, used, and disclosed, just to give you an example. 

    Last but not least, most of the manufacturers in these fields are new to the IoT market.  Those are usual manufacturers who were producing plastic dolls for kids, and they squeeze chips in it, and it becomes a connected device. 

    So that's the reason why we feel in society that we really should tackle this because, as you know, everything you put on the Internet becomes part of the Internet. 

    And the risks, of course, are very well known -- data compromise, surveillance, physical risk.  Remember, just to take one -- I don't want to scare you, but there was this denial of service attack in Finland where two buildings were seeing the home heating put to zero when it was freezing outside.  And then the Mirai botnet attack that would allow me to talk about inward versus outward security.  People might be concerned about the fact that if you put the toaster on the Internet, someone might play with it and burn your fingers.  That's the inward security.  But more important for us is the outward part of security.  That is they might use your toaster as part of a huge denial-of-service attack using hundreds of thousands of other toasters like has happened with the Mirai botnet. 

    What do we propose?  Honestly, we believe security is a collective affair.  This is a collective collaborative process because we don't believe that just regulation is -- just rush to manufacturers as the end, the top would be a solution.  We believe we should address this in a wide way with different manufacturers.  For the manufacturers, we come up with online trusted lines, principles.  Those are 40 principles from authentication to encryption, et cetera.  That for us, if manufacturers will follow those principles who are producing the device, we would eliminate up to 95% all the risks I just mentioned.  That would be for manufacturers.  On a volunteer basis.  OTA.  Remember this name. 

    Policymakers, we came up -- in society, I got also different proposal for policymakers to embed into their approach.  Not specifically regulation.  Policymakers can create an environment for security.  But they also can make clear who is liable.  So there's a lot of recommendation that we have for policymakers.  One of the last ones would give consumer trust, as you mentioned, and that's what we call trust smart.  Pay attention.  Trust smart is a very complex issue.  It's just not a label that you put on a carpet.  It's much more complicated.  We see this as an ultimate goal, one of those that might give consumer trust. 

    Avri, I am happy to take any questions. 

    >> AVRI DORIA:  Thank you.  I think we will save the questions till the end.  Otherwise we might not get to all the speakers. 

    The next one I have on the list is Eddan Katz. 

    >> EDDAN KATZ: Hi.  I am from the World Economic Forum.  Based in San Francisco.  Let me explain a little bit about how it is structured.  We have different project teams, one of which is on Internet of Things and smart cities.  I am on the data policy team but was working with that team on a set of principles in regards to the industrial IoT Safety and Security Protocol.  Since I have three minutes, I will refer you to that on the Internet.  The IIoT Safety and Security Protocol from the World Economic Forum.

    What we have done with our protocol design networks is bring together a multistakeholder set of groups, in particular for this group, a network of experts from the finance industry, technology companies, electronics manufacturers, members of the DC IoT -- and Maarten contributed a great deal while in draft last year at IGF was distributed on the mailing list -- government representatives, standard-setting bodies, industry associations, and entities deploying IoT systems. 

    I would like to share some observations about the agile governance that we are trying to approach this with.  In regards to the dynamics, shared responsibility is the theme.  This is not on the regulatory level.  This is adopted voluntary standards.  So the fact that the cyber physical environment is very different and there's a decentralized interconnectedness is a key factor.  The distributed risk exposure is an important factor in trying to understand the liability.  And the risk mitigation challenges are why we turn to the insurance industry as a major part of this endeavor, so that the cyber security best practices that were developed as part of this protocol would be taken on by the insurance industry so that entities deploying IoT systems would, while abiding by the cybersecurity best practices, would qualify for insurance or for a discount on that insurance.  That's the mechanism.  Our experience so far, since this was published, though still an ongoing thing, in April, is taking a lead within the insurance industry has been somewhat challenging, and while we've had some positive experiences and are now getting off the ground with some particular insurance entities that are interested in adopting this, it has been difficult. 

    Let me, then, just describe the three different areas.  We came up with principles that are in the document, and we are hoping over the next few months to try to help incorporate into the IoT good practices.  First section is on line of business device safeguards, and there are ten different parts to that, and those are what the devices themselves should contain.  I won't go into all of them.  A second set of things is on internal governance and risk management.  This focuses on board oversight, top-level accountability, making sure that the business and security parts of an entity talk to each other.  And then recordkeeping and metrics being the third focus, establishing performance indicators and metrics to measure that by.  And so you can find more on the IIoT Safety Security Protocol.  I would be happy to answer questions on the protocol design, our IoT project, and how we can plug better into the Dynamic Coalition in the coming year. 

    >> AVRI DORIA: Thank you.  The next speaker we have is Taylor Bentley from ISED. 

    >> TAYLOR BENTLEY: Hi, everybody.  So my name is Taylor Bentley.  I am from the Economic Ministry in the Government of Canada Innovation, Science, Economic Development.  That's ISED.  So the story goes back to 2016 with the Mirai botnet.  The continued calls since then have all been to ask for more regulation, for more, I guess, frameworks around Internet of Things devices.  These calls and the research that we have done to respond to them came to the conclusion that such a proactive approach would not be consistent with Canada's traditional light-handed approach, where we use framework policies and laws of general application to instill the same rights and responsibilities that consumers and businesses must exhibit offline as online. 

    So the question was, all right, if we are not going to regulate in this space, how do we preempt it?  So with that, we were very happy to enter into a partnership with the Internet Society, with CIRA, the operator, CIPPIC, which is a law clinic in the University of Ottawa, and a Canadian academic research network for a Canadian process on enhancing IoT security.  So IoT security 2018 dot CA, by the way. 

    So where to start.  We tried to start with definitions, and that was fruitless.  Then we started with what's already been done, and the thing is that there is quite a bit.  If you know anything about Canada, you know that we have lots of Internet -- we have lots of prolific Internet users, but like most places, consumers are generally not informed or not prioritizing security and privacy concerns.  Businesses are the 0% small/medium-size enterprises who also struggle to demonstrate basic cyber resilience. 

    So we have a plethora of resources, both for consumers and businesses, but how to navigate between them, how to advise what is the best approach, both when businesses or consumers are adopting smart solutions or Internet of Things solutions.  So it's about reducing risks.  It's about ensuring innovation and adoption, ultimately ensuring trust.  So there are three working groups:  Consumer education and awareness which has developed a shared responsibility framework for devices and focuses on key messages on IoT that would be delivered both to consumers, so indicating the key behaviors that we'd like to see from consumers.  But then also the supply side of that, so how can government, standards-making organizations, international organizations, civil society, et cetera, and businesses, manufacturers, how can they support those behaviors?  The other working group on labeling and standards has outlined considerations of a labeling and standards scheme for IoT devices, including a lot of work highlighting work condition by the CSA, the Canadian Standards Association, on a new standard.  So a big part of this is going to be also providing guidance on how businesses can consider this sea of standards and how they might be able to -- oh, thank you -- and how they may be able to navigate.  The final is the network resilience working group, which is fleshing out recommendations about network-level defenses that operators can implement now.  While we talk and have a lot of good ideas about design-level improvements, I think we have a lot of ISPs and network managers that can do a lot of good work now.  So we need to sift through and help everyone reduce the risks and get the kind of social and economic benefits that we are looking for. 

    Thank you. 

    >> AVRI DORIA: Thank you.  And next I have is Claudia Selli from AT&T. 

    >> CLAUDIA SELLI: Thank you very much, Avri and Maarten, for having me here today with you. 

    As you say, I am from AT&T, and of course, at AT&T, we are looking a lot to creating business solution and state/local solution to provide our business enterprise users a global and seamless experience because we are connected, our clients wherever they are, and we have 48 million devices connected to the Internet as of the third quarter of 2018, and we have -- among them, for example, we are connecting cars and other objects, home solutions and these kind of things.  And the IoT is really the network that is combining the physical device and technology which then enables connectivity, that exchange and increase the opportunity as well for the integration of the physical world to the technological system.  And the main aim is really to cut the cost, so have economic benefits, to increase the human intervention in supporting all of those connected devices, but as well to increase the experience of the users and consumers.  And of course, you know, now that objects are all connected to the Internet and talking to each other, they can certainly improve our lives in many ways from the little and tiny maybe micro example of when you wake up and your telephone, your alarm clock sends the message to the coffee machine and the coffee machine starts to brew the coffee, so you can maybe concentrate on mails and other things and be more efficient at work.  To the more complex example of connected cars and smart cities, where you can really manage the traffic and reduce the incidents and as well manage better the infrastructure.  And we have plenty of those examples.  For example, you can if to the cargo experience where we track basically the merchandise that is being shipped, and you can really -- the business can monitor, for example, the humidity, the weather conditions, and see whether the merchandise is reaching the end consumers in a good state or whether maybe they need to take another decision not to deliver the merchandise because it would be probably in a bad state.  

    But these are just a few examples, and I can go and continue on and on with the different devices and applications.  And of course, to the uptake of these applications and devices, what is really key is creating an environment that is trusted by the consumers that are using those devices and also where we can protect the privacy as well of our customers.  And the different governments around the world are really struggling on how to tackle privacy and security, which are really the main elements to the IoT world, and to create a trusted environment.  And we are seeing and observing maybe different type of legislation coming up.  I am thinking about Europe or other fora that are talking about that.  And you know, I really agree with what Frederic said, that we really need a collaborative effort.  Everybody needs to be around the table to try and find the best solution which would be also market led, light-touch regulatory approach that still protects consumers users and technology neutral and respects as well international standards.  Otherwise you risk creating a little fortress. 

    And I will stop here because the time is up.  Thank you. 

    >> (Off microphone)

    >> GREGORY MEUNIER: Hello.  I am Greg in Europol.  I am also speaking on behalf of my colleague from the cyber security agency of the European Union.  I will have a different take on this.  We look at IoT security from a victim and consumer protection perspective.  Law enforcement around the world are really busy now investigating cases of an attack.  We recently in April helped the Dutch and UK to take down a website providing services, and now we find that the business model of criminals is really to learn Mirai-like botnets to trigger and sell botnet attacks. 

    We are also pretty busy working on how IoT is being misused by criminals for extortions.  So they use IoT poorly protected to spy on people, to steel steal information, to do many different things, and to make money from victims. 

    From that perspective, come up with a number of recommendations, so they call it the Baseline Security Recommendations for IoT.  They are very similar to what the Dynamic Coalitions have come up with.  They are very technical, also very commonsense type of proposals.  But really, the baseline is that most of the victims we are looking at are victims because most of the IoT devices are lacking the basic security features.  And one of the reasons for that, we believe -- and some might call our view simplistic, but we call it common sense -- is that there is no legal obligation for security of products. 

    If you look at the legislation in terms of product safety, it only applies to physical safety.  So if there is direct harm or effect on health on consumers, then there is legislation for that.  But it's not clear for lack of security of connected devices that would have an impact on health would actually fall in this cup of EU product safety legislations. 

    The Commission recently has come up with -- the European Commission -- with a voluntary certification scheme.  We think this is a very good step in the right direction, but we believe that it would be probably more efficient if consumer could rely on rules that can be directly enforced. 

    Just if I can continue with a few elements of cyber security that we would like to promote, cyber security by design, if you put any device and you connect it online, then you need to think about a designed cyber security strategy.  You must anticipate possible vulnerabilities, and you need to come up with cyber security strategies. 

    A number of simple requirements could be if you are connected, you need to have a password.  It shouldn't be hard coded.  There shouldn't be any manufactured back doors in it.  So these very simple set of requirements we believe would help to enhance security. 

    If I can conclude really briefly, there's also a very important principle that we would like to promote is the lifecycle of security.  We think that all connected objects should be able to be updated regularly.  Otherwise they are obsolete by default because they expose the user to risk. 

    Last but not least, security is a feature, we believe.  You must be able to disconnect your device, and this is really a baseline cyber security principle.  Thank you. 

    >> AVRI DORIA: Thank you. 

    Okay.  Now, the next person I had on the list -- thank you very much -- was Wolfgang Kleinwaechter, who I do not see, and then I also had Ram Mohan, who I don't see, but I was told that there was another speaker from Afilias, Melinda.  Do you have a microphone where you are? 

    >> MELINDA CLEM: Yes, I do.  Is that working? 

    >> AVRI DORIA: Please.  So it's Melinda Clem? 

    >> MELINDA CLEM: Yes, I am the vice president of strategy at Afilias.  Ram sends his regrets.  I am going to just give a brief discussion of our focus in this area and try to cede some time back to the discussion and problem resolution. 

    So at Afilias, we see tremendous benefit in IoT, but we also are realistic about the challenges.  We've got this categorized in five buckets:  security, both the creation and effective implementation and practice of protocols; interoperability; privacy; trust, which we define as global reach, accessibility; and then finally, the strategy around how you address orphaned technologies.  Right?  We get rid of these things, you know, on an annual basis, if not more.  What's the protocol for addressing these legacy devices? 

    The focus at Afilias is one where we are trying to -- you know, we cooperate with both the civil society and the public sector, but the reality is that the Internet advances at a rate that far exceeds any governance ability to keep up.  So that's why groups like this are important to address those challenges and step up and be nimble and flexible.  And one of the ways we are focusing on that is raising awareness of the existing and proven technologies and standards that are out there that we can leverage.  We are not necessarily starting from zero on everything that we have today.  Those specifically are ones that are in our bailiwick and we think can be leveraged are the DNS, you know, both the domain name system itself, the registration model, the core part of the infrastructure that can be leveraged; and secondly, DNSSEC.  We've got built-in security that works, and it works throughout the ecosystem, and both of those things are sitting there waiting and ready to go to be implemented in select IoT cases, largely for things that aren't natively connected today and have some sort of a chip technology. 

    Finally, we see a couple of factors of success, and first and foremost is providing the greatest benefit for the user and having a user-centric model here, both in terms of giving them what they want but then the ability to control their own data and privacy. 

    Finally, that security and privacy is a responsibility that is shared at each part of the ecosystem.  In no case should it rest at any one person.  It's all of our collective responsibility. 

    >> AVRI DORIA: Thank you.  And thank you all for having kept it really quite short.  And I will not spend a lot of time recapping what you all said because I'd really like -- although I did hear words like cooperation, I've heard words of building on what we've got, things on enforcement and using fairly normal methods, and principles, protocols, et cetera.  So I think that's wonderful.  And it is actually a building of the new with a combining of the old and recognizing that. 

    I'd like to -- one thing I forgot to do, which was to also introduce our rapporteur, Ryan Triplet, who is there taking notes and will do a much better job afterwards sort of talking about what has been spoken of. 

    I would really like to open it up now to comments, to questions, to answers to some of the points, such as the strategy, the where we are going moving forward, the how we are moving forward, the people who are going to say yes, I will help work on this part of it, which is also one of the questions that Maarten asked. 

    I would like to ask the people that excellent, try to keep it to under two minutes if we can so that over the next 20 minutes we can get as many people as possible in. 

    So while I've been talking on, has anybody decided who wanted to be first to comment, question, or answer?  And please introduce yourself when you speak because I may not know you.  And I keep talking, but no one has raised their hands yet.  Okay.  See if we can find someone that hasn't -- okay.  So I've got one and then two.  And then three.  Okay.  I've got four now.  So please, go ahead. 

    >> AUDIENCE: Good morning.  Thank you.  I haven't got a microphone. 

    >> MAARTEN BOTTERMAN: The microphone is used for remote participation. 

    >> AUDIENCE: Okay.  I will try to make it work.  Good morning.  My name is Jasper.  I work at the Department for Digital in the United Kingdom.  Really glad to be hearing about all the initiatives on IoT security that are happening, including this Dynamic Coalition and many of the other areas of work. 

    I wanted to say that we in the UK, we take the security of IoT incredibly seriously, and we are taking forward a number of initiatives and policy interventions in this area.  In particular, last month we created a code of practice for security of consumers in IoT devices.  We believe this really moves the debate forward.  What the code does, it brings together what is widely considered good practice, with the three top guidelines being no default passwords, implementing a vulnerability disclosure policy, and making software updatable.  So we believe this can help many of the existing initiatives in IoT security because we've carried out an 18-month consultation process with industry, with society, with academia as well, and hopefully we hope that our code can be -- can inform maybe the Dynamic Coalition work.  So I am happy to contribute to the security paragraph that you mentioned.  I will also be speaking about this tomorrow, so don't want to speak much more about this now, but feel free to speak to me if you would like to understand more.  Thank you. 

    >> AVRI DORIA: Thank you.  Okay, yeah, please, grab a microphone, introduce yourself. 

    >> AUDIENCE: I am Mike Nelson.  I work for Cloudflare, which is an Internet security firm.  If you know about us, you probably know that we protect websites from DDOS attacks.  But the truth is our future is in securing the Internet of Things.  And if you want to know more about that, there's a very good Wired article on Cloudflare and its overall strategy on the Internet of Things and what I like to call the Cloud of Things or the Cloud of All Things.  

    But I just wanted to pick up on a word that wasn't talked about very much except for Maarten's introduction, which is ethical.  The Dynamic Coalition has made that a very important overarching focus, but I think in order for that to be useful, we have to answer a very simple question I heard in 1995 when I went to the first UNESCO conference on info ethics, and I heard it yesterday at the Govtech Summit.  And the question is:  Whose ethics?  In the UNESCO meeting, they debated for 15 minutes whether it was Kantian or Hegalian ethics.  Yesterday it was Confucian ethics, Baptist ethics, or utilitarian ethics.  So any of the ethicists in the room care to take that on, and why talk ethics rather than human rights, which is actually better defined? 

    >> AVRI DORIA: Thank you.  In fact, whenever I hear people talking about ethics, I go to the abstraction of human rights as defined because that was as close as we got to agreeing on common ethics.  So thank you for bringing that up. 

    >> MAARTEN BOTTERMAN: Would you allow two fingers?  

    >> AVRI DORIA: Yeah.  Where were the two fingers from? 

    >> (Off microphone). 

    >> AVRI DORIA: Okay.  Then I will just put you in the queue. 

    Nigel, I had you next. 

    >> NIGEL HICKSON: You should never say two fingers to ethics, surely. 


    >> AVRI DORIA: Excuse me. 

    >> NIGEL HICKSON: That's the level of humor you get from ICANN.  Nigel Hickson, ICANN.  The only report I had, really, I suppose this debate is very important on a number of levels.  And one of the levels addressed by Interpol was, of course, the specification, the security standards of the products.  And this, of course, is important.  It's a debate that's been had now in relation to Internet of Things, but it's a debate in the past that's been held on many other product areas.  I suppose the concern, having been around this debate for the last 30 years or something, is of regulating specifications for good reasons, regulating or setting standards in terms of the security protocols, the resilience, et cetera, et cetera, on products that are manufactured in Europe, the States, Canada, or whatever.  But how do we facilitate these to become global standards for the multitude of Internet of Things devices that are manufactured all over the world, where perhaps these standards and these protocols, et cetera, just will not be picked up?  Thank you. 

    >> AVRI DORIA: Thank you, Nigel.  I had two more participant nonspeakers, then I have three of the speakers who have raised their hands.  But I saw the hand in that area but didn't manage to identify who had been the hand.  So which one of you did raise your hand before right after Nigel?  Okay.  I will go to you, yes, please.  Sorry I am not knowing or remembering people's names. 

    >> AUDIENCE: No problem.  Good morning, I am the Director of the Martel Innovate, a small company based in Europe in Switzerland. 

    I think it's very important that we gather input from several initiatives, and I am very glad to have seen that several speakers are representing very different stakeholders.  I think it's a huge responsibility.  The reason Europe, quite a lot of work being done.  We have an initiative called Next Generation Internet, and an initiative that is called also Internet of Things Large-Scale Experimentation.  We have an IoT cluster.  And I think it's very important that your activities become visible to this audience and vice versa because there is a lot of debate, and the more we are able to influence the decision-makers, the public authorities, the regulators, the more Internet will change for the good. 

    So yes, I think it's important to have all the players in the radar. 

    >> AVRI DORIA: Thank you.  And I am glad that we do.  And one of the things in terms of visibility is indeed outputs from this Dynamic Coalition that sort of bring together that in a cooperative way.  So thanks for bringing that up, and thanks for putting the push on us slightly that we really do, after three years of existing and before that many years existence, getting some outputs there. 

    I have Taylor, I saw your hand, then Eddan and Frederick Frederic all wanted to make comments, then we'll go back to non-participant speakers if we have those. 

    >> TAYLOR BENTLEY: Thanks very much.  Again, this is Taylor Bentley from the Government of Canada.  A lot of our questions are about who decides and how do we figure it out.  Well, you do it lily, of course.  But I think the answer, unfortunately, standards is one of those things that's going to take a long time.  As I say, the design principles are also going to take a long time.  It's like two or five years out.  You know, if we are lucky, something catastrophic doesn't happen.  But it could, and then you'll have pushes for regulation.  Look at fake news and what we heard yesterday.  Right?  When issues happen and people aren't involved in the conversations, then it forces a reactionary comment. 

    So I think what we need is guidance on how to navigate what's already there. 

    I was really impressed with the UK approach, their mapping document.  There are so many principles out there.  Let's maybe think of guidance, ways that we can guide, because I think what's in the Dynamic Coalition right now is good.  How do we implement them, and what's good guidance for how to do that?  Thank you. 

    >> AVRI DORIA: Thank you. 

    >> EDDAN KATZ: I wanted to put my two fingers in to the ethics question and address that.  Data ethics is one of the things that I work on within the data policy team at the World Economic Forum, and I think it's already been answered that, you know, I don't think a manual contour will help us at the moment, but I think that a multistakeholder setting, and in particular this group, because it is open and not contained, the process that we went through included primarily people chosen very deliberately to be as much of a cross-section in different parts, even unexpected ones, but also to make sure that it was also open to a broader conversation during the process of drafting.  It was distributed to this group.  There wasn't much feedback, but I hope that in the coming month I'll send around the finalized sort of version that there will be some more comments on that. 

    So I think the answer is for ethics, it is who decides, and that the answer, especially now more than any other time, is deliberately inclusive, deliberately geographically diverse, and ensuring that as many voices as possible are represented.  That's not a definitive answer, but it is a process one. 

    >> AVRI DORIA: Thank you.  So it sounds like we've got a coalition going, but perhaps we need to be more dynamic about it. 


    Okay.  Frederic, I had you next. 

    >> FREDERIC DONCK: Thank you, Avri. 

    Fortunately, our Canadian friends already said most of what I was about to say.  Canada is ahead of the curve.  We are very proud to contribute to the multistakeholder group that we try to socialize.  We start also in France, Senegal.  So watch out.  I mean, we are very happy to continue this conversation in a very multistakeholder model.  So first. 

    Second, thanks for mentioning the UK in the Code of Conduct.  That is really great.  I would invite you to read it.  We are perfectly aligned to this, and it's a great piece of paper.  And I agree with you, this is very concrete, and we need to socialize this. 

    Third, it takes -- yes.  The conjunction of IoT and artificial intelligence is a key point here.  We are disclosing a lot of information that we are not conscious that we disclose.  And this completely huge amount of data is being analyzed by artificial intelligence.  When you move in your house with your detector, you don't know, but you tell something to Nest or whoever can connect and take this information, same when you are moving in an airport.  So this is where an ethical issue is because there will be decision made by those connected devices, by nonhuman agents.  So that's really a critical point, and I am very happy that the Dynamic Coalition is addressing this.  Thank you. 

    >> AVRI DORIA: Okay.  Thank you. 

    I could take another participant or two's comment before returning to our -- okay, please.  I've got one and two, and then I'll go back to our speaker.  Yeah, so please.  Please introduce yourself and please. 

    >> AUDIENCE: Okay.  My name is Fierre Levnishka.  I am working at UCL on a large project on Internet of Things.  We are actually doing global governance in Internet of Things research with myself and Madeline Carr here. 

    Wolfgang Kleinwaechter was actually in another meeting which was on east-west commitment to multistakeholderism, and I think this was reflected yesterday with Macron's emphasis on the very divergent approaches to governance and regulation, not just for the Internet, but the Internet of Things and AI. 

    So when we are talking about privacy and security, there are really very, very different regional perspectives on how to address these things.  So to achieve a sort of global approach on this European model which is really being discussed here will take a high level of diplomatic effort, not just working at the multistakeholder level, but across states, between companies from different regions, and I just sort of wonder whether the Dynamic Coalition can really reflect and engage with these more complex political-economic issues. 

    >> AVRI DORIA: Yes.  It's interesting that you referred back to Macron and his multilateral as opposed to multistakeholder perspective.  I would hope the people from the multilateral would try to interface with the multistakeholder as opposed to insisting on their own silo, as it were. 

    I had you were next, and please come to the microphone. 

    >> AUDIENCE: My name is Louis Pedraza.  I am just curious citizen.  I enjoy listening. 

    Just a suggestion.  Have you ever considered an expiration date to data collection or to connecting devices?  Just like credit cards, where you opt in, but five years, they actually contact you about whether you are interested in renewing.  Because most of the time we tend to forget half the people we are giving access to our data.  So just a thought/suggestion. 

    >> AVRI DORIA: Thank you.  Good question.  Did any one of the speakers, especially a speaker that hasn't -- okay.  Would you like to?  Since you already sort of indicated something like that. 

    >> AUDIENCE: Yeah, why not?  That's a possibility.  I think that we haven't figured out the technical means of doing this, but I think it's really essential to say that throughout the lifecycle of the project, it has to be able to update and find -- when new vulnerabilities are found, then you need to be able to patch them regularly.  You can't be just putting stuff on the market that can't be updated.  That's really the bottom line, I think.  And maybe that could be having expiration dates on IoT-connected devices.  Yeah, why not? 

    >> AVRI DORIA: Thank you.  I had Frederic, then Claudia, both with short comments, and then --

    >> Just on that point.  Two sentences. 

    >> AVRI DORIA: Okay. 

    >> Microphone. 

    >> This is a fundamental misperception that we somehow have to make the device the solution.  We can use gateways that control the device and have five-cent devices that don't have the ability to be updated, but only connect to the net through a gateway that can be, and that's a much more economical and flexible way of doing it. 

    >> AVRI DORIA: Okay.  Thank you. 

    I have a quick comment from Frederic, a quick comment from Claudia, and then back to Maarten to close the session. 

    >> FREDERIC DONCK: Okay.  Quickly, yes, I agree with what has been said.  We got this online, we should be able to control the device or connections, whatever it is.  The problem is you have a device that continues to change data where you don't know that they do because they are broken and they continue to do what they do.  So I agree with you, consumers and users need to have control of the data.  We've got this covered in OAT.  Thank you. 

    >> AVRI DORIA: Thank you.  Claudia? 

    >> CLAUDIA SELLI: Two quick comments.  One is concerning the Dynamic Coalition should be active with the political environment, and I can we cannot really ignore that because in any case, they are coming up with laws that we all have to respect and abide.  So we need to certainly respond to these different regional perspectives, even if we are, you know, in another setting.  And then the other thing, I agree that we need to control as well the devices, but on the other hand, you have also laws that are being drafted and created that sometimes don't allow you to do that.  So it depends how these laws are crafted. 

    >> AVRI DORIA: Thank you.  Problem with these sessions is it takes about an hour to get the conversation going. 

    It's yours, Maarten, to wind it up and close it.  And perhaps you want to mention something about the part you are taking in the overall main session because the Dynamic Coalition is part of that one too; right? 

    >> MAARTEN BOTTERMAN: Okay.  Thank you very much. 

    Thank you all for contributing.  This is what we try to do, bring people together in a room that are interested already.  So we've had the discussion.  Explicit invitation is to if you want to participate in either the ethical paper or the IoT security paper, to provide your business card.  They'll make sure that this helps, this works. 

    The other thing is very much that with this room, we also do have a number of governments because they are interested, the governmental organizations.  This is how these things get out.  It's industry that is engaging.  Michael brought the point of ethics, and Eddan.  It is an ongoing discussion on how do we tackle this in the right way because we all want in the end an Internet we can rely on, that we can trust.  It will never be perfect, but it should be trustworthy.  And the Internet of Things is an important role in that. 

    So having heard the contributions also from Greg from Europol, he was talking from a law enforcement perspective, but he also indicated he is also part of an initiative working with ENISA on network information security policies, on measures.  And with the technical community on what can be happening on the technical level.  And we see these discussions back in ITF as well, been deeply involved in these sessions before.  Today we don't have a speaker from that. 

    I think Melinda clearly indicated that part of industry is really saying so how can we help the user to make this and the business to make this a trusted offer by looking at security, but she also mentioned privacy as this is part of the package that you need to offer nowadays as well.  Very clearly. 

    Justin, thank you very much.  The nice thing between UK and Canada is we see two governments taking this very seriously, and coming from a slightly different angle.  And I think together we'll find a way where also useful government support of these kind of processes will come back.  So appreciated that as well. 

    Last, but not least, if you have any links to initiatives you are aware of, we are not aware of yet, please let us know.  We will include it in the report.  It will be reflected on the IoT website, which is also indicated in the slide which you can find online. 

    Other sessions coming up that may be of your interest include tomorrow at 10:00, there is a session in room 9 organized by this gentleman with as much hair as I have.  This is the only way I can say it.  It's an open forum where multiple players will talk about IoT security aspects and how we can -- how would you say that? -- solidify towards the future.  We know we have things to do there.  Another session this afternoon is on the economics and the development issues of IoT.  That's in the main room at 3:00.  We'll also highlight how IoT adds to achieving Sustainable Development Goals.  And then tomorrow at 11:50, I want to point you at Best Practice Forum in which Michael will participate as well, which will be on artificial intelligence and the enablers of IoT and big data that feed into that. 

    So thank you very much for your attention, and don't forget to leave your business card, indicate on it ethics or secure, and your links, and looking forward to seeing you next time.